aaa authorization commands

Syntax

aaa authorization commands <CONNECTION-TYPE> {none | group <GROUP-LIST>}

no aaa authorization commands <CONNECTION-TYPE>

Description

Defines authorization as local RBAC (specified with the name none), which is the default, or defines a sequence of remote AAA servers to be accessed for authorization purposes. Each available connection type (channel) can be configured individually as either local (by specifying none) or using remote AAA server groups. All server groups named in the command must exist. This command can be issued multiple times, once for each connection type. Local (specified as none) is always available for any connection type not configured for remote AAA authorization.

The no form of this command removes any defined remote AAA server group authorization sequence for the specified connection type. Local RBAC authorization is available for connection types without a configured remote AAA server group list (whether default or for the specific connection type).

NOTE: Although only TACACS+ servers are supported for remote authorization, local RBAC authorization can be used with remote RADIUS authentication.

Command context

config

Parameters

<CONNECTION-TYPE>

One of these connection types (channels):

default

Defines a list of authorization server groups to be used for the default connection type. This configuration applies to all other connection types (console, ssh) that are not explicitly configured with this command. For example, if you do not use aaa authorization commands console... to define the console authorization list, then this default configuration is used for console.

console

Defines a list of authorization server groups to be used for the console connection type.

ssh

Defines a list of authorization server groups to be used for the ssh connection type.

none

Selects local RBAC authorization.

group <GROUP-LIST>

Specifies the list of remote AAA server group names. The predefined remote AAA group name tacacs is available. User-defined TACACS+ server group names may also be used. The remote AAA server groups are accessed in the order that the group names are listed in this command. Within each group, the servers are accessed in the order in which the servers were added to the group. Server groups are defined using the command aaa server group, and servers are added to a server group with the command server.

It is recommended to always include the special name none as the last name in the group list. If none is omitted, and no remote AAA server is reachable, authorization will not be possible.

Authority

Administrators

Examples

Configuring local RBAC authorization (by specifying none) for the default connection type:

switch(config)# aaa authorization commands default none

Configuring local RBAC authorization (by specifying none) for the console connection type:

switch(config)# aaa authorization commands console none
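
Auditing a saved configuration for the fallback and trailing-none rules described under Parameters (an added example, not part of the original command reference). It assumes the configuration stores each command in the same form as the Syntax line; the sample lines and the group name sg1 are constructed for illustration.

```python
import re

# Constructed sample running-config lines (not from a real switch); "sg1" is a
# hypothetical user-defined TACACS+ server group name.
SAMPLE_CONFIG = """\
hostname lab-sw1
aaa authorization commands default group tacacs none
aaa authorization commands ssh group sg1 tacacs
"""

CHANNELS = ("default", "console", "ssh")
LINE_RE = re.compile(r"^aaa authorization commands (\S+) (none|group (.+))$")


def parse_authorization(config):
    """Return {connection_type: [names...]} for explicitly configured types."""
    configured = {}
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m.group(1) in CHANNELS:
            # Assumption: a later line for the same type replaces an earlier one.
            configured[m.group(1)] = ["none"] if m.group(2) == "none" else m.group(3).split()
    return configured


def effective_methods(configured):
    """console and ssh fall back to the default list, which itself defaults to none."""
    default = configured.get("default", ["none"])
    return {c: configured.get(c, default) for c in ("console", "ssh")}


def audit(config):
    """Return (channel, list) pairs whose list does not end in local RBAC (none)."""
    effective = effective_methods(parse_authorization(config))
    return [(c, names) for c, names in effective.items() if names[-1] != "none"]


if __name__ == "__main__":
    for channel, names in audit(SAMPLE_CONFIG):
        print(f"{channel}: {' '.join(names)} has no trailing none")
```

In the sample, console inherits the default list and passes, while ssh is reported because its own list omits none and authorization would not be possible if no remote AAA server were reachable.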