aaa authorization commands
Syntax
aaa authorization commands <CONNECTION-TYPE> {local | none}
aaa authorization commands <CONNECTION-TYPE> group <GROUP-LIST>
no aaa authorization commands <CONNECTION-TYPE>
Description
Defines authorization as basic local RBAC (specified as none), as full-fledged local RBAC (specified as local, the default), or as remote TACACS+ (specified with group <GROUP-LIST>). Each available connection type (channel) can be configured individually. All server groups named in the command must exist. This command can be issued multiple times, once for each connection type.
The no form of this command unconfigures authorization for the specified connection type, reverting to the default of local.
Command context
config
Parameters
<CONNECTION-TYPE>
One of these connection types (channels):
default
Selects the default connection type for configuration. This configuration applies to all other connection types (console, ssh) that are not explicitly configured with this command. For example, if you do not use aaa authorization commands console... to define the console authorization list, then this default configuration is used for console.
console
Selects the console connection type for configuration.
ssh
Selects the ssh connection type for configuration.
local
(the default) When used alone without group <GROUP-LIST>, selects local authorization, which can be used to provide authorization for a purely local setup without any remote AAA servers, and also when RADIUS is used for remote authentication and accounting but authorization is local. When used after group, provides for fallback (to full-fledged local authorization) when every server in every specified TACACS+ server group cannot be reached.
NOTE: If any TACACS+ server in the specified groups is reachable, but the command fails to be authorized by that server, the command is rejected and local authorization is never attempted. Local authorization is only attempted if every TACACS+ server cannot be reached.
none
When used alone without group <GROUP-LIST>, selects basic local RBAC authorization, for use with the built-in user groups (administrators, operators, auditors). When used after group, provides for fallback (to basic local RBAC authorization) when every server in every specified TACACS+ server group cannot be reached.
NOTE: With none, users belonging to user-defined user groups can execute all commands regardless of what authorization rules are defined in such groups. For per-command local authorization, use local instead.
group <GROUP-LIST>
Specifies the list of remote AAA server group names. The predefined remote AAA group name tacacs is available. User-defined TACACS+ server group names may also be used. The remote AAA server groups are accessed in the order in which the group names are listed in this command. Within each group, the servers are accessed in the order in which they were added to the group. Server groups are defined using the command aaa server group, and servers are added to a server group using the command server.
It is recommended to always include either the special name local or none as the last name in the group list. If both local and none are omitted, and no remote AAA server is reachable (or the first reachable server cannot authorize the command), command execution for the current user will not be possible.
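The order of evaluation described for the group list (groups in listed order, servers within a group in the order added, the first reachable server's answer final, local or none consulted only when nothing answers) is easy to misread. The following added example, which is not vendor code and does not talk to a real TACACS+ server, models that decision procedure in Python on constructed server replies. The server addresses, group names tg1 and tacacs, and the replies themselves are all constructed for illustration; local_permits stands in for whichever local check applies (full local RBAC for local, basic RBAC for none).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Replies a TACACS+ server can give for one command in this model. UNREACHABLE
# is not a reply: it records that the server gave no answer at all.
PERMIT, DENY, UNREACHABLE = "permit", "deny", "unreachable"


@dataclass
class ServerGroup:
    """A named server group; servers are kept in the order they were added."""
    name: str
    servers: Dict[str, str] = field(default_factory=dict)  # server -> constructed reply


def authorize(method_list: List[str], groups: Dict[str, ServerGroup],
              local_permits: Callable[[], bool]) -> str:
    """Decide one command following the documented order of evaluation.

    method_list is the list typed after 'group', e.g. ["tg1", "tacacs", "local"].
    local_permits models the local decision and is consulted only when every
    server in every listed group is unreachable (assumption: local/none is
    treated as the trailing fallback, which is the recommended placement).
    """
    fallback: Optional[str] = None
    for name in method_list:
        if name in ("local", "none"):
            fallback = name          # remembered; used only if nothing answers
            continue
        group = groups[name]         # page: every named group must exist
        for reply in group.servers.values():
            if reply == UNREACHABLE:
                continue             # try the next server, then the next group
            # The first reachable server decides. A deny here is final: the
            # page states local authorization is never attempted in that case.
            return PERMIT if reply == PERMIT else DENY
    if fallback is None:
        return DENY                  # nothing answered and nothing to fall back to
    return PERMIT if local_permits() else DENY


def always_permit() -> bool:
    """Stand-in for a local RBAC check that would allow the command."""
    return True


def scenarios() -> Dict[str, str]:
    """Constructed scenarios, one per branch of the decision."""
    tacacs = ServerGroup("tacacs", {"10.0.0.5": UNREACHABLE, "10.0.0.6": PERMIT})
    tacacs_down = ServerGroup("tacacs", {"10.0.0.5": UNREACHABLE})
    tg1_denies = ServerGroup("tg1", {"10.0.1.5": UNREACHABLE, "10.0.1.6": DENY})
    tg1_down = ServerGroup("tg1", {"10.0.1.5": UNREACHABLE, "10.0.1.6": UNREACHABLE})
    full_list = ["tg1", "tacacs", "local"]
    return {
        # second tg1 server is reachable and denies: rejected, local never tried
        "reachable_deny_is_final": authorize(
            full_list, {"tg1": tg1_denies, "tacacs": tacacs}, always_permit),
        # tg1 entirely down, so the tacacs group gets to answer
        "next_group_decides": authorize(
            full_list, {"tg1": tg1_down, "tacacs": tacacs}, always_permit),
        # everything down, trailing local takes over
        "fallback_to_local": authorize(
            full_list, {"tg1": tg1_down, "tacacs": tacacs_down}, always_permit),
        # everything down and no local/none in the list: the user can run nothing
        "no_fallback_locks_out": authorize(
            ["tg1", "tacacs"], {"tg1": tg1_down, "tacacs": tacacs_down}, always_permit),
    }


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label}: {outcome}")
```

The no_fallback_locks_out scenario is the lockout the Usage section warns about: with every server unreachable and no local or none at the end of the list, the model denies every command.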
Authority
Administrators or local user group members with execution rights for this command.
Usage
TACACS+ server authorization considerations
Use caution when configuring authorization, as it has no fail-through. If the switch is not configured properly, the switch might get into an unusable state in which all command execution is prohibited.
Make sure that all listed TACACS+ servers can authorize users for command execution.
Make sure that credential database changes are promptly synchronized across all TACACS+ servers.
Make sure either local or none is included as the last name in the group list. If both local and none are omitted, and no remote TACACS+ server is reachable (or the first reachable server cannot authorize), authorization will not be possible.
Although not recommended, if you choose to omit both local and none from the list, and are manipulating configuration files, special caution is necessary. If the source configuration includes TACACS+ authorization and you are copying configuration from an existing switch into the running configuration of a new switch, and you have not yet configured the interface or routing information to reach the TACACS+ server, the switch will enter an unusable state, requiring a hard reboot. To avoid this situation, which can occur when local and none have been omitted, do either of the following:
In the configuration source, delete or comment out the line configuring remote authorization. Then, after the configuration copy and paste, manually configure authorization.
Move the line configuring the authorization to the end of the source configuration before copying and pasting.
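Both lockout conditions above can be caught before a configuration is pasted into a switch: a group list that does not end with local or none, and an authorization line that names a server group not yet defined earlier in the file. The following added example (not vendor tooling) is a small Python linter for a saved configuration text. The sample configuration, hostname and addresses are constructed; the pattern it uses for a group definition line (aaa server group <type> <name>) is an assumption based on the page's reference to the aaa server group command, so adjust GROUP_DEF to the exact form your platform emits.

```python
import re
from typing import List, Tuple

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
hostname edge-1
aaa server group tacacs tg1
    server 10.0.0.5
aaa authorization commands console group tg1 tacacs local
aaa authorization commands ssh group tg2
aaa authorization commands default group tg1 tacacs
aaa server group tacacs tg2
    server 10.0.0.6
"""

# Assumed shape of a group definition line; the group name is the last token.
GROUP_DEF = re.compile(r"^aaa server group\s+\S+\s+(\S+)\s*$")
AUTHZ = re.compile(r"^aaa authorization commands\s+(\S+)\s+group\s+(.+?)\s*$")
PREDEFINED_GROUPS = {"tacacs"}      # page: the predefined group name tacacs
FALLBACKS = {"local", "none"}

Finding = Tuple[int, str, str]      # (line number, severity, message)


def lint_authorization(config: str) -> List[Finding]:
    """Return findings for every 'aaa authorization commands ... group' line.

    Lines are read top to bottom, so a group counts as defined only if its
    definition appears above the line that references it, which is what
    matters when the text is pasted into a running configuration.
    """
    findings: List[Finding] = []
    defined = set(PREDEFINED_GROUPS)
    for lineno, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        m = GROUP_DEF.match(line)
        if m:
            defined.add(m.group(1))
            continue
        m = AUTHZ.match(line)
        if not m:
            continue
        channel, method_list = m.group(1), m.group(2).split()
        for name in method_list:
            if name not in FALLBACKS and name not in defined:
                findings.append((lineno, "error",
                                 f"{channel}: server group '{name}' is not defined above this line"))
        if method_list[-1] not in FALLBACKS:
            findings.append((lineno, "warning",
                             f"{channel}: list does not end with local or none; "
                             f"all commands fail if no server in {method_list} is reachable"))
        for name in method_list[:-1]:
            if name in FALLBACKS:
                findings.append((lineno, "warning",
                                 f"{channel}: '{name}' should be the last name in the group list"))
    return findings


if __name__ == "__main__":
    for lineno, severity, message in lint_authorization(SAMPLE_CONFIG):
        print(f"line {lineno}: {severity}: {message}")
```

Run against the sample, the linter reports that the ssh line references tg2 before it is defined and has no local or none fallback, and that the default line has no fallback either; the console line, which ends with local and names only groups defined above it, is clean.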
Examples
Defining the default authorization sequence based on a user-defined TACACS+ server group, then the default TACACS+ server group, and finally (as a precaution) local authorization:
switch(config)# aaa authorization commands default group tg1 tacacs local
All commands will fail if none of the servers in the group list are reachable. Continue (y/n)? y
Defining the console authorization sequence based on two user-defined TACACS+ server groups, and finally (as a precaution) local authorization:
switch(config)# aaa authorization commands console group tg1 tg2 local
All commands will fail if none of the servers in the group list are reachable. Continue (y/n)? y
Setting the authorization for default to local:
switch(config)# aaa authorization commands default local
Setting the authorization for the SSH interface to none:
switch(config)# aaa authorization commands ssh none