Cisco CRS-1 - Carrier Routing System Router Configuration Manual page 49

IOS XR System Security Configuration Guide
Configuring AAA Services on Cisco IOS XR Software
Note: The Cisco IOS XR software attempts authorization with the next listed method only when there is no response or an error response (not a failure) from the previous method. If authorization fails at any point in this cycle—meaning that the security server or local username database responds by denying the user services—the authorization process stops and no other authorization methods are attempted.

Method lists are specific to the type of authorization being requested. Cisco IOS XR software supports four types of AAA authorization:

• Commands authorization—Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands.

Note: "Command" authorization is distinct from "task-based" authorization, which is based on the task profile established during authentication.

• EXEC authorization—Applies authorization for starting an EXEC session.

Note: The exec keyword is no longer used to authorize the fault manager service. The eventmanager keyword (fault manager) is used to authorize the fault manager service. The exec keyword is used for EXEC authorization.

• Network authorization—Applies authorization for network services, such as IKE.

• Eventmanager authorization—Applies an authorization method for authorizing an event manager (fault manager). RADIUS servers are not allowed to be configured for the event manager (fault manager) authorization. You are allowed to use TACACS+ or locald.

When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type. When defined, method lists must be applied to specific lines or interfaces before any of the defined methods are performed. Do not use the names of methods, such as TACACS+, when creating a new method list.

"Command" authorization, as a result of adding a command authorization method list to a line template, is separate from, and is in addition to, "task-based" authorization, which is performed automatically on the router. The default behavior for command authorization is none. Even if a default method list is configured, that method list has to be added to a line template for it to be used.

The aaa authorization commands command causes a request packet containing a series of attribute value (AV) pairs to be sent to the TACACS+ daemon as part of the authorization process. The daemon can do one of the following:

• Accept the request as is.
• Refuse authorization.

Creation of a Series of Authorization Methods

Use the aaa authorization command to set parameters for authorization and to create named method lists defining specific authorization methods that can be used for each line or interface.

The Cisco IOS XR software supports the following methods for authorization:

• none—The router does not request authorization information; authorization is not performed over this line or interface.
• local—Uses local database for authorization.

Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
OL-20382-01
How to Configure AAA Services
SC-43
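The configuration below is an added example, not text from the guide, showing how the authorization method lists described on this page are defined with aaa authorization and then attached to a line template so they actually take effect; the TACACS+ server address, shared secret, and the list and template names are placeholders.

```cisco
! Added example (not from the guide). Server address and key are placeholders.
tacacs-server host 192.0.2.10 port 49
 key 0 PLACEHOLDER-SHARED-SECRET
!
! Command authorization: a named list (not named after a method, per the guide).
! TACACS+ is consulted first; the local database is tried only when the server
! gives no response or an error. An explicit deny from the server is final.
aaa authorization commands cmdauthz group tacacs+ local
!
! EXEC authorization (starting a session) through the default list.
aaa authorization exec default group tacacs+ local
!
! Event manager (fault manager) authorization: TACACS+ or local only;
! a RADIUS server group is not accepted for this authorization type.
aaa authorization eventmanager default group tacacs+ local
!
! Command authorization stays at none until a list is attached to a line
! template, even when a default list exists. Attach both lists here.
line template vtyadmin
 authorization exec default
 authorization commands cmdauthz
!
! Bind the template to the VTY pool so remote sessions are covered.
vty-pool default 0 4 line-template vtyadmin
```

Task-based authorization from the user's task profile still applies on top of the command authorization configured here.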