Configuring Command Authorization On The Switch - Cisco MGX 8850 (PXM1E/PXM45) Configuration Manual


Chapter 9
Switch Operating Procedures
Managing Remote (TACACS+) Authentication and Authorization
Cisco MGX 8850 (PXM1E/PXM45), Cisco MGX 8950, Cisco MGX 8830, and Cisco MGX 8880 Configuration Guide
Release 5.0.10, OL-3845-01 Rev. B0, August 16, 2004

The following example configures authentication through the tacacs+ method:

M8830_SF.2.PXM.a > cnfaaa-authen tacacs+
AAA CONFIGURATION:
    Authentication Methods   : tacacs+ cisco
    Authorization Methods    : local cisco
    Authorization Type       : group
    Default Privilege Level  : NOUSER_GP
    Prompt Display           : acs
    SSH/FTP Message Type     : Inbound ASCII Login
    IOS Exclusion List       :
WARNING: The newly configured authentication/authorization methods will
apply to new session.
    This configuration has no impact on existing sessions.

Note that the example above did not configure the cisco authentication method, but this method is listed
as the backup for the tacacs+ method in the Authentication Methods line. There is no need to enter the
cisco method when it is the last method to be used.

To return a switch to the default authentication configuration, enter the following command:

M8830_SF.2.PXM.a > cnfaaa-authen default
AAA CONFIGURATION:
    Authentication Methods   : local cisco
    Authorization Methods    : local cisco
    Authorization Type       : group
    Default Privilege Level  : NOUSER_GP
    Prompt Display           : acs
    SSH/FTP Message Type     : Inbound ASCII Login
    IOS Exclusion List       :
WARNING: The newly configured authentication/authorization methods will
apply to new session.
    This configuration has no impact on existing sessions.

Notice the text in the command display that reminds you that changes in the authentication method only
apply to new sessions. This switch behavior prevents instant lockout if you make a configuration
mistake.

Configuring Command Authorization on the Switch

Authorization validates an authenticated user's access to a command each time a command is entered.
When the switch uses an AAA server for authorization, the AAA switch can authorize commands in one
of the following ways:

• The AAA server sends a switch access privilege level or group ID back to the switch one time for
  each login session, and the switch validates all session commands based on that group ID. This
  method is called group mode.
• The AAA server validates every command the user enters using its own internal configuration to
  determine if the user has access to the command. This method is called command mode.

Group mode requires less configuration at the AAA server, and it consumes less bandwidth during each
session. When the switch is configured for command mode, the AAA server must be configured to define
the command set available to each user. The advantage to command mode is that you can customize
access for each user. You are not limited to the access options defined on the switch.

To configure authorization, log in using a username with SERVICE_GP privileges or higher and enter
the cnfaaa-author command using the following format:

M8850_LA.7.PXM.a > cnfaaa-author <authorType> <method> [<method>...]
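As an added example that is not part of the Cisco guide, the following Python parses a captured AAA CONFIGURATION display from the cnfaaa-authen examples above and reports where authentication or authorization does not use tacacs+. The policy that tacacs+ must come first and the names parse_aaa, audit and required_first are assumptions made for this example.

```python
# Added example: audit a captured "AAA CONFIGURATION" display (not Cisco code).
FIELDS = ("Authentication Methods", "Authorization Methods",
          "Authorization Type", "Default Privilege Level", "Prompt Display",
          "SSH/FTP Message Type", "IOS Exclusion List")

# Constructed capture, matching the cnfaaa-authen tacacs+ example on the page.
SAMPLE = """\
AAA CONFIGURATION:
    Authentication Methods   : tacacs+ cisco
    Authorization Methods    : local cisco
    Authorization Type       : group
    Default Privilege Level  : NOUSER_GP
    Prompt Display           : acs
    SSH/FTP Message Type     : Inbound ASCII Login
    IOS Exclusion List       :
WARNING: The newly configured authentication/authorization methods will
apply to new session.
"""
# The page's default configuration differs only in the authentication line.
DEFAULT = SAMPLE.replace("tacacs+ cisco", "local cisco")


def parse_aaa(display):
    """Return {label: value} for the known fields; other lines are ignored."""
    fields = {}
    for line in display.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip() in FIELDS:
            fields[label.strip()] = value.strip()
    return fields


def audit(display, required_first="tacacs+"):
    """List findings against an assumed policy: AAA server used for both steps."""
    cfg = parse_aaa(display)
    findings = [f"missing field: {name}" for name in FIELDS if name not in cfg]
    authen = cfg.get("Authentication Methods", "").split()
    author = cfg.get("Authorization Methods", "").split()
    if authen[:1] != [required_first]:
        findings.append(f"authentication does not try {required_first} first: {authen}")
    if required_first not in author:
        findings.append(f"authorization ({cfg.get('Authorization Type')} mode) "
                        f"does not use {required_first}: {author}")
    return findings


if __name__ == "__main__":
    for name, text in (("tacacs+", SAMPLE), ("default", DEFAULT)):
        print(name, audit(text))
```

Run against the page's first display, the audit reports only the authorization finding, because cnfaaa-authen changed the authentication methods while Authorization Methods still reads local cisco.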
