Configuring Authorization
Specifying the Authorization Method
Authorization methods are defined as optional keywords in the aaa authorization command. You
can specify any of the authorization methods listed in Table 4-8 for both network and EXEC
authorization.
Table 4-8    AAA Authorization Method

Method              Description
if-authenticated    User is authorized if already authenticated.
none                Authorization always succeeds.
local               Uses the local database for authorization. The local database is
                    created using the username privilege command to assign users to a
                    privilege level from 0 to 15 and the privilege level command to
                    assign commands to these different levels.
radius              Uses RADIUS authorization as defined on a RADIUS server.
tacacs+             Uses TACACS+ authorization as defined on a TACACS+ server.

Specifying Authorization Parameters on a TACACS+ Server
When you configure authorization, you must ensure that the parameters established on the access
server correspond with those set on the TACACS+ server.

Authorization Examples
The following example uses a TACACS+ server to authorize the use of network services, including
PPP and ARA. If the TACACS+ server is not available or has no information about a user, no
authorization is performed and the user can use all network services:

5300(config)# aaa authorization network tacacs+ none

The following example permits the user to run the EXEC process if the user is already authenticated.
If the user is not already authenticated, the Cisco IOS software defers to a RADIUS server for
authorization information:

5300(config)# aaa authorization exec if-authenticated radius

The following example configures network authorization. If the TACACS+ server does not respond
or has no information about the username being authorized, the RADIUS server is polled for
authorization information for the user. If the RADIUS server does not respond, the user still can
access all network resources without authorization requirements.

5300(config)# aaa authorization network tacacs+ radius none

Cisco AS5300 Universal Access Server Software Configuration Guide
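
The fallback order in the examples above decides whether a list fails open when the servers are silent. The following Python audit is an added example, not part of the Cisco guide: it walks each method list the way the examples describe and flags lists that grant access with no server answering. The function names, the fourth sample line, and the rule that an exhausted list denies are assumptions.

```python
import re

# Methods from Table 4-8 of the page.
METHODS = {"if-authenticated", "none", "local", "radius", "tacacs+"}
LINE_RE = re.compile(r"aaa authorization (network|exec)\s+(.+)$")

def parse(line):
    """Return (service, [methods]) for an 'aaa authorization' line, else None."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    methods = m.group(2).split()
    unknown = [x for x in methods if x not in METHODS]
    if unknown:
        raise ValueError(f"unknown method(s): {unknown}")
    return m.group(1), methods

def decide(methods, answers, authenticated):
    """Walk the list in order; return (result, method that decided).

    answers maps local/radius/tacacs+ to 'permit' or 'deny'. A missing key means
    the source did not respond or had no information about the user.
    """
    for method in methods:
        if method == "none":
            return "permit", "none"          # authorization always succeeds
        if method == "if-authenticated":
            if authenticated:
                return "permit", method
            continue                          # defer to the next method
        if method in answers:
            return answers[method], method
    return "deny", None                       # assumption: exhausted list denies

def fails_open(methods):
    """True if access is granted with every source silent and no authentication."""
    return decide(methods, {}, authenticated=False)[0] == "permit"

# Constructed sample: the page's three commands plus one list without 'none'.
SAMPLE = """\
5300(config)# aaa authorization network tacacs+ none
5300(config)# aaa authorization exec if-authenticated radius
5300(config)# aaa authorization network tacacs+ radius none
5300(config)# aaa authorization network tacacs+ radius
"""

def audit(text):
    """Return (service, methods, fails_open) for each authorization line."""
    parsed = filter(None, map(parse, text.splitlines()))
    return [(svc, methods, fails_open(methods)) for svc, methods in parsed]
```

Calling audit(SAMPLE) marks the first and third lists as failing open, because the trailing none is reached whenever TACACS+ and RADIUS give no answer.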