Tacacs+ Command Authorization; Radius Authorization - Cisco WS-C4003 - Catalyst 4000 Chassis Switch Software Configuration Manual


Understanding How Authorization Works

TACACS+ Command Authorization

You can require authorization for all commands or for configuration (enable mode) commands only.
Configuration commands include the following:

- copy
- clear
- commit
- configure
- delete
- download
- format
- reload
- rollback
- session
- set
- squeeze
- switch
- undelete

The following TACACS+ authorization process occurs for every command that you enter:

- If you have disabled the command authorization feature, the TACACS+ server allows you to execute any command on the switch.
- If you have enabled authorization for configuration commands only, the switch verifies that the argument string matches one of the commands listed above. If there is no match, the switch completes the command. If there is a match, the switch forwards the command to the NAS for authorization.
- If you have enabled authorization for all commands, the switch forwards the command to the NAS for authorization.

RADIUS Authorization

RADIUS has limited authorization. The Service-Type attribute in the authentication protocol provides authorization information. This attribute is part of the user profile.

When you log in using RADIUS authentication and you do not have Administrative/Shell (6) Service-Type access, the NAS authenticates you and logs you in to EXEC mode if authentication succeeds. If you have Administrative/Shell (6) Service-Type access, the NAS authenticates you and logs you in to privileged mode if authentication succeeds.

Software Configuration Guide—Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4
Chapter 27
Configuring Switch Access Using AAA
78-12647-02
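
The TACACS+ per-command decision and the RADIUS Service-Type mapping described on this page, as an added Python example (not code from the Cisco manual or from switch software). The mode labels, function names and sample session are hypothetical, and matching on the exact first word of the command is an assumption about how the switch compares the argument string.

```python
# Added illustration, not Cisco code: models the decisions described in the text.
CONFIG_COMMANDS = frozenset({
    "copy", "clear", "commit", "configure", "delete", "download", "format",
    "reload", "rollback", "session", "set", "squeeze", "switch", "undelete",
})
RADIUS_ADMINISTRATIVE = 6  # Service-Type the page labels Administrative/Shell (6)
MODES = ("disabled", "config", "all")  # hypothetical labels for the three cases


def requires_authorization(mode, command_line):
    """Return True if the command is forwarded for TACACS+ authorization.

    Assumption: the match is on the first word, exact and case-insensitive.
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode!r}")
    words = command_line.split()
    if not words or mode == "disabled":
        return False  # feature off: modelled here as no per-command check
    if mode == "all":
        return True   # every command is forwarded
    return words[0].lower() in CONFIG_COMMANDS  # configuration commands only


def unchecked_commands(mode, command_lines):
    """Commands from a session that complete without a server-side check."""
    return [c for c in command_lines
            if c.strip() and not requires_authorization(mode, c)]


def radius_login_mode(service_type):
    """Map the Service-Type in the RADIUS user profile to the mode at login."""
    return "privileged" if service_type == RADIUS_ADMINISTRATIVE else "EXEC"


# Constructed sample session, for illustration only.
SAMPLE_SESSION = ["show config", "set vlan 10 2/1", "clear counters",
                  "ping 192.0.2.1", "reload"]

if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode:9} unchecked: {unchecked_commands(mode, SAMPLE_SESSION)}")
    print("Service-Type 6:", radius_login_mode(6))
    print("Service-Type 1:", radius_login_mode(1))
```

On the sample session, the configuration-only mode leaves `show config` and `ping 192.0.2.1` outside server authorization, which is the coverage gap to weigh when choosing between the two enabled modes.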
