ADTRAN AOS Version R10.1.0 Command Reference Manual page 879

Adtran operating system (aos)
Command Reference Guide
Default Values
By default, no AAA authorization method lists are defined or applied.
Command History
Release 11.1: Command was introduced.
Functional Notes
AAA authorization is an AAA service that helps limit the network services available to users. Authorization
works by retrieving information from the user's profile (stored either in the local database or on a security
server) and using that information to determine the areas of the network to which the user is allowed
access. In AOS, AAA authorization can limit the commands available to a specific user and specify
whether or not users can access privileged command line interface (CLI) sessions. Limiting available
commands on a per-user basis is achieved by using the aaa authorization commands command to
create a default or named method list that specifies which level of commands (Level 1 or Level 15) is
authorized.
The user command privilege level (1 or 15) must be defined in addition to specifying all of
the commands available on a per-user basis in the configuration of the TACACS+ server.
Commands of a particular level are not checked for authorization unless explicitly defined
in the configuration with a method list. For example, if a method list is defined for Level 1
commands but not Level 15, then a user is able to enter any Level 15 commands since no
authorization takes place due to the lack of a Level 15 commands method list. The same
user will only be allowed to enter the Level 1 commands configured for the user in the
Level 1 commands method list.
Before AAA authorization method lists can be configured or applied, AAA must be enabled. To enable
AAA, use the command aaa on on page 889.
Each AAA authorization method list relies on a combination of authorization methods. The methods must
be entered into the list in the order in which they are to be performed. Although the methods can be entered
in any order, each can be used only once. The exception is the group <name> method, which can be entered
multiple times to accommodate multiple configured server groups. If the unit fails to make a connection
with the first group listed, it will try the next group specified.
For security reasons, ADTRAN recommends that the local authentication method be used
instead of the none authentication method. Using the local authentication method
prevents unauthorized users from gaining access to the device during a period in which
the links to all authentication servers are down. The local user database contained within
the AOS device will always be available and serves as the last line of defense.
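The two caveats above (a command level with no method list is not checked for authorization, and the none method is discouraged) can be checked against a saved configuration. The following Python check is an added example, not ADTRAN code; the layout of the aaa authorization commands line (level, list name, then methods), the group names and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample configuration. Assumed line layout (not from the page):
#   aaa authorization commands <level> <list-name> <method> [<method> ...]
SAMPLE_CONFIG = """\
aaa on
aaa authorization commands 1 default group SITE-A group SITE-B none
"""

LIST_LINE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")


def parse_methods(text):
    """Split the method string, keeping 'group <name>' as a single method."""
    tokens, methods = text.split(), []
    while tokens:
        head = tokens.pop(0)
        if head == "group" and tokens:
            head += " " + tokens.pop(0)
        methods.append(head)
    return methods


def audit(config):
    """Return findings for the authorization gaps described in the notes."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    if "aaa on" not in lines:
        findings.append("AAA is not enabled (no 'aaa on' line)")
    covered = set()
    for line in lines:
        match = LIST_LINE.match(line)
        if not match:
            continue
        level, name = int(match.group(1)), match.group(2)
        methods = parse_methods(match.group(3))
        covered.add(level)
        if "none" in methods:
            findings.append(f"level {level} list '{name}' uses method 'none'")
        # Only 'group <name>' may appear more than once in a list.
        repeats = sorted({m for m in methods
                          if not m.startswith("group ") and methods.count(m) > 1})
        if repeats:
            findings.append(f"level {level} list '{name}' repeats {repeats}")
    for level in (1, 15):
        if level not in covered:
            findings.append(f"level {level} has no method list: commands unchecked")
    return findings
```

Run against the sample, the audit reports the none method in the Level 1 list and the missing Level 15 list, which is the case the note describes where any Level 15 command is accepted without authorization.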
60000CRG0-35E
Copyright © 2012 ADTRAN, Inc.
Global Configuration Mode Command Set