ADTRAN AOS Version R10.1.0 Command Reference Manual page 884

Adtran operating system (aos)

Command Reference Guide
Global Configuration Mode Command Set

Command History
Release 13.1    Command was introduced.

Functional Notes
AAA authorization is an AAA service that helps limit the network services available to users. Authorization
works by retrieving information from the user's profile (stored either on the local database or security
server) and uses that information to determine the areas of the network to which the user is allowed
access. In AOS, AAA authorization can limit the commands available to a specific user and specify
whether or not users can access privileged CLI sessions. Limiting access to privileged CLI sessions is
achieved by using the aaa authorization exec command to create a default or named method list that
restricts access to Enable mode.

Before AAA authorization method lists can be configured or applied, AAA must be enabled. To enable
AAA, use the command aaa on on page 889.

Each AAA authorization method list relies on a combination of authorization methods. Each method must
be entered into the list in the order that they are to be performed. Although these methods can be entered
in any order, each can only be used once. The exception is the group <name> method that can be entered
multiple times to accommodate multiple configured server groups. If the unit fails to make a connection
with the first group listed, it will try the next group specified.

For security reasons, ADTRAN recommends that the local authentication method be used
instead of the none authentication method. Using the local authentication method
prevents unauthorized users from gaining access to the device during a period in which
the links to all authentication servers are down. The local user database contained within
the AOS device will always be available and serves as the last line of defense.

The two types of method lists created using the aaa authorization exec command are a default list and a
named list. A default list is one that is created and automatically applied to all line interfaces at the global
level. A named method list is one that does not perform any action until it is manually applied to an
interface. Named AAA exec authorization method lists are applied to line interfaces using the
authorization exec command from the appropriate line interface configuration mode (Line (Console)
Interface Command Set on page 1464, Line (SSH) Interface Command Set on page 1498, or
Line (Telnet) Interface Command Set on page 1481).

To use TACACS+ servers to perform Enable mode authorization, the TACACS+ servers must be
configured prior to creating the method list. You can configure all TACACS+ servers in the system using
the command tacacs-server on page 1357. You can configure individual TACACS+ servers using the
command tacacs-server host on page 1358. Once the TACACS+ servers have been configured, you can
use all TACACS+ servers for authorization by using the group tacacs+ method. If you only want to use
some of the available TACACS+ servers for authorization, you can create a named server group and add
the TACACS+ servers to the group. Server groups are created using the command aaa group server on
page 886 and servers are added to the group as outlined in the TACACS+ Group Command Set on page
3361.

For more information about AAA authorization, or AAA configuration in general, refer to the Configuring
AAA in AOS configuration guide available online at https://supportforums.adtran.com.

60000CRG0-35E    Copyright © 2012 ADTRAN, Inc.    884
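
The method-list rules in the Functional Notes, expressed as a configuration check (an added example, not part of the ADTRAN manual). The command names come from this page; the argument layout of each line, the names MGMT, BACKUP and OPS, and the sample configuration are constructed assumptions rather than verified AOS syntax.

```python
import re

# Constructed sample. Command names are from the page; the argument layout
# (list name, then methods) and the names MGMT/BACKUP/OPS are assumptions.
SAMPLE = """\
aaa group server tacacs+ MGMT
aaa authorization exec default group MGMT group tacacs+
aaa authorization exec OPS group BACKUP none none
line telnet 0 4
 authorization exec default
"""

def parse_methods(tokens):
    """['group', 'MGMT', 'none'] -> ['group MGMT', 'none']"""
    out, i = [], 0
    while i < len(tokens):
        step = 2 if tokens[i] == "group" and i + 1 < len(tokens) else 1
        out.append(" ".join(tokens[i:i + step]))
        i += step
    return out

def check_exec_method_lists(config):
    """Return findings for the exec-authorization rules stated on the page."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    def grab(pat):
        return [m.groups() for ln in lines if (m := re.match(pat, ln))]

    groups = {g[0] for g in grab(r"aaa group server \S+ (\S+)$")}
    applied = {a[0] for a in grab(r"authorization exec (\S+)$")}
    lists = {name: parse_methods(rest.split())
             for name, rest in grab(r"aaa authorization exec (\S+) (.+)$")}
    findings = []
    if lists and "aaa on" not in lines:
        findings.append("aaa on is missing; AAA must be enabled first")
    for name, methods in lists.items():
        # A named list does nothing until it is applied to a line interface.
        if name != "default" and name not in applied:
            findings.append(f"{name}: named list not applied to any line")
        for meth in dict.fromkeys(methods):  # unique, in listed order
            named_group = meth.startswith("group ") and meth != "group tacacs+"
            if named_group and meth.split()[1] not in groups:
                findings.append(f"{name}: server group {meth.split()[1]} undefined")
            # Only group <name> may appear more than once in a list.
            if not named_group and methods.count(meth) > 1:
                findings.append(f"{name}: method '{meth}' used more than once")
    return findings

if __name__ == "__main__":
    for finding in check_exec_method_lists(SAMPLE):
        print(finding)
```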
