AAA authorization provides administrators with the power to limit the services that are available to users. After authorization is enabled, the network access server uses the authorization information that was supplied to it by the security server based on the user’s profile. This allows the network access server to limit the access granted to the user based on the information in the user’s profile.
Just as with authentication, method lists define the ways in which authorization will be performed and the sequence in which they are tried. A method list lets you designate one or more security protocols to be used for authorization, which provides a backup in case the initial method is unavailable. Cisco IOS software uses the first method listed to authorize users for specific network services; if that method fails to respond, the software selects the next method in the list. This continues until a listed method answers or all the methods are exhausted. Note the distinction the fallback depends on: a method is skipped only when it does not respond (for example, because the security server is unreachable), not when it responds with a denial. A denial ends the evaluation, so a user rejected by the server is not retried against the local database.
Use the aaa authorization global configuration command to define the parameters that determine what clients are allowed to do. To configure authorization, perform the following steps (Steps 4 and 5 are optional):
1. Enable AAA with the aaa new-model global configuration command and configure any security-protocol parameters, such as the shared key. This step and the key configuration were outlined in the sections on configuring TACACS+ and RADIUS.
2.Configure AAA authentication as described in the “Configuring Authentication” section. Authorization generally takes place after authentication and relies on authentication to work properly.
3.Use the following command to enable authorization:
aaa authorization {auth-proxy | network | exec | commands level | reverse-access | configuration | ipmobile} {default | list-name} method1 [method2 ...]

Each method is one of group tacacs+, group radius, group group-name, if-authenticated, local or none. The group keyword designates a security-server group; it is not used with if-authenticated, local or none. Older IOS releases, and the listings in this chapter, also accept the bare keywords tacacs+ and radius as shorthand for the corresponding server group.
4.Define the rights associated with specific users by using the username command if you are using local authorization.
5. Use the no aaa authorization config-commands command to stop the network access server from attempting configuration-command authorization. Some configuration commands are identical to EXEC-level commands, which can confuse the authorization process, because the aaa authorization command with the commands keyword attempts authorization for all EXEC-level commands, including the global configuration commands associated with the specified privilege level. Disable configuration-command authorization only where the security server is not expected to police configuration changes: with it disabled, a user who can enter configuration mode can run any configuration command at that level without the server being consulted.
The command parameters listed in Step 3 are described in Table 2.1.
Table 2.1: Authorization command parameters.

Authorization type   Description
auth-proxy           Applies authentication-proxy policies to specific users
network              Network services, such as PPP
exec                 Starting the EXEC process (a shell on a line)
commands             EXEC-mode commands at the specified privilege level
reverse-access       Reverse Telnet sessions, such as on a terminal server
configuration        Downloading configurations from the security server
ipmobile             Mobile IP services

Method               Description
if-authenticated     Allows the user to access the requested function if the user is already authenticated
none                 No authorization is performed; the request is always granted
local                Uses the local username database for authorization
tacacs+              Uses the TACACS+ server (group tacacs+) for authorization
radius               Uses the RADIUS server (group radius) for authorization
Figure 2.10 displays a network in which multiple users are connected to the corporate office via dial−up and the Internet. After the initial authentication phase, limitations must be placed on each user’s session for security purposes. Some users should be allowed full access to the network and networking devices; such is the case with administrators. Other remote users need to be provided with the services that are deemed necessary to perform their job functions. This is done through the use of authorization. Continuing with the examples that were discussed in the section on configuring authentication, the network access server should be configured so that all users connecting to the network are authorized for the proper services via the security server. This can be accomplished using the configuration in Listing 2.8.
Listing 2.8: Authorization configuration.
! local user database, consulted by the 'local' method
username James privilege 15 password letmein
username admin privilege 15 password adim
username John privilege 15 password cto
!
! default lists apply to every line and interface without a named list
aaa authorization exec default if-authenticated tacacs+ local
aaa authorization exec ADMIN_ONLY none
! named lists take effect only where they are applied to a line or interface
aaa authorization commands 15 ADMIN if-authenticated tacacs+
aaa authorization commands 8 Associate tacacs+ local none
aaa authorization network default tacacs+ local none
!
! console: no EXEC authorization, so an unreachable server cannot lock administrators out
line con 0
 authorization exec ADMIN_ONLY
The configuration in Listing 2.8 defines three users in the local security database of the network access server. The first authorization command uses the default method list to authorize the EXEC process on every line and interface that has no named list applied. Its first method, if-authenticated, grants the EXEC process to any user who passed the authentication phase; because a method list moves on to the next method only when a method fails to respond, and if-authenticated always responds with a pass or a fail, the tacacs+ and local methods that follow it are effectively never consulted. If the intent is for the security server to decide what an authenticated user may do, list the server first and keep if-authenticated or local as the fallback for when the server is unreachable. The second authorization command creates a named method list called ADMIN_ONLY that performs no authorization; it is applied to the console port with the authorization exec ADMIN_ONLY line command, where it overrides the default list so that an unreachable security server cannot lock administrators out of the console. The third authorization command creates a method list named ADMIN for privilege level 15 commands; as with the default EXEC list, if-authenticated settles the request for any authenticated user, and the tacacs+ method after it is a fallback that is not reached. The fourth authorization command is similar to the third but covers the commands associated with privilege level 8: the list named Associate asks the TACACS+ security server, falls back to the local database if the server does not respond, and finally to none, which means that if neither the server nor the local database can answer, the command is permitted. Note that ADMIN and Associate are named lists: the listing defines them but applies them to no line or interface, so until a line is configured with authorization commands 15 ADMIN or authorization commands 8 Associate, command authorization at those levels follows the default list, which is not defined here (and when no default list is defined, no authorization takes place). The final authorization command uses the default method list for all network services the remote client attempts to use: the access server asks the configured TACACS+ security server, falls back to its local database if the server does not respond, and falls back to none after that, so network authorization fails open when the server is unreachable and the user is not in the local database. A trailing none is a convenience for surviving server outages; on a device that must fail closed, end the list with local or with the server group alone.
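To make the method-list semantics concrete, here is an added example (it is not from the original text, nor Cisco code) that models how the access server walks a list and lints the lines of Listing 2.8 for methods that can never be reached, lists that fail open, and named lists that are defined but never applied. It assumes, as stated in the code, that the next method is tried only when the current one fails to respond and that an unknown user makes the local method pass control on; the sample input is the configuration of Listing 2.8.

```python
"""Model how Cisco IOS walks an AAA authorization method list, and lint
'aaa authorization' lines for methods that can never be reached and for
lists that fail open.  Assumption: the NAS moves to the next method only
when the current one fails to respond (if-authenticated and none always
answer; an unknown user is treated as a non-response from local)."""
from __future__ import annotations

import re
from dataclasses import dataclass

ALWAYS_ANSWER = {"if-authenticated", "none"}
LIST_RE = re.compile(r"^\s*aaa authorization (\S+)(?: (\d+))? (\S+) (.+)$")
# 'authorization exec NAME' / 'authorization commands 15 NAME' under a line,
# 'ppp authorization NAME' under an interface
APPLY_RE = re.compile(r"^\s+(?:ppp authorization|authorization \S+(?: \d+)?) (\S+)\s*$")

# Sample input: the configuration of Listing 2.8.
LISTING_2_8 = """\
username James privilege 15 password letmein
username admin privilege 15 password adim
username John privilege 15 password cto
aaa authorization exec default if-authenticated tacacs+ local
aaa authorization exec ADMIN_ONLY none
aaa authorization commands 15 ADMIN if-authenticated tacacs+
aaa authorization commands 8 Associate tacacs+ local none
aaa authorization network default tacacs+ local none
line con 0
 authorization exec ADMIN_ONLY
"""


@dataclass
class AuthzList:
    svc: str            # exec, commands, network, ...
    level: str | None   # privilege level, present only for 'commands'
    name: str           # 'default' or the name of a named list
    methods: list[str]  # 'group X' is recorded as just 'X'

    def label(self) -> str:
        return f"{self.svc}{' ' + self.level if self.level else ''} {self.name}"


def is_server(method: str) -> bool:
    """tacacs+, radius or a named server group: the only methods that can fail to respond."""
    return method not in ALWAYS_ANSWER and method != "local"


def parse_config(config: str) -> tuple[list[AuthzList], set[str]]:
    """Return the lists defined and the names of lists applied to a line or interface."""
    lists, applied = [], set()
    for line in config.splitlines():
        if m := LIST_RE.match(line):
            svc, level, name, rest = m.groups()
            lists.append(AuthzList(svc, level, name, [t for t in rest.split() if t != "group"]))
        elif a := APPLY_RE.match(line):
            applied.add(a.group(1))
    return lists, applied


def settling_method(methods: list[str], *, server_up: bool = True,
                    in_local_db: bool = True) -> str | None:
    """Walk one list for one request; return the method that settles it, or
    None when every method failed to respond (the request is then denied)."""
    for m in methods:
        if m in ALWAYS_ANSWER:
            return m                      # answers pass or fail, never 'no response'
        if m == "local":
            if in_local_db:
                return m
            continue                      # assumption: unknown user -> try next method
        if server_up:
            return m                      # the server makes the decision
    return None


def lint(config: str) -> list[str]:
    """Flag unreachable methods, fail-open tails and named lists that are never applied."""
    findings = []
    lists, applied = parse_config(config)
    for lst in lists:
        for i, m in enumerate(lst.methods):
            if m in ALWAYS_ANSWER and i + 1 < len(lst.methods):
                findings.append(f"{lst.label()}: methods after '{m}' are unreachable: "
                                f"{' '.join(lst.methods[i + 1:])}")
                break
        if lst.methods[-1] == "none" and any(map(is_server, lst.methods)):
            findings.append(f"{lst.label()}: ends in 'none', so it fails open when "
                            "the server does not respond")
        if lst.name != "default" and lst.name not in applied:
            findings.append(f"{lst.label()}: named list is defined but applied to no "
                            "line or interface, so it has no effect")
    return findings


if __name__ == "__main__":
    for finding in lint(LISTING_2_8):
        print(finding)
    print(settling_method(["if-authenticated", "tacacs+", "local"], server_up=False))
```

Run against Listing 2.8 the linter reports six findings: the default EXEC list and ADMIN never reach their tacacs+ (and local) methods, Associate and the default network list fail open, and ADMIN and Associate are applied nowhere. The same parser accepts the group tacacs+ form of newer IOS releases.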
Consider this scenario: James is at home one night watching a really close football game on television (it is a two-point game in the fourth quarter with two minutes to go) when the phone rings. It is someone from his network operations center calling to say that she is having a problem with a couple of devices on the network. James dials into the network to have a look. After he connects to the network access server and it authenticates him using the configured authentication methods, James starts an EXEC session on the network access server. The process the network access server used to authorize James can be seen in the output of Listing 2.9, captured with the debug aaa authorization command.
Listing 2.9: Authorization process.
Seminole#debug aaa authorization
AAA Authorization debugging is on
AAA: parse name=tty2 idb type=-1 tty=-1
AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0
AAA/MEMORY: create_user (0x6251D064) user='' ruser='' port='tty2' rem_addr='192.168.11.45' authen_type=ASCII
tty2 AAA/AUTHOR/EXEC (2897440801): Port='tty2' list=''
AAA/AUTHOR/EXEC: tty2 (2897440801) user='James'
tty2 AAA/AUTHOR/EXEC (2897440801): send AV service=shell
tty2 AAA/AUTHOR/EXEC (2897440801): send AV cmd*
tty2 AAA/AUTHOR/EXEC (2897440801): found list "default"
tty2 AAA/AUTHOR/EXEC (2897440801): Method=tacacs+ (tacacs+)
AAA/AUTHOR/TAC+: (2897440801): user=James
AAA/AUTHOR/TAC+: (2897440801): send AV service=shell
AAA/AUTHOR/TAC+: (2897440801): send AV cmd*
AAA/AUTHOR (2897440801): Post authorization status = PASS_ADD
AAA/AUTHOR/EXEC: Authorization successful
AAA/MEMORY: free_user (0x62558A94) user='James' ruser='' port='tty2' rem_addr='192.168.11.45' authen_type=ASCII
Notice that the access server first allocates a block of memory for the user (create_user) before any authorization decision is made; at that point the user name is not yet known, so the empty user='' is normal. The request is an EXEC authorization (AAA/AUTHOR/EXEC), and the attribute-value pairs sent to the server, service=shell and cmd*, identify it as a request to start an EXEC shell rather than to run a particular command (a command authorization carries service=shell together with a cmd= value naming the command). The access server then associates the request with the user name James. Because the line has no named list applied (list=''), the default method list is used, and the first method able to answer is tacacs+, so the access server passes James's information to the TACACS+ security server. The server responds PASS_ADD: the request passed, and the server returned attributes, such as a privilege level, that the access server adds to the session. The same request ID (2897440801) appears on every EXEC, TAC+ and post-authorization line, which is how the lines of one request are tied together when several sessions are debugged at once. With the default list exactly as written in Listing 2.8, if-authenticated would have settled this request before tacacs+ was reached; the output shown is what you see when the security server is the first method in the list.
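As an added example (not part of the original text and not a Cisco tool), the following script parses output of the form shown in Listing 2.9 and reports, for each request ID, the user, port, peer address, method list, method, attribute-value pairs and result, flagging denials and requests that were settled by none or if-authenticated without a server being consulted. The sample input is the Listing 2.9 output with the prompt lines removed; the field layout it relies on is only what those lines show.

```python
"""Summarize 'debug aaa authorization' output from a Cisco IOS device: for
each request ID, who asked, from where, which list and method settled the
request, what was asked for (the AV pairs) and the result."""
from __future__ import annotations

import re

# Sample input: the Listing 2.9 output, cleaned up.
SAMPLE_DEBUG = """\
AAA: parse name=tty2 idb type=-1 tty=-1
AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0
AAA/MEMORY: create_user (0x6251D064) user='' ruser='' port='tty2' rem_addr='192.168.11.45' authen_type=ASCII
tty2 AAA/AUTHOR/EXEC (2897440801): Port='tty2' list=''
AAA/AUTHOR/EXEC: tty2 (2897440801) user='James'
tty2 AAA/AUTHOR/EXEC (2897440801): send AV service=shell
tty2 AAA/AUTHOR/EXEC (2897440801): send AV cmd*
tty2 AAA/AUTHOR/EXEC (2897440801): found list "default"
tty2 AAA/AUTHOR/EXEC (2897440801): Method=tacacs+ (tacacs+)
AAA/AUTHOR/TAC+: (2897440801): user=James
AAA/AUTHOR/TAC+: (2897440801): send AV service=shell
AAA/AUTHOR/TAC+: (2897440801): send AV cmd*
AAA/AUTHOR (2897440801): Post authorization status = PASS_ADD
AAA/AUTHOR/EXEC: Authorization successful
AAA/MEMORY: free_user (0x62558A94) user='James' ruser='' port='tty2' rem_addr='192.168.11.45' authen_type=ASCII
"""

REQ_ID = re.compile(r"\((\d+)\)")                 # decimal request ID; skips (0x...) pointers
AV_RE = re.compile(r"send AV (\S+)")
FIELDS = {
    "kind":   re.compile(r"AAA/AUTHOR/([A-Z]+)[ :(]"),   # EXEC, not the TAC+ protocol tag
    "user":   re.compile(r"(?<!r)user='?([^'\s]+)'?"),  # skips ruser= and the empty user=''
    "port":   re.compile(r"port='([^']*)'", re.I),
    "peer":   re.compile(r"rem_addr='([^']*)'"),
    "list":   re.compile(r'found list "([^"]*)"'),
    "method": re.compile(r"Method=(\S+)"),
    "status": re.compile(r"Post authorization status = (\S+)"),
}


def parse_debug(text: str) -> dict[str, dict]:
    """Group the debug lines by request ID.  Lines before the first ID (the
    create_user line) belong to the next request that appears; lines after an
    ID that carry none of their own (free_user) belong to the current request."""
    records: dict[str, dict] = {}
    pending: dict = {"avpairs": []}
    current: dict | None = None
    for line in text.splitlines():
        if m := REQ_ID.search(line):
            rid = m.group(1)
            if rid not in records:
                records[rid] = {"id": rid, **pending}
                pending = {"avpairs": []}
            current = records[rid]
        target = pending if current is None else current
        for key, pat in FIELDS.items():
            if key not in target and (hit := pat.search(line)):
                target[key] = hit.group(1)          # first sighting wins
        if (av := AV_RE.search(line)) and av.group(1) not in target["avpairs"]:
            target["avpairs"].append(av.group(1))
    return records


def review(records: dict[str, dict]) -> list[str]:
    """Flag denials and requests settled without consulting a security server."""
    findings = []
    for r in records.values():
        who = f"{r.get('user', '?')} on {r.get('port', '?')} from {r.get('peer', '?')}"
        status = r.get("status", "")
        if not status.startswith("PASS"):
            findings.append(f"{r['id']} {who}: {r.get('kind', '?')} authorization denied "
                            f"(status {status or 'missing'})")
        if r.get("method") in ("none", "if-authenticated"):
            findings.append(f"{r['id']} {who}: settled by '{r['method']}' on list "
                            f"'{r.get('list', '?')}' without consulting a server")
    return findings


if __name__ == "__main__":
    for r in parse_debug(SAMPLE_DEBUG).values():
        print(f"{r['id']}: {r['kind']} request by {r['user']} on {r['port']} from {r['peer']}, "
              f"list {r['list']}, method {r['method']}, AV {r['avpairs']}, result {r['status']}")
    print(review(parse_debug(SAMPLE_DEBUG)) or "no findings")
```

For the Listing 2.9 trace the summary shows James on tty2 from 192.168.11.45 authorized for an EXEC shell by tacacs+ on the default list with result PASS_ADD, and review returns nothing; the two constructed variants in the checks below (a FAIL status, and a Method=if-authenticated line) each produce one finding.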