Security Configuration 7-15
Configuring Authorization
You can configure the access server to restrict user access to the network so that users can only
perform certain functions after successful authentication. As with authentication, authorization can
be used with either a local or remote security database. This guide describes only remote security
server authorization.
A typical configuration uses both EXEC authorization and network authorization. EXEC
authorization restricts access to the EXEC shell, and network authorization restricts access to network
services, including PPP and ARA.
Authorization must be configured on both the access server and the security daemon. The default
authorization is different on the access server and the security server:
• By default, the access server permits every user until you configure it to send authorization
requests to the daemon.
• By default, the daemon denies anything that is not explicitly permitted. Therefore, you must
explicitly allow all per-user attributes on the security server.
Timesaver Per-user authorization attributes are not enabled for a user until authentication has been set up
for that user. That is, if you want a user to be authorized before gaining access to network resources, you
must first require that user to authenticate. For example, before you specify the aaa authorization
network tacacs+ (or radius) command, you must specify the aaa authentication {ppp | arap} default
if-needed tacacs+ (or radius) command.
Configuring Authorization on the Security Server
There are three levels at which you can configure default authorization on the security server. The
following three sample entries could exist in a security server's configuration file:
• To override the default denial of authorization for a non-existent user, specify a default at the top
level of the configuration file:
default authorization = permit
• At the user level, inside the braces of the user declaration, a service or command that is not
explicitly authorized is denied by default. To permit it instead:
default service = permit
• At the service authorization level, arguments are processed according to the following algorithm.
For each AV pair sent from the access server:
1—If the AV pair from the access server is mandatory, look for an exact match in the daemon's
mandatory list. If found, add the AV pair to the output.
2—If no exact match exists, look in the daemon's optional list for the first attribute match. If
found, add the access server AV pair to the output.
3—If no attribute match exists, deny the command if the default is deny; if the default is permit,
add the access server AV pair to the output.
4—If the AV pair from the access server is optional, look for an exact attribute-value match in
the daemon's mandatory list. If found, add the daemon's AV pair to the output.
5—If not found, look for the first attribute match in the daemon's mandatory list. If found, add
the daemon's AV pair to the output.
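To make the three default levels and the per-argument matching steps concrete, here is an added Python model of the daemon's decision for one request from the access server. This is example code written for this page, not tac_plus or any daemon's own source. It assumes the TACACS+ AV pair syntax ('attr=value' is mandatory, 'attr*value' is optional), models the default in effect for a service clause as a flag on that clause, and, because the list above ends at step 5, continues with the daemon's documented steps 6 to 9 (optional pairs matched against the daemon's optional list, unmatched optional pairs kept or dropped by the default, unmatched mandatory daemon pairs appended). Those continuation steps are marked as assumptions in the code and are not on this page. The sample configuration and requests are constructed for the example.

```python
"""Model of the security daemon's authorization decision for one request.
Added example, not tac_plus source. Labelled assumptions:
- AV pair syntax: 'attr=value' is mandatory, 'attr*value' is optional
  (TACACS+ convention; the page names the two kinds but not the syntax).
- Steps 6-9 are the daemon's documented continuation of the page's list,
  which stops at step 5; they are included so the model runs end to end.
- The default for a service's arguments is a flag on the service clause.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AV:
    attr: str
    value: str
    mandatory: bool

    @classmethod
    def parse(cls, text):
        # The first '=' or '*' separates the attribute from its value.
        i = next((i for i, c in enumerate(text) if c in "=*"), -1)
        if i < 0:
            raise ValueError(f"not an AV pair: {text!r}")
        return cls(text[:i], text[i + 1:], text[i] == "=")

    def __str__(self):
        return f"{self.attr}{'=' if self.mandatory else '*'}{self.value}"


@dataclass
class Service:
    """One 'service = ...' clause: the daemon's mandatory and optional AV lists."""
    mandatory: list = field(default_factory=list)
    optional: list = field(default_factory=list)
    default_permit: bool = False        # default in effect for this clause's arguments


@dataclass
class User:
    services: dict = field(default_factory=dict)   # e.g. "ppp/ip" -> Service
    default_service_permit: bool = False           # 'default service = permit'


@dataclass
class Daemon:
    users: dict = field(default_factory=dict)
    default_authorization_permit: bool = False     # top-level 'default authorization = permit'


def _first(pairs, pred):
    return next((p for p in pairs if pred(p)), None)


def match_service(request, svc):
    """Per-argument algorithm for one service clause; returns (permitted, output AV list)."""
    out = []
    for nas in request:
        exact = lambda p: p.attr == nas.attr and p.value == nas.value
        same_attr = lambda p: p.attr == nas.attr
        if nas.mandatory:
            if _first(svc.mandatory, exact):            # 1: exact match -> access server pair
                out.append(nas)
            elif _first(svc.optional, same_attr):      # 2: attribute match -> access server pair
                out.append(nas)
            elif svc.default_permit:                    # 3: no match -> the default decides
                out.append(nas)
            else:
                return False, []                        #    default deny: the command is denied
        else:
            hit = (_first(svc.mandatory, exact)         # 4: exact match -> daemon's pair
                   or _first(svc.mandatory, same_attr)  # 5: attribute match -> daemon's pair
                   or _first(svc.optional, exact)       # 6 (assumed; not on this page)
                   or _first(svc.optional, same_attr))  # 7 (assumed; not on this page)
            if hit:
                out.append(hit)
            elif svc.default_permit:                    # 8 (assumed): keep the pair under permit,
                out.append(nas)                         #    drop it under deny; command not denied
    for m in svc.mandatory:                             # 9 (assumed): mandatory daemon pairs with no
        if not any(o.attr == m.attr for o in out):      #    attribute match are added, one per attribute
            out.append(m)
    return True, out


def authorize(daemon, username, service, request_strings):
    """Full decision: top-level default, user-level default, then the service clause."""
    request = [AV.parse(s) for s in request_strings]
    user = daemon.users.get(username)
    if user is None:                       # non-existent user: top-level default applies
        permitted = daemon.default_authorization_permit
    elif service not in user.services:     # service not explicitly authorized: user default
        permitted = user.default_service_permit
    else:
        permitted, request = match_service(request, user.services[service])
    return permitted, [str(p) for p in request] if permitted else []


def sample_daemon():
    """Constructed sample: alice has an explicit PPP/IP clause, bob a permissive user default."""
    ppp_ip = Service(mandatory=[AV("addr", "10.0.0.5", True)],
                     optional=[AV("inacl", "101", False)])
    return Daemon(users={"alice": User(services={"ppp/ip": ppp_ip}),
                         "bob": User(default_service_permit=True)})


if __name__ == "__main__":
    d = sample_daemon()
    for who, svc, req in [("alice", "ppp/ip", ["addr=10.0.0.5", "inacl=101"]),
                          ("alice", "ppp/ip", ["addr=10.0.0.9"]),
                          ("alice", "ppp/ip", ["addr*10.0.0.9", "timeout*30"]),
                          ("bob", "exec", ["priv-lvl=15"]),
                          ("mallory", "exec", ["priv-lvl=15"])]:
        print(who, svc, req, "->", authorize(d, who, svc, req))
```

The second request shows the deny-by-default behaviour the page warns about: a mandatory address the daemon has not been told about fails the whole command, whereas the same address sent as an optional pair is simply replaced by the daemon's own value. The last two requests show the user-level and top-level defaults: bob's 'default service = permit' lets an unlisted service through, while the unknown user is refused until 'default authorization = permit' is set at the top level.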