Cisco AS5800 Operations, Administration, Maintenance, and Provisioning Guide
DOC-7810814=
Chapter 4 Administration
Access Service Security
Timesaver: If authentication has not been set up for a user, per-user authorization attributes are not enabled for that user. That is, if you want a user to obtain authorization before gaining access to network resources, you must first require that the user provide authentication. For example, if you want to specify the aaa authorization network tacacs+ (or radius) command, you must first specify the aaa authentication {ppp} default if-needed tacacs+ (or radius) command.
Configuring Authorization on the Security Server
You typically have the following three methods for configuring default authorization on the security server:
To override the default denial of authorization for a nonexistent user, specify authorization at the top level of the configuration file:
default authorization = permit
At the user level, inside the braces of the user declaration, the default for a user who does not have a service or command explicitly authorized is to deny that service or command. To permit it:
default service = permit
At the service authorization level, arguments are processed according to the following algorithm. For each AV pair sent from the Cisco AS5800, the following process occurs:
a. If the AV pair from the Cisco AS5800 is mandatory, look for an exact match in the daemon's mandatory list. If found, add the AV pair to the output.
b. If an exact match does not exist, look in the daemon's optional list for the first attribute match. If found, add the Cisco AS5800 AV pair to the output.
c. If no attribute match exists, deny the command if the default is to deny. If the default is permit, add the Cisco AS5800 AV pair to the output.
d. If the AV pair from the Cisco AS5800 is optional, look for an exact attribute, value match in the mandatory list. If found, add the daemon's AV pair to the output.
e. If not found, look for the first attribute match in the mandatory list. If found, add the daemon's AV pair to the output.
f. If no mandatory match exists, look for an exact attribute, value pair match among the daemon's optional AV pairs. If found, add the daemon's matching AV pair to the output.
g. If no exact match exists, locate the first attribute match among the daemon's optional AV pairs. If found, add the daemon's matching AV pair to the output.
h. If no match is found, delete the AV pair if the default is deny. If the default is permit, add the Cisco AS5800 AV pair to the output.
i. After all AV pairs have been processed, for each mandatory daemon AV pair whose attribute is not already in the output list, add that AV pair. Add only one AV pair for each mandatory attribute.