Cisco AS5800 Operations, Administration, Maintenance, and Provisioning Guide
DOC-7810814=
Chapter 4 Administration
Access Service Security
Specifying Authorization Parameters on a TACACS+ Server

When you configure authorization, you must ensure that the parameters established on the
Cisco AS5800 correspond with those set on the TACACS+ server.

Authorization Examples

The following example uses a TACACS+ server to authorize the use of network services, including PPP.
If the TACACS+ server is not available or has no information about a user, no authorization is
performed, and the user can use all network services.

    5800-1(config)# aaa authorization network tacacs+ none

The following example permits the user to run the EXEC process if the user is authenticated. If the user
is not authenticated, the Cisco IOS software defers to a RADIUS server for authorization information.

    5800-1(config)# aaa authorization exec if-authenticated radius

The following example configures network authorization. If the TACACS+ server does not respond or
has no information about the username being authorized, the RADIUS server is polled for authorization
information for the user. If the RADIUS server does not respond, the user still can access all network
resources without authorization requirements.

    5800-1(config)# aaa authorization network tacacs+ radius none

Table 4-6 Authorization Methods

Authorization Methods   Purpose
---------------------   -------
if-authenticated        User is authorized if already authenticated.
local                   Uses the local database for authorization. The local database is
                        created using the username privilege command to assign users to a
                        privilege level from 0 to 15, and the privilege level command to
                        assign commands to these different levels.
none                    Authorization always succeeds.
radius                  Uses RADIUS authorization as defined on a RADIUS server.
tacacs+                 Uses TACACS+ authorization as defined on a TACACS+ server.
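
The fallback order in the three authorization examples above, as an added Python sketch (not Cisco code and not part of the original guide): it parses aaa authorization lines, walks each method list in order, and flags lists that still permit a user when no server answers. The function names, the fourth sample line, and the rule that an exhausted list denies are assumptions of this example.

```python
import re

LINE_RE = re.compile(r"^(?:\S+\(config\)#\s*)?aaa authorization (network|exec)\s+(.+)$")

def parse_authorization(config_text):
    """Return [(service, [methods...])] for each 'aaa authorization' line."""
    found = []
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            found.append((m.group(1), m.group(2).split()))
    return found

def evaluate(methods, answers, authenticated=False):
    """Walk the method list in order and return (decision, deciding method).

    answers maps a method name to "permit" or "deny". A method absent from
    answers models a server that does not respond or has no information
    about the user, so the next method in the list is tried.
    """
    for method in methods:
        if method == "none":
            return "permit", "none"        # Table 4-6: always succeeds
        if method == "if-authenticated":
            if authenticated:
                return "permit", method
            continue                        # defer to the next method
        if method in answers:
            return answers[method], method
    return "deny", None                     # assumption: exhausted list denies

def fails_open(methods):
    """True if an unauthenticated user is permitted when no server answers."""
    return evaluate(methods, answers={}, authenticated=False)[0] == "permit"

# The three commands from this page, plus one constructed line without 'none'.
SAMPLE = """\
5800-1(config)# aaa authorization network tacacs+ none
5800-1(config)# aaa authorization exec if-authenticated radius
5800-1(config)# aaa authorization network tacacs+ radius none
5800-1(config)# aaa authorization network tacacs+ radius
"""

if __name__ == "__main__":
    for service, methods in parse_authorization(SAMPLE):
        verdict = "FAILS OPEN" if fails_open(methods) else "fails closed"
        print(f"{service:8} {' '.join(methods):24} {verdict}")
```

Both lists that end in none are reported as failing open; the exec list and the constructed list without none deny an unauthenticated user when no server answers.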