User's Manual
Configuring EXEC authorization through AAA
To enable AAA authorization, run aaa authorization. The aaa authorization exec command creates one or
more authorization method lists and enables EXEC authorization, which decides whether users may run the
EXEC shell program, or whether users are authorized with the privilege when entering the EXEC shell
program. After the authorization method lists are configured, you can apply these lists by running
login authorization. Run the following commands, starting in global configuration mode:
Command                                                             Purpose
aaa authorization exec {default | list-name} method1 [method2...]   Creates the global authorization list.
line [console | vty] line-number [ending-line-number]               Enter the configuration mode of a line.
login authorization {default | list-name}                           Applies the authorization list to a line or set of lines. (In the line configuration mode)
The list-name is a character string used to name the list you are creating. The method keyword
designates the actual method used for the authorization process. The next authorization method is tried
only when the previous method returns an authorization error. If authorization fails under the previous
method, the remaining authorization methods are not used. If you require the EXEC shell to be entered even
when all authorization methods return authorization errors, designate none as the last authorization
method in the command line.
The default parameter creates a default authorization list, which is automatically applied to all
interfaces. For example, you can run the following command to designate RADIUS as the default authorization
method of EXEC:
aaa authorization exec default group radius
Note:
If the authorization method list cannot be found during authorization, the authorization is passed directly,
without any authorization service being conducted.
The following table lists currently-supported EXEC authorization methods:
Keyword            Notes
group WORD         Uses the named server group to conduct authorization.
group radius       Uses RADIUS authorization.
group tacacs+      Uses tacacs+ authorization.
local              Uses the local database to perform authorization.
if-authenticated   Automatically authorizes the authenticated user with all required functions.
none               Passes the authorization unconditionally.
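The Note and the none keyword above both describe cases where the EXEC shell is granted without an authorization decision. The following audit script is an added example, not part of the manual; it assumes a saved configuration that uses exactly the command forms shown in this section, and the sample configuration and list names (MGMT, OOB) are constructed.

```python
import re

# Constructed sample configuration (not from the manual), using this section's command forms.
SAMPLE_CONFIG = """\
aaa authorization exec default group radius
aaa authorization exec MGMT group tacacs+ local none
line vty 0 4
 login authorization MGMT
line console 0
 login authorization OOB
"""

def parse_methods(spec):
    """Split 'group tacacs+ local none' into ['group tacacs+', 'local', 'none']."""
    tokens, methods, i = spec.split(), [], 0
    while i < len(tokens):
        step = 2 if tokens[i] == "group" and i + 1 < len(tokens) else 1
        methods.append(" ".join(tokens[i:i + step]))
        i += step
    return methods

def audit_exec_authorization(config):
    """Return (location, list_name, issue) tuples for fail-open EXEC authorization."""
    lists, applied, current_line = {}, [], None
    for raw in config.splitlines():
        text = raw.strip()
        if m := re.match(r"aaa authorization exec (\S+) (.+)$", text):
            lists[m.group(1)] = parse_methods(m.group(2))
        elif re.match(r"line (?:(?:console|vty) )?\d+(?: \d+)?$", text):
            current_line = text
        elif (m := re.match(r"login authorization (\S+)$", text)) and current_line:
            applied.append((current_line, m.group(1)))
    findings = []
    for name, methods in lists.items():
        if "none" in methods:
            findings.append(("global", name,
                             "contains 'none': EXEC shell is entered even when every other method returns an error"))
    for where, name in applied:
        if name not in lists:  # per the Note: a missing list means no authorization is conducted
            findings.append((where, name,
                             "list not defined: authorization is passed without any service being consulted"))
    return findings

if __name__ == "__main__":
    for finding in audit_exec_authorization(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```

On the sample, the script reports the MGMT list (it contains none) and the console line (it applies OOB, which is never defined).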
8.3.3 AAA Authorization Examples