aaa authorization commands - 188金宝搏的网址

Syntax

aaa authorization commands{local | none} aaa authorization commandsgroupno aaa authorization commands

Description

Defines authorization as being basic local RBAC (specified asnone), or as full-fledged local RBAC specified aslocal(the default), or as remote TACACS+ (specified withgroup). Each available connection type (channel) can be configured individually. All server groups named in the command, must exist. This command can be issued multiple times, once for each connection type.

Thenoform of this command unconfigures authorization for the specified connection type, reverting to the default oflocal.

NOTE:Although only TACACS+ servers are supported for remote authorization, local authorization (basic or full-fledged) can be used with remote RADIUS authentication.

Command context

config

Parameters

th之一ese connection types (channels):

default: Selects thedefaultconnection type for configuration. This configuration applies to all other connection types (console,ssh) that are not explicitly configured with this command. For example, if you do not useaaa authorization commands console...to define the console authorization list, then this default configuration is used for console.

console: Selects theconsoleconnection type for configuration.

ssh: Selects thesshconnection type for configuration.

local(the default)

When used alone withoutgroup, selects local authorization which can be used to provide authorization for a purely local setup without any remote AAA servers and also for when RADIUS is used for remote Authentication and Accounting but Authorization is local.

When used aftergroup, provides for fallback (to full-fledged local authorization) when every server in every specified TACACS+ server group cannot be reached.

NOTE:

If any TACACS+ server in the specified groups is reachable, but the command fails to be authorized by that server, the command is rejected and local authorization is never attempted. Local authorization is only attempted if every TACACS+ server cannot be reached.

none

When used alone withoutgroup, selects basic local RBAC authorization, for use with the built-in user groups (administrators,operators,auditors).

When used aftergroup, provides for fallback (to basic local RBAC authorization) when every server in every specified TACACS+ server group cannot be reached.

NOTE:

Withnone, for users belonging to user-defined user groups, all commands can be executed regardless of what authorization rules are defined in such groups. For per-command local authorization, uselocalinstead.

group

Specifies the list of remote AAA server group names. Predefined remote AAA group nametacacsis available. User-defined TACACS+ server group names may also be used. The remote AAA server groups are accessed in the order that the group names are listed in this command. Within each group, the servers are accessed in the order in which the servers were added to the group. Server groups are defined using commandaaa server groupand servers are added to a server group using commandserver.

It is recommended to always include either the special namelocalornoneas the last name in the group list. If bothlocalandnoneare omitted, and no remote AAA server is reachable (or the first reachable server cannot authorize the command), command execution for the current user will not be possible.

Authority

Administrators or local user group members with execution rights for this command.

Examples

设置默认的授权local:

switch(config)#aaa authorization commands default local

Setting the authorization for the SSH interface tonone:

switch(config)#aaa authorization commands ssh none