UNCLASSIFIED
Implementing Security on Cisco Routers
Version 1.0g
Authorization includes one-time authorization, authorization for each service, and
authorization for each user. Additionally, authorization can only be configured using
AAA. Authorization method lists can include RADIUS and TACACS+ security
protocols along with Kerberos Instance Maps, if-authenticated, and local (which is
very limited) methods.
As with authentication, method lists define what authorization protocols will be used
and in what order. Authorization commands with method lists do not need to be
named or use default. If they are unnamed they automatically apply to all interfaces
and lines for that type of traffic. There is a special case for the console line: if a user
has been authenticated when logging into the console line, then authorization will not
be used (even if configured). Default method lists are applied to all lines and
interfaces for that particular authorization type, but named method lists (other than
default) must be applied to the interface or line to be invoked. AAA authorization
types are:
§ exec, which controls the user's ability to run an EXEC shell.
§ commands <level>, which controls access to all the commands at the specified privilege level.
§ network, which enables authorization for all network related services such as PPP, PPP NCPs, SLIP, and ARA Protocols.
§ reverse-access, which controls access to all reverse access connections such as reverse Telnet.
Authorization lists are specific to the authorization type which is being defined. If no
authorization list is defined for the authorization type then no authorization will occur
for that type.
Prerequisites to AAA authorization: enable AAA services, configure AAA
authentication (since authorization relies on authentication's output), define security
servers, and define the rights for each user. The RADIUS and TACACS+ security
servers, as described in Section 4.6.4, use attribute-value pairs to define a user's
rights. Authorization works by creating a list of attributes which describe what the
user is allowed to do. When a user logs in and has been identified by authentication,
then the security server database will be used to control access to various network
components and services as defined by the stored attributes.
For more information about configuring authorization using AAA, refer to the
"Configuring Authorization" chapter in the Security Configuration Guide.
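The following IOS configuration is an added example, not taken from the guide, showing the default versus named authorization method lists described above together with the prerequisites (AAA enabled, authentication configured, a security server defined). The TACACS+ server address 192.0.2.10, the shared key, the local account and the list name ADMIN-VTY are constructed placeholders.

```cisco
! Added example, not from the guide. Server address, key,
! username and list names are constructed placeholders.
aaa new-model
!
! Security server referenced by the method lists (see Section 4.6.4).
tacacs-server host 192.0.2.10
tacacs-server key REPLACE-WITH-SHARED-KEY
!
! Authorization relies on authentication's output, so an
! authentication method list must be in place first.
aaa authentication login default group tacacs+ local
!
! Default (unnamed) lists: apply to every line and interface for
! that authorization type with no further configuration. The
! if-authenticated method only grants access when the server is
! unreachable and the user already passed authentication.
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local
!
! Named lists: have no effect until applied to a line or interface.
aaa authorization exec ADMIN-VTY group tacacs+ local
aaa authorization commands 15 ADMIN-VTY group tacacs+ local
!
! Local fallback account; the local authorization method is limited
! to what this privilege level and password define.
username admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
!
! Apply the named lists to the VTY lines only; other lines keep
! the default lists.
line vty 0 4
 authorization exec ADMIN-VTY
 authorization commands 15 ADMIN-VTY
!
! Console: a user authenticated on the console line is not subject
! to authorization even though default lists are configured.
line con 0
 login authentication default
```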
Accounting
AAA accounting is used for logging and tracking the activities of users (people or
other network components) using a network resource. These logs can be used for
network management, security analysis, resource usage tracking, and reporting.