UNCLASSIFIED. Implementing Security on Cisco Routers, Version 1.0g, page 141

Authorization includes one-time authorization, authorization for each service, and authorization for each user. Authorization can only be configured using AAA. Authorization method lists can include the RADIUS and TACACS+ security protocols along with Kerberos instance maps, if-authenticated, and local (which is very limited) methods. As with authentication, method lists define which authorization protocols will be used and in what order.

Authorization commands with method lists do not need to be named or use default. If they are unnamed, they automatically apply to all interfaces and lines for that type of traffic. There is a special case for the console line: if a user has been authenticated when logging into the console line, then authorization will not be used (even if configured). Default method lists are applied to all lines and interfaces for that particular authorization type, but named method lists (other than default) must be applied to the interface or line to be invoked.

AAA authorization types are:
- exec, which controls the user's ability to run an EXEC shell.
- commands <level>, which controls access to all the commands at the specified privilege level.
- network, which enables authorization for all network-related services such as PPP, PPP NCPs, SLIP, and ARA protocols.
- reverse-access, which controls access to all reverse-access connections such as reverse Telnet.

Authorization lists are specific to the authorization type being defined. If no authorization list is defined for an authorization type, then no authorization will occur for that type.

Prerequisites to AAA authorization: enable AAA services, configure AAA authentication (since authorization relies on authentication's output), define security servers, and define the rights for each user.
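As an added illustration (not from the guide), the following Python audit walks a constructed IOS running-config and checks the rules above: AAA enabled, authentication and a security server configured, a list defined for every authorization type, and each named exec/commands list applied under a line. The server address and list names are hypothetical; network lists, which are applied on interfaces rather than lines, are left out of the line check.

```python
import re
# Constructed sample running-config (hypothetical names/address, not from the guide).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 ADMIN-CMDS group tacacs+ if-authenticated
aaa authorization network default group radius
aaa authorization reverse-access default group tacacs+
tacacs-server host 192.0.2.10
line vty 0 4
 login authentication default
 authorization commands 15 ADMIN-CMDS
"""
AUTHZ_TYPES = ("exec", "commands", "network", "reverse-access")
LIST_RE = re.compile(r"aaa authorization (exec|commands \d+|network|reverse-access) (\S+) ")
SERVER_PREFIXES = ("tacacs-server ", "tacacs server ", "radius-server ", "radius server ")
def parse_config(text):  # -> (global commands, {line section: [indented sub-commands]})
    global_cmds, lines, current = [], {}, None
    for raw in filter(str.strip, text.splitlines()):
        if raw.startswith(" ") and current is not None:
            lines[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            lines[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, lines
def audit_aaa_authorization(text):
    """Return findings; an empty list means the prerequisites and list rules hold."""
    global_cmds, lines = parse_config(text)
    findings = []
    if "aaa new-model" not in global_cmds:
        findings.append("AAA services not enabled ('aaa new-model' missing)")
    if not any(c.startswith("aaa authentication ") for c in global_cmds):
        findings.append("no AAA authentication: authorization relies on its output")
    if not any(c.startswith(SERVER_PREFIXES) for c in global_cmds):
        findings.append("no RADIUS/TACACS+ security server defined")
    defined = [m.groups() for m in map(LIST_RE.match, global_cmds) if m]
    for atype in AUTHZ_TYPES:  # no list for a type means no authorization of that type
        if not any(a.split()[0] == atype for a, _ in defined):
            findings.append(f"no authorization list for type '{atype}'")
    for atype, name in defined:  # default lists apply everywhere automatically;
        if name == "default" or atype.split()[0] not in ("exec", "commands"):
            continue  # network lists are applied on interfaces, not checked here
        if not any(f"authorization {atype} {name}" in cmds for cmds in lines.values()):
            findings.append(f"named list '{name}' ({atype}) is not applied to any line")
    return findings
```

Removing the `authorization commands 15 ADMIN-CMDS` line under `line vty 0 4` in the sample reproduces the common mistake the guide warns about: the named list is defined but never invoked.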
The RADIUS and TACACS+ security servers, as described in Section 4.6.4, use attribute-value pairs to define a user's rights. Authorization works by creating a list of attributes that describe what the user is allowed to do. Once a user logs in and has been identified by authentication, the security server database is used to control access to the various network components and services as defined by the stored attributes. For more information about configuring authorization using AAA, refer to the "Configuring Authorization" chapter in the Security Configuration Guide.

Accounting

AAA accounting is used for logging and tracking the activities of users (people or other network components) using a network resource. These logs can be used for network management, security analysis, resource usage tracking, and reporting.