Router Security Configuration Guide
UNCLASSIFIED
146
Version 1.0g
Important: when AAA is turned on, authentication will by default use the local database on all lines. To avoid being locked out of the router, make sure you add an administrator account to the local username database before enabling AAA authentication.
Do not use the aaa authentication enable default command, since the security server pass phrase is stored in the clear and only the enable secret is well protected. Use the enable secret password to protect all higher privilege levels.
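As an added illustration (not part of the guide), the following Python audit applies the three cautions above to the text of a saved IOS configuration: a local username must exist when aaa new-model is set, an enable secret must be present, and aaa authentication enable default must not appear. The two configurations are constructed samples with placeholder hashes; the hostname Central is borrowed from the guide's examples.

```python
import re

# Constructed sample: violates all three cautions (hypothetical config).
WEAK_CONFIG = """\
hostname Central
aaa new-model
aaa authentication login default radius
aaa authentication enable default radius enable
line vty 0 4
 login authentication default
"""

# Constructed sample with the cautions applied; hashes are placeholders.
FIXED_CONFIG = """\
hostname Central
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
username admin privilege 15 secret 5 $1$PLACEHOLDER$yyyyyyyyyyyyyyyyyyyyyy
aaa new-model
aaa authentication login default radius local
line vty 0 4
 login authentication default
"""


def audit_aaa_config(config: str) -> list[str]:
    """Return findings for the lockout and enable-secret cautions.

    An empty list means the configuration passes.  Only presence is
    checked: a saved configuration does not preserve the order in
    which commands were typed, so the "add the account before
    enabling AAA" rule can only be verified at entry time.
    """
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings = []
    aaa_enabled = any(ln == "aaa new-model" for ln in lines)
    has_local_user = any(re.match(r"username \S+", ln) for ln in lines)
    if aaa_enabled and not has_local_user:
        findings.append("aaa new-model set but no local username: lockout risk")
    if not any(ln.startswith("enable secret ") for ln in lines):
        findings.append("no enable secret: privileged level not protected")
    if any(ln.startswith("aaa authentication enable default") for ln in lines):
        findings.append("aaa authentication enable default in use: server pass phrase stored in the clear")
    return findings
```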
Authorization
The commands used for AAA authorization are:
§ aaa authorization {network | exec | commands level | reverse-access} {default | list-name} method-list turns on AAA authorization for the specified type and designates the order in which authorization methods will be applied.
§ aaa authorization config-commands tells the router to do authorization on all configuration commands (this is the default mode set by the aaa authorization commands level command). The no form of this command will turn off authorization on configuration commands in EXEC mode.
§ (line): authorization {arap | commands level | exec | reverse-access} {default | list-name} applies a specific authorization type to a line (note: arap is part of the network authorization type).
Of the four authorization types, exec and command apply to router access control and are applied to lines; the other two (network and reverse-access) primarily deal with dial-in and dial-out access control and are applied to interfaces. Another network type, arap, is also applied to lines, and will not be covered. This section concentrates on exec and command authorization; section 4.6.3 on Dial-In Users overviews network and reverse-access authorization.
AAA authorization is currently of limited use for controlling access to routers beyond the standard authentication mechanisms. There are two primary scenarios where authorization is useful. First, if the router is used for dial-in access, authorization is useful for controlling who can access network services, etc., and who can access and configure the router. Second, authorization can control different administrators who have access to different privilege levels on the router.
Scenario 1: Router with dial-in users, authorization configuration for controlling access to the router:
Central(config)# aaa authorization exec default radius
Central(config)# aaa authorization network default radius