Router Security Configuration Guide UNCLASSIFIED 146 UNCLASSIFIED Version 1.0g

Important: when AAA is turned on, authentication will by default use the local database on all lines. To avoid being locked out of the router, make sure you add an administrator account to the local username database before enabling AAA authentication. Do not use the aaa authentication enable default command, since the security server pass phrase is stored in the clear and only the enable secret is well protected. Use the enable secret password to protect all higher privilege levels.

Authorization

The commands used for AAA authorization are:

§ aaa authorization {network | exec | commands level | reverse-access} {default | list-name} method-list turns on AAA authorization for the specified type and designates the order in which authorization methods will be applied.

§ aaa authorization config-commands tells the router to perform authorization on all configuration commands (this is the default mode set by the aaa authorization commands level command). The no form of this command turns off authorization of configuration commands in EXEC mode.

§ (line): authorization {arap | commands level | exec | reverse-access} {default | list-name} applies a specific authorization type to a line (note: arap is part of the network authorization type).

Of the four authorization types, exec and commands apply to router access control and are applied to lines; the other two (network and reverse-access) primarily deal with dial-in and dial-out access control and are applied to interfaces. Another network type, arap, is also applied to lines and will not be covered. This section concentrates on exec and commands authorization; Section 4.6.3 on Dial-In Users gives an overview of network and reverse-access authorization.

AAA authorization is currently of limited use for controlling access to routers beyond the standard authentication mechanisms. There are two primary scenarios where authorization is useful. First, if the router is used for dial-in access, authorization is useful for controlling who can access network services, etc., and who can access and configure the router. Second, authorization can distinguish between administrators who are allowed access to different privilege levels on the router.

Scenario 1 – Router with dial-in users, authorization configuration for controlling access to the router:

    Central(config)# aaa authorization exec default radius
    Central(config)# aaa authorization network default radius
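The following script is an added example, not part of the guide: it audits a Cisco IOS configuration excerpt for the pitfalls described above (AAA enabled with no local administrator account, aaa authentication enable default pointed at a security server, and no enable secret). The sample configuration and the function name audit_aaa are constructed for this example.

```python
# Added example (not from the guide): audit a Cisco IOS config excerpt
# for the AAA pitfalls described in the text.  The sample config is
# constructed and deliberately trips every check.
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default radius local
aaa authentication enable default radius enable
aaa authorization exec default radius
aaa authorization network default radius
enable password cisco123
"""

# Methods that query a security server rather than the router itself.
SERVER_METHODS = {"radius", "tacacs+", "group"}


def audit_aaa(config: str) -> list[str]:
    """Return one finding per pitfall found; an empty list means none found."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # 1. AAA turned on without a local username: lockout risk.
    aaa_on = "aaa new-model" in lines
    local_admin = any(re.match(r"username \S+ .*\b(secret|password)\b", ln) for ln in lines)
    if aaa_on and not local_admin:
        findings.append("lockout risk: AAA is enabled but no local username exists; "
                        "add an administrator account to the local database first")

    # 2. Enable-mode authentication delegated to a security server.
    for ln in lines:
        m = re.match(r"aaa authentication enable default (.+)", ln)
        if m and SERVER_METHODS & set(m.group(1).split()):
            findings.append("'aaa authentication enable default' queries a security server; "
                            "the pass phrase is stored in the clear, use enable secret instead")

    # 3. Higher privilege levels not protected by an enable secret.
    if not any(ln.startswith("enable secret ") for ln in lines):
        weak = any(ln.startswith("enable password ") for ln in lines)
        findings.append("no 'enable secret' configured; higher privilege levels are not protected"
                        + (" (only 'enable password', which is weakly protected)" if weak else ""))
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print("-", finding)
```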