UNCLASSIFIED  Implementing Security on Cisco Routers  Version 1.0g  UNCLASSIFIED  147

Scenario 2 – Router with two levels of users (exec and privileged exec)

    Central(config)# aaa authorization exec default radius
    Central(config)# aaa authorization commands 15 default radius

In both scenarios there was no need to apply the authorization method lists to lines, because they use the default lists. For scenario 1 there would be additional considerations, as described in the Dial-In Users section. In scenario 2, exec is used to control all access to exec shells on the router, and commands 15 is used to control access to privilege level 15 for a more restrictive set of administrators.

The router commands turn on the checks that query the security server, but the actual mapping from user to authorized privilege occurs on the security server. RADIUS and TACACS+ authorization both define specific rights for users by processing attributes, which are stored in a database on the security server. For both RADIUS and TACACS+, attributes are defined on the security server, associated with the user, and sent to the network access server, where they are applied to the user's connection. For a list of supported RADIUS attributes, refer to the "RADIUS Attributes" appendix. For a list of supported TACACS+ AV pairs, refer to the "TACACS+ Attribute-Value Pairs" appendix.

The local database is populated using the username command, but there are no useful parameters to set for access to the router from lines (the exception would be dial-in access). Important: do not use the username name privilege level command, since the password will be weakly protected. Protect higher levels on the router using the enable secret command (see Section 4.1). Also, in the examples above, if the RADIUS security server is not available no one will be able to get an exec shell, and in scenario 2 no one will be able to run privilege level 15 commands.
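As an added example (not code from the guide), the following Python script audits a constructed IOS running-config excerpt for the pitfalls described above: a username configured with a privilege level, enable password used without enable secret, and authorization lists whose only methods are RADIUS/TACACS+ servers, so that an unreachable server locks everyone out. It also flags authorization applied under line con 0, which the guide notes IOS ignores. Hostnames, usernames and password strings in the sample are constructed.

```python
import re
from typing import List

# Constructed sample running-config excerpt (hypothetical values, not real keys).
SAMPLE_CONFIG = """\
aaa authorization exec default radius
aaa authorization commands 15 default radius
aaa accounting exec default start-stop radius
username netops privilege 15 password 7 0822455D0A16
enable password cisco
line con 0
 authorization exec default
line vty 0 4
 authorization exec default
"""

AUTHZ_RE = re.compile(r"^aaa authorization (exec|commands \d+) (\S+) (.+)$")
USER_PRIV_RE = re.compile(r"^username (\S+) privilege (\d+)")
SERVER_METHODS = {"radius", "tacacs+"}

def is_server_only(method_list: str) -> bool:
    """True when every method is a RADIUS/TACACS+ server, i.e. no local fallback."""
    # Glue 'group <name>' into one token so a named server group counts as a server.
    tokens = method_list.replace("group ", "group:").split()
    return all(t in SERVER_METHODS or t.startswith("group:") for t in tokens)

def audit_aaa(config: str) -> List[str]:
    """Return one finding per AAA pitfall present in an IOS running-config."""
    findings: List[str] = []
    lines = config.splitlines()
    flat = [l.strip() for l in lines]
    if any(l.startswith("enable password") for l in flat) and not any(
            l.startswith("enable secret") for l in flat):
        findings.append("enable password without enable secret: privileged level weakly protected")
    section = None  # top-level 'line ...' block currently being read, if any
    for raw in lines:
        line = raw.strip()
        if not raw.startswith(" "):  # IOS indents line sub-commands by one space
            section = line if line.startswith("line ") else None
        m = USER_PRIV_RE.match(line)
        if m:  # the guide says not to use 'username ... privilege'
            findings.append(f"username {m.group(1)} privilege {m.group(2)}: password weakly protected")
        m = AUTHZ_RE.match(line)
        if m and is_server_only(m.group(3)):
            findings.append(f"authorization {m.group(1)} list {m.group(2)}: no fallback, "
                            "an unreachable server locks everyone out")
        if section and section.startswith("line con") and line.startswith("authorization"):
            findings.append(f"{section}: '{line}' is ignored, authorization never applies to console")
    return findings
```

Running audit_aaa(SAMPLE_CONFIG) yields five findings for the sample above; a config using an enable secret and a method list ending in a non-server method produces none.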
There is one very important exception to the authorization behaviour described above: AAA authorization does not apply to the console line. Even if a named method list is created and applied to the console line, authorization will be ignored.

Accounting

The commands used for AAA accounting are:

§ aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} method-list  turns on AAA's accounting services for the specified accounting type.

§ aaa accounting suppress null-username  prevents accounting records from being generated for those users who do not have usernames associated with them. (NULL usernames can occur because of accounting records on a protocol translation.)

§ aaa accounting update {newinfo | periodic number}  will allow administrators to specify when accounting records are sent to security