Cisco WS-C4003 Software Guide - Page 403
Understanding How Authorization Works, Authorization Overview
Chapter 27 Configuring Switch Access Using AAA

Understanding How Authorization Works

These sections describe how authorization works:

• Authorization Overview, page 27-49
• Authorization Events, page 27-49
• TACACS+ Primary Options and Fallback Options, page 27-49
• TACACS+ Command Authorization, page 27-50
• RADIUS Authorization, page 27-50

Authorization Overview

Your switch supports TACACS+ and RADIUS authorization to control access to the switch. Authorization limits access to specified users using a dynamically applied access list (or user profile) based on the username and password pair. The access list resides on the host running the TACACS+ or RADIUS server. The server responds to the user password information and applies the access list.

Authorization Events

You can enable TACACS+ authorization for the following:

• Commands - When the authorization feature is enabled for commands, the user must supply a valid username and password pair to execute certain commands. You can require authorization for all commands or for configuration (enable mode) commands only. When a user enters a command, the authorization server receives the command and user information and compares it against an access list. If the user is authorized to enter that command, the command is executed; otherwise, the command is not executed.
• EXEC mode (normal login) - When the authorization feature is enabled for EXEC mode, the user must supply a valid username and password pair to access the EXEC mode. Authorization is required only if you have enabled the authorization feature.
• Enable mode (privileged login) - When the authorization feature is enabled for enable mode, the user must supply a valid username and password pair to access enable mode. Authorization is required only if you have enabled the authorization feature for enable mode.

TACACS+ Primary Options and Fallback Options

You can specify the primary option and fallback option used in the authorization process. The following options and fallback options are available:

• tacacs+ - If you have been authenticated, and there is no response from the TACACS+ server, authorization succeeds immediately.
• if-authenticated - If you have been authenticated, and there is no response from the TACACS+ server, authorization succeeds immediately.
• none - Authorization succeeds if the TACACS+ server does not respond.
• deny - Authorization fails if the TACACS+ server fails to respond. Deny is a fallback option only. This is the default behavior.

78-12647-02 Software Configuration Guide-Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4 27-49
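The no-response behavior of the if-authenticated, none and deny fallback options listed above, modelled as an added example (not taken from the Cisco guide or from Cisco software). It assumes that a verdict from the TACACS+ server is final whenever one arrives; the Request fields and the sample requests are constructed for illustration.

```python
"""Model of the fallback options listed above (added example, not Cisco code)."""
from typing import NamedTuple, Optional

FALLBACKS = ("if-authenticated", "none", "deny")  # fallback values named on this page
DEFAULT_FALLBACK = "deny"                          # the page calls deny the default

class Request(NamedTuple):
    user: str
    event: str              # "commands", "exec" or "enable"
    authenticated: bool     # did the session pass authentication first?
    reply: Optional[bool]   # server verdict; None = no response from the server

def decide(req, fallback=DEFAULT_FALLBACK):
    """Return (granted, decided_by) for one authorization request."""
    if fallback not in FALLBACKS:
        raise ValueError(f"unknown fallback option: {fallback!r}")
    if req.reply is not None:
        # Assumption: when the server answers, its verdict is final.
        return req.reply, "server"
    if fallback == "if-authenticated":
        return req.authenticated, "fallback"
    if fallback == "none":
        return True, "fallback"
    return False, "fallback"   # deny: fail closed

def granted_without_server(requests, fallback=DEFAULT_FALLBACK):
    """Requests that were allowed although the server never ruled on them."""
    out = []
    for r in requests:
        granted, by = decide(r, fallback)
        if granted and by == "fallback":
            out.append(r)
    return out

# Constructed sample: the server answers the first two requests, then stops responding.
SAMPLE = [
    Request("alice", "exec", True, True),
    Request("bob", "commands", True, False),
    Request("alice", "enable", True, None),
    Request("bob", "commands", True, None),
    Request("guest", "exec", False, None),
]

if __name__ == "__main__":
    for fb in FALLBACKS:
        users = [f"{r.user}/{r.event}" for r in granted_without_server(SAMPLE, fb)]
        print(f"{fb:17} grants without a server decision: {users or 'none'}")
```

In the sample, bob's command is refused while the server answers but allowed under if-authenticated once it stops responding; only deny keeps every unanswered request closed.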