There is no local command authorization

Shahid wrote me an e-mail asking about local command authorization. He would like to perform it within the AAA model, but while AAA local authorization works, it only lets you specify the user's privilege level (and an autocommand), not individual commands (as you can on a TACACS+ server).

One of the reasons for this behavior is the difference between exec authorization (the authorization to start the interactive session, configured with aaa authorization exec) and command authorization (the authorization to execute a particular command, configured with aaa authorization commands). While the local method can be specified in the aaa authorization commands command, it's essentially a no-op (it always succeeds). Using the local method in aaa authorization commands is therefore only meaningful as a fallback: all commands are authorized if the router cannot contact a TACACS+ server.

You can use EEM applets, command privilege levels or parser views to limit the set of commands a user can execute on a router without using TACACS+ command authorization.
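The two configurations below are an added illustration, not configuration from the original post. The first shows the only meaningful use of the local method in aaa authorization commands (a fallback behind a TACACS+ server group), the second a router without TACACS+ that restricts a user to an explicit list of commands with a parser view. Server group name, addresses, secrets and usernames are placeholders.

```cisco
! --- Router A: TACACS+ command authorization with local fallback ---
! (placeholder values throughout; not the post's own configuration)
aaa new-model
enable secret ENABLE-SECRET-PLACEHOLDER
!
aaa group server tacacs+ TACACS-AAA-GROUP
 server-private 192.0.2.10 key TACACS-KEY-PLACEHOLDER
!
aaa authentication login default group TACACS-AAA-GROUP local
aaa authorization exec default group TACACS-AAA-GROUP local
!
! Per-command decisions are made only by the TACACS+ server. The trailing
! "local" is reached only when no server in the group answers; it then
! succeeds for every command, so a TACACS+ outage fails open, not closed.
! "if-authenticated" in place of "local" has the same fallback effect for
! any user who has already authenticated.
aaa authorization commands 1 default group TACACS-AAA-GROUP local
aaa authorization commands 15 default group TACACS-AAA-GROUP local
! Also send configuration-mode commands to command authorization
aaa authorization config-commands
!
! --- Router B: no TACACS+, command set limited with a parser view ---
aaa new-model
enable secret ENABLE-SECRET-PLACEHOLDER
aaa authentication login default local
! Local exec authorization is what places the user into the view at login
aaa authorization exec default local
!
! Views must be created from the root view ("enable view" with the enable
! secret). Only the listed exec commands are available inside the view.
parser view READONLY
 secret VIEW-SECRET-PLACEHOLDER
 commands exec include show clock
 commands exec include show interfaces
 commands exec include show ip route
!
username shahid view READONLY secret USER-SECRET-PLACEHOLDER
```

On Router B the user sees only the three show commands; anything else is rejected by the parser before any AAA method is consulted, which is exactly the per-command restriction the local method cannot provide. On Router A, verify the fallback behaviour deliberately (stop the TACACS+ server in a lab and confirm that all commands are permitted), because that fail-open state is the cost of the local fallback.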

This article is part of the You've asked for it series.

4 comments:

  1. So Ivan, there is no actual difference (besides the local auth function call) between
     "aaa authorization commands 1 default group TACACS-AAA-GROUP none" and
     "aaa authorization commands 1 default group TACACS-AAA-GROUP local"?

  2. @Tassos: It looks that way to me.

  3. Ibrahim Abo Zaid, 27 July, 2009 16:33

    As a comment for this: local authorization is used by the if-authenticated feature to grant authorization for all commands if TACACS isn't reachable after authentication.

  4. Hi Ivan/all,

    I've tried the example above using the following command on R1:
    "aaa authorization commands 1 default local".
    Now when I telnet from R2 to R1, which has the aaa command, and issue privilege level 1 commands like "show clns", "show aliases" or "show clock", it does not permit me to do so; instead it says
    "% Authorization failed."

    Do you think that it is the other way around? Instead of (always succeeds), it always fails!? Since a local database like the router's has no way to authorize each individual command (like TACACS+ does), or is there one?



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.