Re: AAA

From: Paul Stewart <pestewart_at_gmail.com>
Date: Sun, 23 May 2010 13:09:25 -0400

You CANNOT do local command authorization. You CAN do local exec
authorization. The difference is that with command authorization, the
user enters a command that their priv-lvl allows them access to. The
command is sent to the TACACS+ server as an authorization request. If
the associated user is granted access, author is permitted. If not,
author fails.

With exec authorization, we are assigning a priv-lvl to a user's
session. Commands can be moved between privilege levels in order to
meet requirements. Exec authorization can still be combined with
command authorization to add granularity. In that case, only commands
that are permitted by the priv-lvl will be sent to TACACS+ for command
authorization.

On May 23, 2010, at 10:02 AM, estela Mathew <estelamathew_at_gmail.com>
wrote:

> Hello friends,
>
> I want to do authorization for a user locally on the router. I don't
> have a TACACS or RADIUS. How can I achieve that?
>
> Suppose I enable
>
> aaa authorization exec 123 local,
>
> line vty 0 4
> authorization exec 123
>
> Which user will be authorized, and what commands fall in *exec* which
> will be authorized?
>
> The same if I do with
>
> aaa authorization commands 6 123 local
>
> aaa authorization config-commands
>
> What will I achieve by the above commands?
>
> I have read the AAA user guide but found no proper example for
> verification.
>
> Can anybody help me with a good book to clear up the concepts of AAA?

Received on Sun May 23 2010 - 13:09:25 ART
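
Added example, not part of the original messages: an IOS configuration
for the local exec authorization case described in the reply, where the
router's local user database assigns the session priv-lvl and selected
commands are moved to that level. The method-list name VTY-LOCAL, the
usernames, level 6 and the commands chosen are assumptions, and the
secrets are placeholders.

```cisco
! Added example; list name, usernames, level 6 and the moved commands
! are assumptions, not values from the thread.
aaa new-model
!
! Local user database. The privilege value on each username is what
! local exec authorization assigns to that user's session.
username netops privilege 6 secret <PLACEHOLDER-SECRET>
username admin privilege 15 secret <PLACEHOLDER-SECRET>
!
! Named method lists that consult only the local database
! (no TACACS+ or RADIUS server involved).
aaa authentication login VTY-LOCAL local
aaa authorization exec VTY-LOCAL local
!
! Move selected commands down to level 6 so that a level-6 session
! can run them. Everything left at level 15 stays out of reach.
privilege exec level 6 show running-config
privilege exec level 6 clear counters
privilege exec level 6 configure terminal
privilege configure level 6 interface
privilege interface level 6 shutdown
!
! Apply both lists to the vty lines. Without the exec authorization
! list here, the session starts at level 1 regardless of the
! privilege set on the username.
line vty 0 4
 login authentication VTY-LOCAL
 authorization exec VTY-LOCAL
!
! Verification, from a session logged in as netops:
!   show privilege
! and from an admin session while netops logs in:
!   debug aaa authorization
```

Keep a working level-15 login (console or the admin user) open while
testing, so a mistake in the method list does not lock you out of the
vty lines.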