Re: AAA

From: estela Mathew <estelamathew_at_gmail.com>
Date: Sun, 23 May 2010 23:32:24 +0400

Hello Friends,

What I understand from your above mail is:

That means the below commands:

aaa authorization exec 123 local, aaa authorization commands 6 123 local,
aaa authorization config-commands

will only be authorized when I set a particular user to a particular
privilege level. When I apply authorization on a line vty, for the users who
are telnetting and using an enable secret privilege level password of their
privilege, only those commands will be authorized.

To verify the authorization commands I have to log in at their privilege
level and I have to check for those commands which they are not permitted.
Am I correct?

*Please correct me if I am wrong.*

Suppose a user is violating his privilege level by typing unnecessary
commands for which he is not permitted: how can I trace that? I hope I have to
do accounting for them. What are the show commands with which I can see that
the user has violated certain commands for which he doesn't have permission?

Thanks

On Sun, May 23, 2010 at 9:09 PM, Paul Stewart <pestewart_at_gmail.com> wrote:

> You CANNOT do local command authorization. You CAN do local exec
> authorization. The difference is that with command authorization, the user
> enters a command that their priv-lvl allows them access to. The command is
> sent to the TACACS+ server as an authorization request. If the associated
> user is granted access, author is permitted. If not, author fails.
>
> With exec authorization, we are assigning a priv-lvl to a user's session.
> Commands can be moved between privilege levels in order to meet requirements.
> Exec authorization can still be combined with command authorization to add
> granularity. In that case, only commands that are permitted by the priv-lvl
> will be sent to TACACS+ for command authorization.
>
>
>
>
> On May 23, 2010, at 10:02 AM, estela Mathew <estelamathew_at_gmail.com>
> wrote:
>
>> Hello friends,
>>
>> I want to do authorization for a user locally on the router. I don't have
>> TACACS or RADIUS. How can I achieve that?
>>
>> Suppose I enable
>>
>> aaa authorization exec 123 local
>>
>> line vty 0 4
>> authorization exec 123
>>
>> Which user will be authorized and what commands fall in *exec* which will
>> be authorized?
>>
>> The same if I do with
>>
>> aaa authorization commands 6 123 local
>>
>> aaa authorization config-commands
>>
>> What will I achieve by the above commands?
>>
>> I have read the AAA user guide but found no proper example for verification.
>>
>> Can anybody help me with a good book to clear the concepts of AAA?

Received on Sun May 23 2010 - 23:32:24 ART
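
An added configuration example, not part of the original thread, showing the local exec authorization described in Paul Stewart's reply: a local user is assigned a privilege level at login and a few commands are moved to that level. The method-list name 123 is the one used in the thread; the user name, the password placeholder and the choice of level-6 commands are assumptions made for illustration.

```cisco
! Constructed example: local exec authorization with a custom privilege level.
aaa new-model
!
! Local user whose exec session is placed at privilege level 6.
! "operator6" and the password are placeholders, not values from the thread.
username operator6 privilege 6 secret <PLACEHOLDER-PASSWORD>
!
! Named method lists "123": authenticate and authorize the exec session
! against the local user database (no TACACS+ or RADIUS server involved).
aaa authentication login 123 local
aaa authorization exec 123 local
!
! No "aaa authorization commands" method list is configured here: per the
! reply in the thread, per-command authorization is a TACACS+ function and
! cannot be done with the local method.
!
! Granularity comes from moving commands to level 6 instead.
! The commands chosen below are illustrative.
privilege exec level 6 clear counters
privilege exec level 6 configure terminal
privilege configure level 6 interface
privilege interface level 6 shutdown
!
! Apply both method lists to the vty lines.
line vty 0 4
 login authentication 123
 authorization exec 123
!
! Verification, run from a telnet session logged in as operator6:
!   show privilege      reports the privilege level assigned to the session
!   clear counters      accepted, because it was moved to level 6
!   commands still at level 15 are rejected by the parser for this session
```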