Cisco Cisco 5760 Wireless LAN Controller Referências técnicas
• If-Authenticated — The user is allowed to access the requested function provided the user has been
authenticated successfully.
• Local— The router or access server consults its local database, as defined by the username command,
to authorize specific rights for users. Only a limited set of functions can be controlled through the local
database.
database.
• None — The network access server does not request authorization information; authorization is not
performed over this line or interface.
• RADIUS —The network access server requests authorization information from the RADIUS security
server group. RADIUS authorization defines specific rights for users by associating attributes, which
are stored in a database on the RADIUS server, with the appropriate user.
are stored in a database on the RADIUS server, with the appropriate user.
• TACACS+ — The network access server exchanges authorization information with the TACACS+
security daemon. TACACS+ authorization defines specific rights for users by associating attribute-value
(AV) pairs, which are stored in a database on the TACACS+ security server, with the appropriate user.
(AV) pairs, which are stored in a database on the TACACS+ security server, with the appropriate user.
Method lists are specific to the type of authorization being requested. AAA supports five different types of
authorization:
authorization:
• Commands — Applies to the EXEC mode commands a user issues. Command authorization attempts
authorization for all EXEC mode commands, including global configuration commands, associated with
a specific privilege level.
a specific privilege level.
• EXEC — Applies to the attributes associated with a user EXEC terminal session.
• Network — Applies to network connections. The network connections can include a PPP, SLIP, or ARA
connection.
You must configure the aaa authorization config-commands command to authorize
global configuration commands, including EXEC commands prepended by the do
command.
global configuration commands, including EXEC commands prepended by the do
command.
Note
• Reverse Access — Applies to reverse Telnet sessions.
• Configuration — Applies to the configuration downloaded from the AAA server.
When you create a named method list, you are defining a particular list of authorization methods for the
indicated authorization type.
indicated authorization type.
Once defined, the method lists must be applied to specific lines or interfaces before any of the defined methods
are performed.
are performed.
The authorization command causes a request packet containing a series of AV pairs to be sent to the RADIUS
or TACACS daemon as part of the authorization process. The daemon can do one of the following:
or TACACS daemon as part of the authorization process. The daemon can do one of the following:
• Accept the request as is.
• Make changes to the request.
• Refuse the request and authorization.
For a list of supported RADIUS attributes, see the module RADIUS Attributes. For a list of supported
TACACS+ AV pairs, see the module TACACS+ Attribute-Value Pairs.
TACACS+ AV pairs, see the module TACACS+ Attribute-Value Pairs.
Consolidated Platform Command Reference, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
350
OL-29471-01
aaa authorization