allowed to do. This is done using the aaa authorization command. These restrictions can be
applied to activities or services offered on the router.
available. The syntax is quite simple and declares which activity or service (network, exec,
command level, config-commands, and reverse-access) is being attempted and which method
of authorization is to be used (local, none, radius, tacacs+, or krb5). Example 12-5
demonstrates the syntax for AAA authorization.
declared for the list called "myfolk". The third line declares that if one of the logged in users
wants to gain access to the EXEC mode, TACACS+ is contacted to see if the user is allowed to
perform that function.
authorization to run level 1 and level 15 commands; the router IOS commands are either level 1
or level 15 commands. It is possible to change the level of each command on the router to allow
for a more controlled access environment for the users.
administrators. In addition, this level of control can be unnecessary for most installations. As
an example of this overhead, consider a common scenario in which AAA is set up so that
subadministrators can have access to configuration mode, but with the ability to use only a
subset of the commands. Although possible, the configuration on the router to change the level
for each command can become less than productive.
network-related service requests, that is, SLIP, PPP, and ARAP protocol.
Router(config)#aaa authentication login myfolk tacacs+ local
Router(config)#aaa authorization exec tacacs+ local
Router(config)#aaa authorization command 1 tacacs+ local
Router(config)#aaa authorization command 15 tacacs+ local