382 Chapter 12: Using AAA to Scale Access Control in an Expanding Network
· exec--This argument uses the check-how? method for authorization to determine if the user is allowed to create and run the router EXEC shell. If TACACS+ or RADIUS is being used, it is possible that the database could return autocommand information, such as a menu system, to the user.
· command level--This argument uses the check-how? method for authorization of all commands at the specified privilege level. The level can be set to values of 1-15.
· reverse-access--This argument uses the check-how? method for authorization of reverse access connections, such as reverse Telnet.
The check-how? arguments are the same as those used for authentication. check-how? simply points to where the authentication should be done. The check-how? arguments can be any of the following:
· tacacs+--In this argument, TACACS+ authorization is done by associating attribute-value (AV) pairs to individual users. The AV pair associates a function that the user is authorized to do. When a user attempts to do a do-what?, the TACACS database is checked.
· if-authenticated--In this argument, if the user has been authenticated, he or she is allowed to perform the function. Notice that we are not checking authorization, but whether the user is in the database and is valid.
· none--In this argument, the router does not request authorization information for the do-what?. Authorization is not performed and a query is not sent to the database.
· local--In this argument, the router or access server consults its local database, as defined by the username/password pairs that are configured in global configuration mode on the router.
· radius--In this argument, RADIUS authorization is done by associating attributes to a username on the RADIUS server. Each username and the associated attributes are stored within the RADIUS database.
· krb5-instance--In this argument, the router queries the Kerberos server for authorization. The authorizations are stored on the Kerberos server.
In general, authorization can be implemented in many ways. The issue is finding which database or resource has the AV pair, attribute, or map that provides the router with the answer to the authorization query.
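As an added configuration example (not taken from the book), here are the three authorization arguments above applied on a Cisco IOS router, written in the later IOS form that names the default method list and uses the group keyword rather than the shorter form shown in the text. The server address, shared key, and username are placeholders.

```cisco
! Added example, not from the book. Server address, key, and username are placeholders.
aaa new-model
!
! TACACS+ server the router queries for AV pairs (placeholder address and key)
tacacs-server host 192.0.2.10 key EXAMPLE-KEY
!
! Local account, consulted only when the "local" method is reached
username netadmin privilege 15 secret EXAMPLE-PASSWORD
!
! Login authentication list, so that the lines below have a user to authorize
aaa authentication login default group tacacs+ local
!
! exec: ask TACACS+ whether the user may start an EXEC shell (the server may
! return an autocommand such as a menu); use the local database if no server answers
aaa authorization exec default group tacacs+ local
!
! commands level: authorize every level-15 command against the user's TACACS+
! AV pairs, again falling back to the local username database
aaa authorization commands 15 default group tacacs+ local
!
! reverse-access: authorize reverse Telnet connections via TACACS+ only
aaa authorization reverse-access default group tacacs+
!
! Note: a later method in the list is tried only when the earlier one returns an
! error (for example, no TACACS+ server reachable), not when it returns a deny.
! Listing "none" as the last method would grant authorization whenever the
! server is unreachable, so keep it out of lists that guard privileged commands.
!
! Apply the default lists to the terminal lines
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
```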
AAA Accounting
AAA accounting can supply information concerning user activity back to the database. This
concept was especially helpful in the early days of Internet service when many ISPs offered 20
or 40 hours per week at a fixed cost and hourly or minute charges in excess of the specified
timeframe. Today it is much more common for the ISP charge to be set for an unlimited access