Authorization

Authorization occurs after authentication takes place. After a user successfully has authenticated, you can restrict what services and commands the user has access to. This section discusses how authorization works and how to configure it.

NOTE

Note that authorization is optional. You need to configure authorization only if you want to have more control over what people do on your router after they have authenticated.


Methods of Authorization

As with authentication, AAA's authorization can be used to restrict access to certain things. With authentication, I focus only on two: user and privileged EXEC access. Authorization is used to determine what resources the user has access to on the router. With AAA's authorization, the Cisco IOS can be used to restrict the following services:

  • Authentication proxy? Authentication proxy is used to open temporary holes in your router/firewall after a user successfully has authenticated. How much access the user is given is defined on the security server. This process is discussed in Chapter 14.

  • Commands? You can restrict what commands a user can execute on the router. The "Authorization Configuration" section of this chapter focuses on this concept.

  • EXEC? You can restrict EXEC access to the router. At first, this sounds confusing, but this method is used in dialup situations in which the user was authenticated through PPP's PAP or CHAP. You can use the EXEC method to restrict the user's access to an EXEC prompt.

  • Network? After a user has authenticated and gained EXEC access to the router, he can establish PPP or SLIP connections on dialup links, if these exist on the router. With authorization, you can restrict the use of these network connections. Because this primarily occurs on a dialup server, and we are using a router as a perimeter router/firewall, I do not cover the configuration of this method.

  • Reverse Telnet? After authentication, you can restrict a user from performing reverse Telnets. These are typically done on routers set up as terminal servers, with the router emulating console connections to various devices. Again, because this is not typically done on a perimeter router/firewall, I do not cover the configuration of this method.

For a specific authorization command, you can list up to four methods in your method list that define how authorization should occur. For example, your first method could be to use a RADIUS server, and the second method could be to use the local username database. As with authentication, many authorization methods are available to you, as discussed next in the configuration section.

Authorization Configuration

To set up authorization, you first need to perform the following steps:

Step 1. Enable AAA with the aaa new-model command.

Step 2. If you are using an AAA security server, set up its connection with the tacacs-server and radius-server commands.

Step 3. Configure your authentication methods with the aaa authentication command(s).

When you have completed these three steps, you are ready to set up AAA authorization.

NOTE

Actually, before you set up command authorization, you need to set up your commands and their restrictions. I briefly discussed this in Chapter 3 for using the privilege command. However, in most instances, you will be doing this on your AAA server. The configuration of command authorization on an AAA server is beyond the scope of this book.


Executing Commands

If you are concerned about what commands are executed on your perimeter router/firewall, you can use AAA authorization to restrict what commands the user can execute. To set up command authorization, use the following configuration syntax:






Router(config)# aaa authorization commands level_#

  {default | list_name} [method1 [method2...]]

Router(config)# line [aux | console | tty | vty] start_line_# [end_line_#]

Router(config-line)# authorization commands level_#

  {default | list_name}


With the aaa authorization command, you can choose from many authorization methods. However, this chapter focuses on only one: commands that you can execute (commands). With the commands parameter, you must specify which command level (0?15) you want to set up authorization for. Following this, you specify what scope the authorization command has. With command authorization, you specify default or an authorization list name. A list name typically is given if you are setting up other types of authorization, such as a default one, and one for users accessing a specific line on the router. Following the default parameter is the list of authorization methods (how authorization should be performed). Table 5-3 lists the authorization parameters for your method list.

Table 5-3. AAA Authorization Methods

Method Keyword

Description

local

The username commands are used to perform authorization.

none

No authorization is performed. This parameter is typically not used.

group radius

All configured RADIUS servers can be used to perform authorization.

group tacacs+

All configured TACACS+ servers can be used to perform authorization.

group group_name

Only servers in the specified aaa group server command are used to perform authorization.


If you want to control on a per-line basis what does or does not get authorized, you can use the authorization command in line subconfiguration mode. For example, you might want to enforce authorization on commands for all remote users (VTY lines), but disable this function for an administrator accessing the router through the console port.

Executing Configuration Commands

When using the aaa authorization commands command, AAA is used to check whether a user can execute any command on a router in user and privileged EXEC mode, as well as configuration mode. This might cause problems in some cases, especially with global configuration mode, in which the same command appears at both global configuration mode and privileged EXEC mode. You can disable authorization for all configuration mode commands with the following command:






Router(config)# no aaa authorization config-commands


Authorization Troubleshooting

You use one basic command for troubleshooting AAA authorization problems: debug aaa authorization. Example 5-7 displays a sample of this command.

Example 5-7. Using the debug aaa authorization Command

Router# debug aaa authorization

2:23:21: AAA/AUTHOR (0): user='admin1'                            (1)

2:23:21: AAA/AUTHOR (0): send AV service=shell                    (2)

2:23:21: AAA/AUTHOR (0): send AV cmd*                             (3)

2:23:21: AAA/AUTHOR (342885561): Method=TACACS+                   (4)

2:23:21: AAA/AUTHOR/TAC+ (342885561): user=admin1                 (5)

2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV service=shell

2:23:21: AAA/AUTHOR/TAC+ (342885561): send AV cmd*

2:23:21: AAA/AUTHOR (342885561): Post authorization status = FAIL (6)


The following is an explanation of Example 5-7. The numbers on the right side of Example 5-7 correspond to the numbers in the following list:

  1. The user, admin1, is attempting to do something that requires authorization.

  2. In this example, the user is attempting to gain an EXEC shell.

  3. The cmd parameter specifies a command that the user is trying to execute. If it lists *, this refers to plain EXEC access.

  4. The method used to authorize this access is TACACS+.

  5. The router sends the necessary information through TACACS+ to the security server.

  6. The security server verifies the authorization, determines that the user is not authorized to perform this function, and sends back a FAIL message.

Authorization Example

Now take a look at an example that uses authorization. I build upon Example 5-6 in the "Authentication Example" section. Here, I just list the authorization commands. In this example, I want to set up authorization for all privileged EXEC and configuration mode commands. Example 5-8 shows the configuration.

Example 5-8. Adding Authorization to the Example AAA Configuration

Router(config)# aaa authorization commands 15 default

  group aaatacgroup

Router(config)# aaa authorization commands 15 conauthor

  group aaatacgroup none

Router(config)# line console 0

Router(config-line)# authorization commands 15 conauthor


In this example, the first aaa authorization command defines a default method of authorization for all privileged EXEC and configuration mode commands; the AAA server group called aaatacgroup performs the authorization. If all the servers in the group are not reachable, the administrator's command on the router is denied. To allow an administrator to execute commands in an emergency situation, the second aaa authorization command specifies that the aaatacgroup server group should be used if the servers are reachable; if they are not reachable, no authorization is to be performed. This second command is assigned an authorization name of conauthor. Notice that there is a restriction with this command: It is activated only on the console interface. Therefore, if the AAA servers are not reachable, you still can manage the perimeter router through its console port.

CAUTION

When using authorization to determine whether a user can or cannot execute commands, you should be aware of this issue: Before the user is allowed to execute a command with AAA authorization and an external security server, the Cisco IOS sends the authorization request to the security server, the security server validates the authorization request, and the security server sends back a response. As an administrator trying to execute a command while this is going on, you will notice a slight delay during this process for each command that you execute.

Also, you will want to make sure that, in a worst-case situation, you can execute any command from the console port. Therefore, if you are using an external AAA server for authorization, make sure that you have a second method, such as local, listed (and possibly a third, none). If you are using none as a method and want extra protection, you might want to enable accounting to keep track of the commands that your administrators execute on your perimeter router.


TIP

In the previous example, I recommend configuring first the console authorization and then the default method, to prevent lockouts.