Configure the Authorization Function in the AAA Domain
After successful authentication, the AAA authorization function controls the rights of administrator users to device resources and the access of users to network resources. It prevents administrators from executing unauthorized commands and prevents access users from reaching unauthorized network resources.
Configuration Condition
Before configuring command line authorization in the domain, first enable the command line authorization function. Otherwise, the command line authorization configured in the domain does not take effect.
Configure the Authorization Method in the ISP Domain
When a user executes an authorization item in a specific ISP domain, AAA can authorize the user, grant the user certain rights, and prohibit unauthorized users from executing the authorization item in the domain.
Table 11-4 Configure the authorization method list in the ISP domain
| Step | Command | Description |
|---|---|---|
| Enter the global configuration mode | configure terminal | - |
| Enter the ISP domain view | domain isp-name | Mandatory. By default, the system has one ISP domain named system. |
| Configure the default authorization method in the ISP domain | aaa authorization default { if-authenticated / local / none / radius-group group-name / tacacs-group group-name } | Optional. By default, the authorization method in the ISP domain is none. |
| Configure the commands authorization method in the ISP domain | aaa authorization commands cmd-lvl { if-authenticated / none / radius-group group-name / tacacs-group group-name } | Optional. By default, no commands authorization method is configured in the ISP domain, and the authorization method in the domain is none. The command authorization function must be enabled so that the configuration can take effect. |
| Configure the authorization method of the user logging into the device in the ISP domain | aaa authorization login { if-authenticated / local / none / radius-group group-name / tacacs-group group-name } | Optional. By default, no login authorization method is configured in the ISP domain, and the default authorization method in the domain is used. |
The aaa authorization commands and aaa authorization config-commands commands can be configured in any order.
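Because every default in Table 11-4 resolves to none, a configuration review should compute the effective method for each domain rather than read only the lines that are present. The following is an added example, not vendor code: a Python check that applies the table's defaults to a saved configuration. The indented running-config layout, the group name TAC1 and the level 15 are assumptions made for the sample.

```python
import re

# Assumption: running-config shows "domain <name>" at column 0 with that
# domain's settings indented beneath it. Defaults are those in Table 11-4.
AUTHZ_RE = re.compile(
    r"aaa authorization (default|login|commands (\d+)) (\S+)(?: (\S+))?$")

SAMPLE = """\
domain system
 aaa authorization login tacacs-group TAC1
 aaa authorization commands 15 tacacs-group TAC1
domain guest
 aaa authorization commands 15 none
domain branch
 aaa authorization default local
"""  # constructed sample; TAC1 and level 15 are made-up values


def parse_domains(text):
    """Map each ISP domain to the authorization methods configured in it."""
    domains, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw.startswith("domain "):
            cur = domains.setdefault(line.split()[1], {"commands": {}})
        elif not raw[0].isspace():
            cur = None  # back at top level, outside any domain view
        elif cur is not None and (m := AUTHZ_RE.match(line)):
            method = " ".join(g for g in m.group(3, 4) if g)
            if m.group(2):
                cur["commands"][int(m.group(2))] = method
            else:
                cur[m.group(1)] = method
    return domains


def audit(text):
    """Return (domain, item) pairs whose effective authorization is none."""
    findings = []
    for name, cfg in parse_domains(text).items():
        default = cfg.get("default", "none")      # domain default is none
        if cfg.get("login", default) == "none":   # login inherits default
            findings.append((name, "login"))
        if all(m == "none" for m in cfg["commands"].values()):
            findings.append((name, "commands"))   # unset levels are none
    return findings
```

The check does not verify that the command authorization function itself is enabled, because the command that enables it is not shown in this section.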