Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
aaa authorization
SR-10
Cisco IOS XR System Security Command Reference
Use the aaa authorization command to create method lists defining specific authorization methods that
can be used on a per-line or per-interface basis. You can specify up to four methods in the method list.
Note The command authorization mentioned here applies to the one performed byan external AAA server and
not for task-based authorization.
Method lists for authorization define the ways authorization will be performedand the sequence in which
these methods will be performed. A method list is a named list describing the authorization methods to
be used (such as TACACS+), in sequence. Method lists enable you to designate one or more security
protocols to be used for authorization, thus ensuring a backup system in case the initial method fails.
Cisco IOS XR software uses the first method listed to authorize users for specific network services; if
that method fails to respond, Cisco IOS XR software selects the next method listed in the method list.
This process continues until there is successful communication with a listed authorization method or
until all methods defined have been exhausted.
Note Cisco IOS XR software attempts authorization with the next listed method only when there is no
response (not a failure) from the previous method. If authorization fails at any point in this
cycle—meaning that the security server or local username database responds by denying the user
services—the authorization process stops and no other authorization methods are attempted.
The Cisco IOS XR software supports the following methods for authorization:
• none—The router does not request authorization information; authorization is not performed over
this line or interface.
• local—Use local database for authorization.
• group tacacs+—Use the list of all configured TACACS+ servers for authorization.
• group radius—Use the list of all configured RADIUS servers for authorization.
• group group-name—Uses a named subset of TACACS+ or RADIUS servers for authorization.
Method lists are specific to the type of authorization being requested. The Cisco IOS XR software
supports three types of AAA authorization:
• Commands authorization: Applies to the EXEC mode commands a user issues. Command
authorization attempts authorization for all EXEC mode commands.
Note “Command” authorization is distinct from “task-based” authorization, which is based on the task profile
established during authentication.
• EXEC authorization: Applies authorization for starting an EXEC session.
• Network authorization: Applies authorization for network services, such as IKE.
When you create a named method list, you are defining a particular list of authorization methods for the
indicated authorization type. When defined, method lists must be applied to specific lines or interfaces
before any of the defined methods are performed.
Task ID Task ID Operations
aaa read, write