Header
Home | Set as homepage | Add to favorites
  Search the Site     » Advanced Search
Sections
Syndication


Blogroll:

||||| ALL Cisco-Network ARTICLES |||||  
CCIE Journey,
The CCIE Journey,

Home : CCSP-Cisco Certified Security Professional : Enable Authorization Proxy (auth-proxy) for AAA

Enable Authorization Proxy (auth-proxy) for AAA

Sep 17,2009 by alperen

small font medium font large font
image

Enable Authorization Proxy (auth-proxy) for AAA

To configure AAA authorization to all proxy authentications, use the global configuration mode command aaa authorization to enable authorization and to create a method list, defining authorization methods that can be used when a user accesses the specified function.

In Chapter 3, you learned a method list is simply a list describing the authorization methods to be queried (such as RADIUS or TACACS+), in sequence. Method lists enable one or more security protocols to be used for authorization, thus ensuring a backup system if the initial method fails.

Use the auth-proxy option of the global configuration command aaa authorization to set parameters for proxy authentications. Use the no form of this command to disable AAA authentication proxy. The general syntax of the command is

Rtr1(config)#aaa authorization {authorization-type} {default | list-name} method1 [method2. . .]
Rtr1(config)#no aaa authorization {authorization-type}

The AAA authorization types include the following:

Rtr1(config)#aaa authorization {network | exec | commands level| reverse-access
| configuration | config-commands | auth-proxy | ipmobile}
 {default | list-name} method1 [method2. . .]

The authorization proxy feature uses the auth-proxy keyword. Unlike other AAA authorization options, this one requires the keyword default, not allowing the creation of a named list. Also, this feature only allows three method options: group tacacas+, group radius, and group group-name. The actual syntax and choices include

Rtr1(config)#aaa authorization auth-proxy default method1 [method2. . .]

The proxy authentication feature only allows three method options: group tacacs+, group radius, and group group-name.

group tacacs+

Uses the list of all TACACS+ servers defined with the tacacs-server host command to provide authorization services. The servers are tried in sequential order from the top, first entered.

group radius

Uses the list of all RADIUS servers defined with the radius-server host command to provide authorization services. The servers are tried in sequential order from the top, first entered.

group group-name

Uses the list of specified TACACS+ or RADIUS servers defined with the aaa group server command to provide authorization services. The servers are tried in sequential order within the group from the top, first entered.

The following example uses TACACS+ servers for both login authentication and proxy authorization.

Rtr1(config)#aaa new-model 
Rtr1(config)#tacacs-server timeout 7
Rtr1(config)#tacacs-server key cisco-key
Rtr1(config)#tacacs-server host 192.168.1.4
Rtr1(config)#aaa authentication login default group tacacs+ local secret
Rtr1(config)#aaa authorization auth-proxy default group tacacs+

The following example uses RADIUS servers for both login authentication and proxy authorization.

Rtr1(config)#aaa new-model 
Rtr1(config)#radius-server timeout 7
Rtr1(config)#radius-server key cisco-key
Rtr1(config)#radius-server host 192.168.1.4
Rtr1(config)#aaa authentication login default group radius local secret
Rtr1(config)#aaa authorization auth-proxy default group radius

The following example uses the three TACACS+ servers used earlier and selects only two of them to be included in the server group.

Rtr1(config)#aaa new-model 
Rtr1(config)#tacacs-server timeout 7
Rtr1(config)#tacacs-server key cisco-key
Rtr1(config)#tacacs-server host tac-serv1
Rtr1(config)#tacacs-server host 192.168.1.4
Rtr1(config)#tacacs-server host 192.168.6.4 port 1500 timeout 3 key cisco9
Rtr1(config)#aaa group server tacacs+ tac-1
Rtr1(config-sg-tacacs+)#server tac-serv1
Rtr1(config-sg-tacacs+)#server 192.168.6.4
Rtr1(config)#aaa authentication login default group tac-1 local secret
Rtr1(config)#aaa authorization auth-proxy default group tac-1

856 times read

Related news
» Activate Authentication Proxy Accounting
by alperen posted on Sep 17,2009
» Implementing Authorization Method Lists
by alperen posted on Jul 14,2009
» Define AAA Group Server (Optional)
by alperen posted on Sep 17,2009
» Implementing Authentication Method Lists
by alperen posted on Jul 14,2009
» Define the Authorization Method Lists
by alperen posted on Jul 14,2009
Did you enjoy this article?
1 2 3 4 5
(total 0 votes)

comment Comments (0 posted) 

More Top News
CCSP-Cisco Certified Security Professional
arrow Cisco SAFE Implementation
arrow Preparation Documents
arrow Exam Topics
arrow Skills Required for the Exam
arrow Cisco SAFE Implementation Questions and Answers
arrow Access Control Lists Cisco
arrow Access List Basics
arrow Standard Access Lists
arrow Verifying ACLs
arrow Extended Access Lists
arrow TCP Access Lists
arrow UDP Access Lists
arrow ICMP Access Lists
arrow Named Access Lists
arrow Signature and Alarm Management Review
arrow Signature and Alarm Management Review Questions and Answers
arrow Event Viewer
arrow Managing Alarms
arrow Event Viewer Customization
arrow Preference Settings
arrow Sensor Installation
arrow Connecting to Your Network Sensor Appliance
arrow Sensor Bootstrap
arrow Sensor Installation and Configuration Review
arrow Sensor Installation and Configuration Questions and Answers
arrow Signature and Alarm Management
arrow CIDS Signatures
arrow Signature Series
arrow Signature Implementations
arrow Signature Classes
arrow Signature Types
arrow Signature Severity
Most Popular
Most Commented
Featured Author

admin

image
<| Cisco Articles | Maximum Learning | All Cisco-Network Study Notes | Privacy Policy |>
If you think you own the material being used without permission, contact alperenmad[at]hotmail.com. material will be removed from the site.