Enable Authorization Proxy (auth-proxy) for AAA

To configure AAA authorization to all proxy authentications, use the global configuration mode command aaa authorization to enable authorization and to create a method list, defining authorization methods that can be used when a user accesses the specified function.

In Chapter 3, you learned a method list is simply a list describing the authorization methods to be queried (such as RADIUS or TACACS+), in sequence. Method lists enable one or more security protocols to be used for authorization, thus ensuring a backup system if the initial method fails.

Use the auth-proxy option of the global configuration command aaa authorization to set parameters for proxy authentications. Use the no form of this command to disable AAA authentication proxy. The general syntax of the command is

Rtr1(config)#aaa authorization {authorization-type} {default | list-name} method1 [method2. . .]
Rtr1(config)#no aaa authorization {authorization-type}

The AAA authorization types include the following:

Rtr1(config)#aaa authorization {network | exec | commands level| reverse-access
| configuration | config-commands | auth-proxy | ipmobile}
{default | list-name} method1 [method2. . .]

The authorization proxy feature uses the auth-proxy keyword. Unlike other AAA authorization options, this one requires the keyword default, not allowing the creation of a named list. Also, this feature only allows three method options: group tacacas+, group radius, and group group-name. The actual syntax and choices include

Rtr1(config)#aaa authorization auth-proxy default method1 [method2. . .]

The proxy authentication feature only allows three method options: group tacacs+, group radius, and group group-name.

group tacacs+	Uses the list of all TACACS+ servers defined with the tacacs-server host command to provide authorization services. The servers are tried in sequential order from the top, first entered.
group radius	Uses the list of all RADIUS servers defined with the radius-server host command to provide authorization services. The servers are tried in sequential order from the top, first entered.
group group-name	Uses the list of specified TACACS+ or RADIUS servers defined with the aaa group server command to provide authorization services. The servers are tried in sequential order within the group from the top, first entered.

The following example uses TACACS+ servers for both login authentication and proxy authorization.

Rtr1(config)#aaa new-model 
Rtr1(config)#tacacs-server timeout 7
Rtr1(config)#tacacs-server key cisco-key
Rtr1(config)#tacacs-server host 192.168.1.4
Rtr1(config)#aaa authentication login default group tacacs+ local secret
Rtr1(config)#aaa authorization auth-proxy default group tacacs+

The following example uses RADIUS servers for both login authentication and proxy authorization.

Rtr1(config)#aaa new-model 
Rtr1(config)#radius-server timeout 7
Rtr1(config)#radius-server key cisco-key
Rtr1(config)#radius-server host 192.168.1.4
Rtr1(config)#aaa authentication login default group radius local secret
Rtr1(config)#aaa authorization auth-proxy default group radius

The following example uses the three TACACS+ servers used earlier and selects only two of them to be included in the server group.

Rtr1(config)#aaa new-model 
Rtr1(config)#tacacs-server timeout 7
Rtr1(config)#tacacs-server key cisco-key
Rtr1(config)#tacacs-server host tac-serv1
Rtr1(config)#tacacs-server host 192.168.1.4
Rtr1(config)#tacacs-server host 192.168.6.4 port 1500 timeout 3 key cisco9
Rtr1(config)#aaa group server tacacs+ tac-1
Rtr1(config-sg-tacacs+)#server tac-serv1
Rtr1(config-sg-tacacs+)#server 192.168.6.4
Rtr1(config)#aaa authentication login default group tac-1 local secret
Rtr1(config)#aaa authorization auth-proxy default group tac-1