AAA Authorization named authorization list

Ladies and Gents,
Your help will be greatly appreciated – I am currently studying CCNP Switch AAA configuration and I work with a tacacs+ server at work butI having difficulty getting my head around the below
Cisco.com extract below
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named "default"). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, local authorization takes place by default.
My question is how do you define the Named Method List i.e. the none-default method list?
I don't mean the cisco switch config but how the list is created, is this on the tacacs+ server and the referred to in the CLI?
Any help would be much appreciated as I have read over tons of documents and I can’t see how this is created
Thanks in advance
David

Hi David,
An example of a named AAA list might look something like this:
aaa authorization exec TacExec group AAASrv local
In the example above, I've created a AAA authorization list for controlling shell exec sessions called "TacExec", which will check the remote AAA servers in the group "AAASrv" first; if the device receives no response from the remote servers, it will then atempt to validate the credentials via the local user database. Please remember that a deny response from the AAA server is not the same as no reposonse, the device will only check the local user database if an only if it recieves nothing back from the TACACS query.
Of course, before you create this method list, you need to define the TACACS servers via the "tacacs-server" command, and then add those servers to the group via the "aaa group server" command.
Below is a cut and paste from the AAA section on one of my devices:
aaa new-model
ip tacacs source-interface
tacacs-server host 10.x.x.x key 7
tacacs-server host 10.x.x.y key 7
aaa group server tacacs+ TacSrvGrp
server 10.x.x.x
server 10.x.x.y
aaa authentication login default local
aaa authentication login TacLogin group TacSrvGrp local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local
aaa authorization exec TacAuth group TacSrvGrp local
aaa authorization commands 0 default local
aaa authorization commands 0 TacCommands0 group TacSrvGrp local
aaa authorization commands 1 default local
aaa authorization commands 1 TacCommands1 group TacSrvGrp local
aaa authorization commands 15 default local
aaa authorization commands 15 TacCommands15 group TacSrvGrp local
aaa accounting exec default start-stop group TacSrvGrp
aaa accounting commands 15 default start-stop group TacSrvGrp
aaa session-id common
Notice that for the various authentication and authorization parameters, there is a named method list as well as a default method list. As per Cisco's documentation, a aaa method list called default (that you explicitly define) will apply to all input methods (con, aux, vty, etc) unless you set a named method list on the particular input line (see below):
line con 0
exec-timeout 5 0
line aux 0
exec-timeout 5 0
line vty 0 4
exec-timeout 15 0
authorization commands 0 TacCommands0
authorization commands 1 TacCommands1
authorization commands 15 TacCommands15
authorization exec TacAuth
login authentication TacLogin
transport input ssh
For the console and aux inputs, I only ever want to use local credentials for AAA purposes (ie: If I have to connect on an out-of-band interface, something is potentially wrong with the network connectivity), however for the VTY lines (SSH sessions in this instance), I always want to use the TACACS servers first, with local user credentials as a fallback mechanism.
One thing you need to be VERY mindful of when configuring your devices for AAA is the order of the commands that are entered. It is a relatively simple matter to lock yourself out from the device management if you don't pay close attention to the specific order that the commands are entered. Typically, I will first do a "show user" just to find out which VTY line that I'm connected on, and when I assign the named AAA method lists to the VTY lines, I normally leave the line that I'm on at the default (local), then I open a second session to the device, authenticate using my TACACS credentials, and complete the config on the remaining VTY line.
Keep in mind that there are some other parameters that you can define at the tacacs-server level (timeout value is a good one to look at) which you can use to enhance the AAA performance somewhat.
Hope this helps!

Similar Messages

  • AAA issue ( command authorization failed)

    I am getting the issue, and following is the script , cannot find  and locate the cause of error !
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname hexxor
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$Y.Nt$aZ9/2rl2DMbEnSGJVqmln1
    enable password 7 0525112F05411F075231123E
    username hexxor password 7 024D2A103F26243363593D1C2B5C
    aaa new-model
    aaa authentication login T-AUTH group tacacs+ local
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
    aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
    aaa accounting exec T-ACC start-stop group tacacs+
    aaa accounting commands 15 T-ACC start-stop group tacacs+
    interface Vlan1
    no ip address
    interface Vlan50
    ip address 128.1.50.54 255.255.255.0
    no ip route-cache
    ip default-gateway 128.1.50.254
    no ip http server
    ip http secure-server
    ip sla enable reaction-alerts
    logging trap debugging
    logging 10.241.40.20
    logging 128.1.50.245
    access-list 1 permit 128.1.50.245
    snmp-server host 10.241.40.27 Armageddon
    snmp-server host 128.1.50.245 Armageddon
    tacacs-server host 10.241.40.22
    tacacs-server host 10.241.40.23
    tacacs-server directed-request
    tacacs-server key 7 020813480E052F2E4D
    line con 0
    exec-timeout 5 0
    password 7 1142374E2332201E2B3D1F210678
    authorization commands 15 T-AUTHOR
    authorization exec T-AUTHOR
    accounting commands 15 T-ACC
    accounting exec T-ACC
    login authentication T-AUTH
    transport preferred none
    line vty 0 4
    exec-timeout 5 0
    password 7 06281801684358174E231727
    authorization commands 15 T-AUTHOR
    authorization exec T-AUTHOR
    accounting commands 15 T-ACC
    accounting exec T-ACC
    login authentication T-AUTH
    transport input telnet
    transport output telnet
    line vty 5 15
    password 7 0228137B2F0B5E2F077A0C35
    end

    Based on what I think I understand in this reply it appears that the problem is caused in the named authorization method of T-AUTHOR. This named method sends an authorization request to the TACACS server. So it appears that the TACACS server is not authorizing the commands that you enter.
    I would suggest this as a first test:
    - login to the device.
    - go into enabl mode.
    - attempt the show run command. (I assume that it will fail)
    - check on the TACACS server. look in the logs for indications of how it processed the request and why it did not authorize it.
    If you want to do a second test to verify the cause of the problem then I would suggest this:
    - remove from the config these lines
    aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
    aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
    then login to the device, go into enable mode, attempt the show run command
    Try one or both of these tests and post back to tell us of the results.
    HTH
    Rick

  • Configuring aaa local command authorization

    i am a bit struggling with how to configure aaa local command authorization, i am not getting any material also for configuring it. Please tell me how to configure aaa local command authorization.. or possible give me some useful links for that..

    Hi,
    For aaa authorization command set.Kindly refer to link.
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_command_reference_chapter09186a00800ca5d4.html
    I hope this help.Please rate this post.
    cheers
    Sachin

  • HT1386 my computer is not synching to my ipod. I plug in my usb it says synching it then asks for my id and password. i enter it and it asks to either authorize, dont authorize or cancel. I click authorize and it saysmy computer is already authorized . sa

    my ipod is not synching. i plug in usb cable and it asks for id and password. i enter these and it then asks if i want to authorize, dont authorize or cancel. I click autorize it says synching ipod. then comes up that this computer is 2 of 5 that is authorized. However it is not updating any new playlists or purchasded material. I dont want to click dont authorize as I'm afraid I will lose music

    Delete them from your library including files, the go to the iTunes Store and select "Purchased" from the Quick Links side bar on the right. Go through all the tabs to download again for free

  • Where we check the authorization group & authorization object?

    Hi all,
    i have a  std program & tcode  like fb03 . now i want to know the authorization group & authorization object. so where we will check..?
    help me.
    thanks.
    Vipin

    Hi,
    Use transaction SU21 & SU22 for Auth Objects & Class

  • Convert named access list to line numbers

    I printed out a document months ago which has since then disappeared into my mountains of paperwork. Somewhere in that document listed a command that converted an extended, named access list to one with line numbers. I even recall that you could input the line interval into the conversion process (so lines would be 5,10,15 etc or 10,20,30 etc).
    I just upgraded a 6509, and I'm ready to put line numbers in my access list, and can't find the command - a new Cisco search is coming up empty. Can anyone recall what the command is?? Again, it's for converting an existing access-list with no line numbers to one with line numbers.
    Thank you!

    Hi Emily,
    I guess this is what you are looking for. I have not tried it my self but would like to test it out.
    1. enable
    2. configure terminal
    3. ip access-list resequence access-list-name starting-sequence-number increment
    4. ip access-list {standard | extended} access-list-name
    5. sequence-number permit source source-wildcard
    or
    sequence-number permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
    6. sequence-number deny source source-wildcard
    or
    sequence-number deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
    7. Repeat Step 5 and/or Step 6 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
    8. end
    9. show ip access-lists access-list-name
    This link should help :
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080134a60.html
    regards,
    -amit singh

  • ASDM versus CLI - named access-list etc

    I'm a CLI junkie now using ASDM v5.2(3) on ASA55x0. Where are the named access-lists I'm used to working with in PIX 6.3(x) CLI? I want to continue to create my named access-lists so I and my colleagues can continue to use our standard templates for configuration tasks. I'm not interested in the ones created automatically such as "access-list in_out-back_forth-UpDown-interfaceSomeWhere0.1". These only confuse my staff when trynig to complete config tasks.

    Adam - yes you are correct - strange that they have to be accessed via Split Tunnel Network List, but so be it. I can now create a named ACL with our standardized names, but how do I reference it by name later when applying to some policy?
    Typically one might have:
    access-list AllowInbound
    permit icmp any interface outside echo-reply
    permit icmp any interface outside unreachable
    permit icmp any interface outside time-exceeded
    access-group AllowInbound in interface outside
    Thx - Phil

  • Cant use named access list

    have have tried on 2 routers. 1803, and 2600 to use named access list, by typing access-list "extended" name, it will nto let me type this in, is there any reason why it wont let me do this ?

    Carl,
    The command is
    (config)#ip access-list extended [word]

  • Authorization to save lists in local files

    Hi,
    How to authorize a user to download (with the right click menu or Shift + F8) to save list in local file ?
    Thank in advance
    Best regards

    hm.
    try object:
    S_DATASET
    with values
    PROGRAM=SAPLSWT1
    ACTVT=34
    FILENAME=*
    Edited by: Mylene Euridice Dorias on Sep 30, 2009 1:36 PM
    when trying to download to Excel, an additional object occured: S_GUI with activity 04, 60 and 61

  • AAA authentication and authorization question

    Hi Everyone,
    I have a situation that is driving me crazy.
    I am using Cisco Freeware TACACS running on RedHat
    Enterprise Linux 3. I've modified the source code
    so that I can assign each individual users his/her
    own enable password. So far so good.
    I create two groups: group_A and group_S. group_A
    is for advanced users and group_S is for super
    users. Users that belong to group_A can have
    privilege level 15 but there are certain commands
    that they can not perform such as "write mem"
    or "reload". users that belong to group_S can do
    EVERYTHING.
    Here is my configuration on the TACACS configuration
    file:
    user = xyz {
    member = admin
    name = "User X"
    login = des 6.z8oIm9UGHo
    user = $xyz$ {
    member = admin
    name = "User X"
    login = des c2bUC43cmsac.
    user = abc {
    member = advanced
    name = "User abc"
    login = cleartext "cisco123"
    user = $abc$ {
    member = advanced
    name = "User abc"
    login = cleartext "cisco123"
    group = advanced {
    default service = deny
    cmd = show { permit .* }
    cmd = copy { permit flash }
    cmd = copy { permit running }
    cmd = ping { permit .* }
    cmd = configure { permit .* }
    cmd = enable { permit .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = disconnect { permit .* }
    cmd = where { permit .* }
    cmd = set { permit .* }
    cmd = clear { permit line }
    cmd = exit { permit .* }
    group = admin {
    default service = permit
    configuration of the router:
    aaa new-model
    aaa authentication login notac none
    aaa authentication login VTY group tacacs+ local
    aaa authentication login web local enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec notac none
    aaa authorization exec VTY group tacacs+ if-authenticated none
    aaa authorization commands 0 VTY group tacacs+ if-authenticated none
    aaa authorization commands 1 VTY group tacacs+ if-authenticated none
    aaa authorization commands 15 VTY group tacacs+ if-authenticated none
    aaa authorization network VTY group tacacs+ if-authenticated none
    aaa accounting exec TAC start-stop group tacacs+
    aaa accounting exec VTY start-stop group tacacs+
    aaa accounting commands 0 TAC start-stop group tacacs+
    aaa accounting commands 0 VTY start-stop group tacacs+
    aaa accounting commands 1 TAC start-stop group tacacs+
    aaa accounting commands 1 VTY start-stop group tacacs+
    aaa accounting commands 10 TAC start-stop group tacacs+
    aaa accounting commands 15 TAC start-stop group tacacs+
    aaa accounting commands 15 VTY start-stop group tacacs+
    aaa accounting network VTY start-stop group tacacs+
    aaa session-id common
    line vty 0 15
    exec-timeout 0 0
    authorization commands 0 VTY
    authorization commands 1 VTY
    authorization commands 15 VTY
    authorization exec VTY
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    login authentication VTY
    However, what I would like to do is to assign users
    in group_A the ability to go into "configuration t"
    but I do NOT want them to have the ability to peform
    "no tacacs-server host x.x.x.x key cisco". Furthermore,
    I would like to do everything via TACACS, I don't
    want configure "privilege level" on the router itself.
    Is that possible? Thanks.
    David

    Command Authorization Sets?Command authorization sets provide a centralized mechanism to manage TACACS+ administrative control. Driven by some of the largest enterprise and service provider networks that use Cisco Secure ACS, command authorization sets provide a method to group and name device command profiles that can be paired with users, groups of users, or network device groups. A key benefit of command authorization sets is the ability to remove any requirement of individual privilege level or command restrictions on each AAA client. This feature greatly enhances the scalability and manageability of setting device command authorization restrictions for network administrators.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_note09186a00800ada4c.html

  • Delete authorization for distribution list

    Hi,
    In our system all the distribution lists suddenly deleted and it was in the shared trash folder.
    so we retrived from the folder.
    To restrict the delete authorization of users for distribution lists  in the object S_OC_ROLE field OFFADMI ' Administrator' has been changed to ' '. But they were not able to create the the distribution list in the shared folder. they are able to create only in their private folder.
    Is there any way to restrict the delete authorization alone.
    Thanks,
    Suganya

    Hi Stef,
    Please try to add this authorisation object manually F_BKPF_BUK- Authorisation object for company code.
    In the filed BUKRS you can maintain the company code as you required for the users.
    I hope this may help you in resolving the issue.
    Thanks
    Karthick

  • Authorization relevant objects list

    Hello BI experts,
    I need to find out the Authorization relavant infobjects in the system. How can i do it. Is there a table where i can find this data or any transactin
    Thanks in advance
    BWer

    hi BWER,
       You want to see the authorisation relevent objects for perticuler system right.
    1. Go to RSSM tr code
    2.click the radio button Authorizations for several users there u have to enter ur lon-in Id name
    3.right hand side 1 spects symbol is there for disply-- click on it.
    It will show u all authorisation Infoobjects for u.
    Thanks & Regards,
    kiran

  • Customizing  authorization in task list

    I have some issue to configure the task list (tx SCMA) because the system landscape is maintained by two different administrator teams ( one for dev and qualification system and another for the production )
    Iu2019d like to have two different view on the same task list : one have access to all system and the other one with the production system only
    Is it possible ?

    It looks like the fields Project Manager and Approver Manager are Person type fields. These fields are not listed in List validation column settings. An alternative for you is to override SharePoint JavaScript function "PreSaveAction". You can
    use JavaScript code to comapre the values in these two fields and perform validation.
    Blog | SharePoint Learnings CodePlex Tools |
    Export Version History To Excel |
    Autocomplete Lookup Field

  • HR Authorization : Custom Authorization Object  for P_ORGIN

    Hi,
    I have created a Custom Authorization Object for HR named Z_ORIGIN (it has Personnel Subarea field BTRTL besides what's there in Auth. Object P_ORIGIN) and made it Check/Maintain for transaction PA30 in SU24.
    I can see the entries in the USOBT_C & USOBX_C tables for this object, I am also able to add this object in the roles as well.
    Everything looks fine, but when I execute the transaction the object Z_ORIGIN is never checked (for a user having this object in his/her User Master). Only P_ORIGIN object is checked instead.
    We've ran the report RPUACG00 also which is mentioned in this thread.
    We also coded the authority check code in the both user exit ZXPADU01 and ZXPADU02 for PA infotype operations
    but still it is taking the P_ORGIN object

    Online Help
    <a href="http://help.sap.com/saphelp_erp2005vp/helpdata/en/d9/64141c0774194593da29f3cb813f1b/frameset.htm">P_NNNNNCON (HR Master Data: Customer-Specific Authorization Object with Context)</a>

  • PDF files open blank; EPUB work OK; Authorize Computer & Authorization Info. do nothing

    Running ADE 2.0.1.78765 on Windows 7 Pro ...
    I can download ePUB and PDF files from my university library just fine;EPUB books workin just fine,  but the PDF files are completely blank EXCEPT for the contents list.
    The files are, by their size, clearly not blank ... there must be some security feature stopping me from reading them.
    Also, when I click Authorize Computer or Authorization Info. nothing happens.
    Same as when I press Ctrl+Shift+U or Ctrl+Shift+I.
    Help!!!

    Thanks for those tips.
    I have downloaded and installed the latest version and chosen to 'authorize' an Adobe ID.
    Behaviour remains the same. The ePUB version of the book downloads and works just fine; the PDF downloads and is blank aside from the contents pane.
    The reason I want the PDF to work is because it is paginated as per the hard copy book; the ePUB's pagination is variable and so useless for referencing.
    I see a lot of people have similar issues, invariably unsolved, so yet another pothole on the great Information Super Highway! Sigh.

Maybe you are looking for

  • Unable to populate the G/L account text ( description ) in drill down repor

    Hi We have developed the trial balance drill down report from FAGLFLEXT table under 0FL library for company code wise. The charecters are period,fiscal year  & Version and the key figures are HSL ( GLT0 table ). We are getting only the GL account num

  • Undo the "Erase iPhone" action in Find My iPhone

    My iPhone was stolen. Without even thinking about it I went to my computer, logged in to icloud.com and clicked to erase my iPhone in Find My iPhone. The service couldn't locate it because it was offline and it still is. But then I read that once my

  • Pdf import: making bkg NOT transparent

    I'm trying to place pdf pages in Keynote and parts of them are coming up transparent (most were created in Quark or Illustrator). Is there a way in Keynote to set the bkg color to white for the placed graphic? I know we can paste a white block or pag

  • Macbook Pro 2010 froze, now won't boot.

    Hey all, I have a Macbook Pro that i got in 2010.  It has been a great machine.  I have done a couple of upgrades on the ram and hard drive. For a while there were not any problems.  But last week my computer froze up, app by app, till the whole comp

  • SMART FORM FOR SU PRINTING

    hI FRIENDS,   i HAVE TO CREATE ONE SMART FORM WITH DRIVER PROGRAM FOR s (sTORAGE UNIT ) . CAN YOU HELP ME TO KNOW WHAT IS THE TCODE , OUTPUT TYPE, APPLICATION FOR THE sU PRINT ? pLEASE INFORM ME THE MASTER TABLES FOR sUAS WELL . tHANKS IN ADVANCE .