Category: Systems Operations

2008-05-21 17:04:26

Authorization
AAA authorization enables you to limit the services available to a user.
Named method lists for authorization.
Method lists for authorization define the way authorization will be performed
and the sequence in which these methods will be tried.
Method lists are specific to the authorization type requested:
auth-proxy -> applies a specific security policy on a per-user basis.
commands -> applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.
exec -> applies to the attributes associated with a user's terminal session.
network -> applies to network connections, including PPP, SLIP, or ARAP connections.
reverse-access -> applies to reverse Telnet sessions.
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type:
tacacs+ -> use TACACS+ for authorization.
if-authenticated -> if the user has authenticated successfully, the user is authorized.
none -> no authorization is performed.
local -> use the local database (entries defined with the username command) for authorization.
radius -> use RADIUS for authorization.
1. aaa authorization {auth-proxy | network | exec | commands level | reverse-access |
   configuration | ip mobile} {default | list-name} [method1 [method2...]]
// Creates an authorization method list for a particular authorization type and enables authorization.
2. line [aux | console | tty | vty] line-number [ending-line-number]

   interface interface-id
// Enters the line or interface to which you want to apply the authorization method list.
3. authorization {arap | commands level | exec | reverse-access} {default | list-name}

   ppp authorization {default | list-name}
// Applies the authorization list to the line or interface.

Turning off authorization (for configuration commands):
(config)# no aaa authorization config-commands
Authorization for reverse Telnet:
aaa authorization reverse-access method1 [method2...]

Named Method List Configuration Example:
This is configured on an AS5300, with AAA provided by a RADIUS server. If the RADIUS server fails and does not respond, the local database is queried for authentication and authorization information; accounting is handled by a TACACS+ server.
aaa new-model
aaa authentication login admins local
aaa authentication ppp dialins group radius local
aaa authorization network scoobee group radius local
aaa accounting network charley start-stop group radius

username root password alongpassword

radius-server host alcattaz
radius-server key myradiuspassword

interface group-async 1
 group-range 1 16
 encapsulation ppp
 ppp authentication chap dialins
 ppp authorization scoobee
 ppp accounting charley

line 1 16
 autoselect ppp
 autoselect during-login
 login authentication admins
 modem dialin

The authorization method list used here is called scoobee, and the authentication method list is dialins.
Accounting uses the method list called charley.
The autoselect ppp command configures the Cisco IOS software to allow a PPP session to start up automatically on the selected lines: it applies to the lines chosen with the line command, and lets PPP be detected on its own.

The following example shows how to allow network authorization using TACACS+:

aaa authorization network default group tacacs+

The following example shows how to provide the same authorization, but it also creates address pools called "mci" and "att":

aaa authorization network default group tacacs+
ip address-pool local
ip local-pool mci 172.16.0.1 172.16.0.255
ip local-pool att 172.17.0.1 172.17.0.255

RADIUS authorization example:
aaa new-model
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
radius-server host <ip-address>
radius-server key <shared-secret>
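As an added example (not from the original post or from Cisco's documentation), the following Python script parses aaa method-list lines like the ones above and reports the cases this page's method choices raise: a list that falls through to none, an authorization list that relies on if-authenticated, a list with no local fallback when the server is unreachable, and a named list that is defined but never applied to a line or interface. The sample configuration is constructed, modelled on the AS5300 example, with two extra lists added so there is something to report.

```python
import re
# Constructed sample modelled on the AS5300 example above (not from a real device), plus two weak lists.
SAMPLE_CONFIG = """aaa new-model
aaa authentication login admins local
aaa authentication ppp dialins group radius local
aaa authorization network scoobee group radius local
aaa authorization exec default group radius if-authenticated
aaa authorization commands 15 ops group tacacs+ none
aaa accounting network charley start-stop group radius
interface group-async 1
 ppp authentication chap dialins
 ppp authorization scoobee
 ppp accounting charley
line 1 16
 login authentication admins"""
AAA_RE = re.compile(r"^aaa (authentication|authorization|accounting) (\S+) (.*)$")

def parse_method_lists(config):
    """Return {(service, type, list-name): [method, ...]} for every aaa method list."""
    lists = {}
    for m in filter(None, (AAA_RE.match(l.strip()) for l in config.splitlines())):
        service, atype, tokens = m.group(1), m.group(2), m.group(3).split()
        if atype == "commands":        # 'aaa authorization commands <level> <name> ...'
            atype, tokens = f"commands {tokens[0]}", tokens[1:]
        name, tokens = tokens[0], tokens[1:]
        if service == "accounting":    # drop the record type (start-stop, stop-only, ...)
            tokens = tokens[1:]
        methods = []
        while tokens:                  # 'group radius' / 'group tacacs+' span two tokens
            take = 2 if tokens[0] == "group" else 1
            methods.append(" ".join(tokens[:take]))
            tokens = tokens[take:]
        lists[(service, atype, name)] = methods
    return lists

def audit(config):
    """Flag lists that fail open or lock out, and named lists never applied to a line/interface."""
    applied = "\n".join(l for l in config.splitlines() if not l.lstrip().startswith("aaa "))
    findings = []
    for (service, atype, name), methods in parse_method_lists(config).items():
        label = f"aaa {service} {atype} {name}"
        if "none" in methods:
            findings.append(f"{label}: 'none' grants access once the earlier methods fail")
        if service == "authorization" and "if-authenticated" in methods:
            findings.append(f"{label}: if-authenticated authorizes any authenticated user")
        if service != "accounting" and methods and all(m.startswith("group ") for m in methods):
            findings.append(f"{label}: no local fallback, a server outage locks everyone out")
        if name != "default" and not re.search(rf"\b{re.escape(name)}\b", applied):
            findings.append(f"{label}: named list is defined but never applied")
    return findings
```

Run audit(SAMPLE_CONFIG) to see the three findings for the constructed sample; the scoobee, dialins and charley lists pass because each has a local fallback (or is accounting) and is applied under the interface or line.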
