aaa authorization commands default
Syntax
aaa authorization commands default {none | group <GROUP-LIST>}
no aaa authorization commands default
Description
Defines authorization as being local RBAC (with the name none), or defines a sequence of remote AAA servers to be interrogated for authorization purposes.
The no form of this command removes any defined remote AAA server authorization sequence, returning the switch to local RBAC authorization only.
Command context
config
Parameters
local
Selects local RBAC authorization.
group <GROUP-LIST>
Specifies the list of remote AAA server group names. The predefined remote AAA group name tacacs is available. User-defined TACACS+ server group names may also be used. It is recommended to always include the special name none as the last name in the group list. If none is omitted, and no remote AAA server is reachable, authorization will not be possible.
Authority
Administrators
Usage
The remote AAA servers are accessed in the order that the group names are listed in this command. The servers within the groups are accessed in the order in which they are added to the group. Authorization is attempted only on the first reachable server.
TACACS+ server authorization considerations
Use caution when configuring authorization, as it has no fail through. If the switch is not configured properly, the switch might get into an unusable state in which all command execution is prohibited.
Make sure that all listed TACACS+ servers can authorize users for command execution.
Make sure that credential database changes are promptly synchronized across all TACACS+ servers.
Make sure none is included as the last name in the group list. If none is omitted, and no remote AAA server is reachable, authorization will not be possible. Although not recommended, if you choose to omit none from the list and are manipulating configuration files, special caution is necessary. If the source configuration includes tacacs authorization and you are copying configuration from an existing switch into the running configuration of a new switch, and you have not yet configured the interface or routing information to reach the AAA server, the switch will enter an unusable state, requiring a hard reboot. To avoid this situation, which can occur when none has been omitted, do either of the following:
In the configuration source, delete or comment out the line configuring authorization. Then, after the configuration copy and paste, manually configure authorization.
Move the line configuring the authorization to the end of the source configuration before copying and pasting.
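The following is an added example, not part of the switch documentation: a small pre-flight check, run against a saved configuration text before it is pasted into a new switch, that finds each aaa authorization commands default line, reports whether its group list ends with none, and applies the second mitigation above by moving any line that omits none to the end of the configuration. The sample configuration, the interface and address lines in it, and the regular expression are assumptions constructed for the example.

```python
import re

# Matches an AOS-CX "aaa authorization commands default ..." line (assumed format).
AUTHZ_RE = re.compile(r"^\s*aaa authorization commands default\s+(.*?)\s*$")

def parse_authorization_line(line):
    """Group list of an authorization line, or None for any other line."""
    m = AUTHZ_RE.match(line)
    if not m:
        return None
    rest = m.group(1)
    if rest == "none":          # bare "none": local RBAC only
        return ["none"]
    if rest.startswith("group "):
        return rest.split()[1:]  # e.g. ["tacacs_user1", "tacacs", "none"]
    return []                    # unrecognised form: no usable group list

def fail_through_ok(groups):
    """True when "none" is last, so local RBAC still works if no server answers."""
    return bool(groups) and groups[-1] == "none"

def check_config(text):
    """(line_no, groups, ok) for every authorization line in the config text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        groups = parse_authorization_line(line)
        if groups is not None:
            findings.append((no, groups, fail_through_ok(groups)))
    return findings

def defer_risky_authorization(text):
    """Move authorization lines that omit "none" to the end of the config so
    they are pasted after the interface/routing lines that reach the server."""
    keep, deferred = [], []
    for line in text.splitlines():
        groups = parse_authorization_line(line)
        if groups is not None and not fail_through_ok(groups):
            deferred.append(line)
        else:
            keep.append(line)
    return "\n".join(keep + deferred) + "\n"

# Constructed sample: authorization precedes the placeholder lines that reach the server.
SAMPLE = """\
hostname new-switch
aaa authorization commands default group tacacs_user1 tacacs
interface vlan 10
    ip address 192.0.2.2/24
"""
```

Running check_config(SAMPLE) flags line 2 as lacking fail-through, and defer_risky_authorization(SAMPLE) returns the same text with that line moved to the end.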
Examples
Defining an authorization sequence based on a user-defined TACACS+ server group, then the default TACACS+ server group, and finally (if needed), local RBAC authorization:
switch(config)# aaa authorization commands default group tacacs_user1 tacacs none
Enabling local RBAC authorization:
switch(config)# aaa authorization commands default none