aaa authorization

Required Command-Line Mode = Configure

Use the aaa authorization command to specify how externally logged-in users should be granted privileges on the GigaVUE‑OS node. You can map all external logins to a specific local account, use matching accounts in the local database, or reject external logins unless they have a matching account in the local database.

The aaa authorization command has the following syntax:

aaa authorization
   map
      default-user <<user> | admin | monitor | operator>
      order <<policy> | remote-only | remote-first | local-only>
   roles
      role <role name | Default> [description]

The following table describes the arguments for the aaa authorization command:

Argument

Description

map
default-user <<user> | admin | monitor | operator>

Specifies the account to which externally authenticated logins are mapped when map order is set to remote-first (if there is no matching local account) or local-only.

map
order <<policy> | remote-only | remote-first | local-only>

Specifies how externally authenticated logins (RADIUS, TACACS+, or LDAP) are mapped to local accounts, as follows:

remote-first—Maps externally authenticated logins in the following order:

a. Mapped to the matching local account name, if present.
b. If there is no matching local account, the local user mapping attribute provided by the AAA server is used.
c. If the local user mapping attribute is not present or does not specify a valid local user account, the account name specified by the map default-user argument is used.

This is the default.

remote-only—Maps externally authenticated logins in the following order:

a. Mapped to the matching local account name, if present.
b. If there is no matching local account, the local user mapping attribute provided by the AAA server is used.
c. If the local user mapping attribute is not present or does not specify a valid local user account, no further mapping is attempted.

local-only—Maps all externally authenticated logins to the user specified by the aaa authorization map default-user <user name> command.

role <role name | Default> [description]

Configures a role by name or Default and optionally adds a role description.
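
The map order rules above, modelled as an added Python example (not GigaVUE-OS code or vendor tooling) so you can check which local account, and therefore which privileges, an external login lands on under each setting. The function names, account names and sample logins are constructed for illustration.

```python
# Added illustration: models the documented "map order" rules only.
# Names and sample data are constructed, not taken from GigaVUE-OS.
ORDERS = ("remote-first", "remote-only", "local-only")
LOCAL_ACCOUNTS = {"admin", "monitor", "operator", "alice"}   # constructed
# (login name, local user mapping attribute sent by the AAA server)
SAMPLE_LOGINS = [("alice", None), ("bob", "operator"),
                 ("carol", None), ("dave", "nosuchuser")]     # constructed


def resolve_local_account(order, login, default_user,
                          mapped_attr=None, local_accounts=LOCAL_ACCOUNTS):
    """Return the local account a login maps to, or None if it is rejected."""
    if order not in ORDERS:
        raise ValueError(f"unknown map order: {order!r}")
    if order == "local-only":
        return default_user               # every external login is mapped here
    if login in local_accounts:           # step a: matching local account name
        return login
    if mapped_attr in local_accounts:     # step b: valid attribute from AAA server
        return mapped_attr
    # step c: the two orders differ only in this fallback
    return default_user if order == "remote-first" else None


def fallback_logins(order, default_user, logins=SAMPLE_LOGINS):
    """Logins that reach an account only through the default-user mapping."""
    hits = []
    for login, attr in logins:
        account = resolve_local_account(order, login, default_user, attr)
        if account is not None and account not in (login, attr):
            hits.append((login, account))
    return hits


if __name__ == "__main__":
    for order in ORDERS:
        print(order, fallback_logins(order, "admin"))
```

Under remote-first, a login that the AAA server authenticates but does not map to a valid local account (carol and dave in the sample) receives the default-user's privileges, so the default-user setting decides the access level of every unmapped external login.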

Related Commands

The following table summarizes other commands related to the aaa authorization command:

| Task | Command |
|------|---------|
| Displays general AAA settings. | # show aaa |
| Clears authorization user mapping default user settings. | (config) # no aaa authorization map default-user |
| Clears authorization user mapping order settings. | (config) # no aaa authorization map order |
| Deletes a role definition. | (config) # no aaa authorization roles role Default |
| Deletes a description from a role. | (config) # no aaa authorization roles role Default description |