AAA authorization lets you control the network services available to each user and helps restrict access to internal networks. Authorization also lets you specify which Cisco IOS commands a user can issue on specific network devices. It also lets mobile users connect to the closest local connection and still have the same access privileges they would have if they were directly connected to their local networks.
You can configure the network access server to control user access to the network so that users can perform only certain functions after successful authentication, such as controlling EXEC access. As with authentication, authorization can be used with either a local security database on the network access server or a remote security database, as shown in Figure 4-9. The figure also gives an example of authentication controlling network services, Cisco IOS command access, and access to specific networks. The remote security database can cause access lists configured in the network access server to be applied to the authenticated user.
Figure 4-9 Authorization Controls User Access to Networks and Network Services
Authorization works by assembling a set of attributes describing what a user is authorized to perform. The attributes are configured in either a local security database on the network access server or a remote security database. When the user wants to gain remote access to a system, the network access server determines and enforces the user's capabilities and restrictions by gathering authentication information from the database.
Authorization can be configured to run for all network-related service requests including IP, IPX, SLIP, PPP, Telnet, and ARAP. It can also be configured to determine whether the user is allowed to run an EXEC shell in a network access server and to specify permitted commands and EXEC privilege levels. Authorization can also be configured to control or restrict access to hosts on the network by using dynamically assigned access lists.
Cisco network access servers are configured to perform authorization by using the aaa authorization commands, which are covered in Chapters 5 and 6. CiscoSecure can also be configured to perform authorization tasks with network access servers. The group and per-user security policies determine how authorization is configured.