Authorization

The 7705 SAR supports local, RADIUS, and TACACS+ authorization to control the actions of specific users by applying a profile based on username and password configurations after network access is granted. The profiles are configured locally as well as on the RADIUS server as VSAs. See Vendor-Specific Attributes (VSAs).

After a user has been authenticated using RADIUS (or another method), the 7705 SAR router can be configured to perform authorization. The RADIUS server can be used to:

Profiles consist of a suite of commands that the user is allowed or not allowed to execute. When a user issues a command, the authorization server looks at the command and the user information and compares it with the commands in the profile. If the user is authorized to issue the command, the command is executed. If the user is not authorized to issue the command, then the command is not executed.

Profiles must be created on each 7705 SAR router and should be identical for consistent results. If the profile is not present, then access is denied.

Table: Supported Authorization Configurations lists the supported scenarios.

When authorization is configured and profiles are downloaded to the router from the RADIUS server, the profiles are considered temporary configurations and are not saved when the user session terminates.

Table: Supported Authorization Configurations

| User | Local Authorization | RADIUS Authorization |
| --- | --- | --- |
| 7705 SAR configured user | Supported | Not Supported |
| RADIUS server configured user | Supported | Supported |
| TACACS+ server configured user | Supported | Not Supported |

When using authorization, maintaining a user database on the router is not required. Usernames can be configured on the RADIUS server. Usernames and their associated passwords are temporary and are not saved in the configuration database when the user session terminates.
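The authorization behavior described above (a command is checked against the user's profile, a missing profile means access is denied, and a profile downloaded from RADIUS disappears when the session ends) can be modeled as follows. This is an added illustration, not 7705 SAR code: the class names, the whole-word prefix matching, the first-match ordering, and the deny-by-default action are assumptions made for the model.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    name: str
    entries: list                 # ordered (command prefix, permit?) pairs
    default_permit: bool = False  # assumed: anything unmatched is refused

    def permits(self, command: str) -> bool:
        words = command.split()
        for prefix, permit in self.entries:      # assumed: first match wins
            tokens = prefix.split()
            if words[:len(tokens)] == tokens:    # whole-word prefix match
                return permit
        return self.default_permit

@dataclass
class Router:
    profiles: dict = field(default_factory=dict)   # saved local configuration
    sessions: dict = field(default_factory=dict)   # session id -> Profile or None

    def login(self, session_id, profile_name, downloaded=None):
        # A profile downloaded from RADIUS lives only in the session entry;
        # otherwise the name must resolve to a locally configured profile.
        self.sessions[session_id] = downloaded or self.profiles.get(profile_name)

    def authorize(self, session_id, command) -> bool:
        profile = self.sessions.get(session_id)
        if profile is None:       # unknown session or profile not present
            return False          # fail closed: access is denied
        return profile.permits(command)

    def logout(self, session_id):
        self.sessions.pop(session_id, None)   # temporary profile goes with it

def demo():
    # Constructed sample data, not taken from a real router.
    operator = Profile("operator", [("admin reboot", False), ("show", True)])
    r = Router(profiles={"operator": operator})
    r.login("s1", "operator")
    r.login("s2", "no-such-profile")
    r.login("s3", "radius-temp", downloaded=Profile("radius-temp", [("show", True)]))
    before = [r.authorize("s1", "show router interface"),
              r.authorize("s1", "configure system name x"),
              r.authorize("s2", "show version"),
              r.authorize("s3", "show version")]
    r.logout("s3")
    after = [r.authorize("s3", "show version"), "radius-temp" in r.profiles]
    return before, after
```

Session `s2` shows why profiles should be identical on every router: a name that resolves on one node but not on another turns a valid login into a session that can execute nothing.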