3.10.3 Authentication, Authorization, and Accounting Configuration

Authentication configures how a user is authenticated when logging into the switch through one of the management client interfaces. Each interface may have up to three authentication servers, tried in order: if the first authentication server is down, the second is accessed instead, and if both the first and second are down, the third is accessed.

Authorization limits the CLI commands available to a user.

Accounting configures command and exec (login) accounting.

Command Syntax:

aaa authentication login { console | telnet | ssh | http } { { local | radius | tacacs } [ { local | radius | tacacs } [ { local | radius | tacacs } ] ] }

Table 3-42. Command Description

Argument    Description
Parameter   N.A
Default     N.A
Mode        Global Configuration mode
Usage       Configure the user authentication method for a specific management interface. To disable the interface, use the ‘no’ version of the command.
Example     Example 1: Configure SSH to authenticate first with the RADIUS server. If it is down, authenticate with the TACACS server; if that is also down, authenticate locally.

                (config)# aaa authentication login ssh radius tacacs local

            Example 2: Disable Telnet remote access.

                (config)# no aaa authentication login telnet

Command Syntax:

aaa authorization { console | telnet | ssh } tacacs commands <priv_lvl> [ config-commands ]

Table 3-43. Command Description

Argument    Description
Parameter   <priv_lvl>   Privilege level. The level ranges from 0–15.
Default     N.A
Mode        Global Configuration mode
Usage       Configure the authorization method for a specific management interface. To disable authorization, use the ‘no’ version of the command.
Example     Example 1: Configure SSH to use the TACACS server for command authorization at privilege level 15 and also authorize configuration commands.

                (config)# aaa authorization ssh tacacs commands 15 config-commands

            Example 2: Disable SSH command authorization.

                (config)# no aaa authorization ssh

Command Syntax:

aaa accounting { console | telnet | ssh } tacacs { [ commands <priv_lvl> ] [ exec ] }

Table 3-44. Command Description

Argument    Description
Parameter   [ commands <priv_lvl> ]   All CLI commands at or above the privilege level are accounted.
            [ exec ]                  Only the remote user login/logout is reported.
Default     N.A
Mode        Global Configuration mode
Usage       Configure the accounting method and reporting. To disable accounting, use the ‘no’ version of the command.
Example     Example 1: Configure accounting for SSH to report all CLI activity and any login/logout.

                (config)# aaa accounting ssh tacacs commands 15 exec

            Example 2: Disable accounting for Telnet.

                (config)# no aaa accounting telnet
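The three commands above are normally reviewed together, because the login method order decides whether an administrator can still get in when every RADIUS/TACACS server is unreachable, and the accounting lines decide whether that session leaves a record. The following Python script is an added example, not code from this manual or the switch vendor: it parses a text export of the aaa lines, using exactly the three command forms documented in this section, and flags interfaces with no local fallback, Telnet left enabled, and CLI interfaces with no accounting. The sample configuration, the regular expressions and the finding labels (no-local-fallback, insecure-transport, no-accounting) are constructed here; the switch's defaults for interfaces that do not appear in the export are not documented on this page, so only configured interfaces are audited.

```python
"""Audit the AAA lines of a switch running-config for risky combinations.

Added example, not code from the manual or the switch vendor. It assumes the
configuration is available as plain text using exactly the three command
forms documented in this section; the finding labels are invented here.
"""
import re
from dataclasses import dataclass, field

INTERFACES = ("console", "telnet", "ssh", "http")   # per the login syntax
CLI_INTERFACES = ("console", "telnet", "ssh")       # authorization/accounting scope
METHODS = ("local", "radius", "tacacs")

# One regex per documented command form (whitespace is collapsed before matching).
AUTH_RE = re.compile(r"^(no )?aaa authentication login (\S+)((?: \S+)*)$")
AUTHZ_RE = re.compile(r"^(no )?aaa authorization (\S+)(?: tacacs commands (\d+)( config-commands)?)?$")
ACCT_RE = re.compile(r"^(no )?aaa accounting (\S+)(?: tacacs((?: \S+)*))?$")


@dataclass
class AaaState:
    authentication: dict = field(default_factory=dict)  # iface -> [methods]; [] = disabled
    authorization: dict = field(default_factory=dict)   # iface -> (priv_lvl, config_commands)
    accounting: dict = field(default_factory=dict)      # iface -> (commands_lvl | None, exec)


def _check_iface(iface, allowed, line):
    if iface not in allowed:
        raise ValueError(f"unknown interface {iface!r} in {line!r}")


def parse_aaa(config: str) -> AaaState:
    """Parse the aaa lines; a later line for the same interface overrides an earlier one."""
    state = AaaState()
    for raw in config.splitlines():
        line = " ".join(raw.split())               # collapse whitespace
        if not line or line.startswith("!"):       # blank line or comment
            continue
        if m := AUTH_RE.match(line):
            negated, iface, methods = m.group(1), m.group(2), m.group(3).split()
            _check_iface(iface, INTERFACES, line)
            if negated:
                state.authentication[iface] = []
            elif 1 <= len(methods) <= 3 and all(x in METHODS for x in methods):
                state.authentication[iface] = methods
            else:
                raise ValueError(f"bad method list in {line!r}")
        elif m := AUTHZ_RE.match(line):
            negated, iface, lvl, cfg = m.groups()
            _check_iface(iface, CLI_INTERFACES, line)
            if negated:
                state.authorization.pop(iface, None)
            elif lvl is not None and 0 <= int(lvl) <= 15:
                state.authorization[iface] = (int(lvl), cfg is not None)
            else:
                raise ValueError(f"bad authorization line {line!r}")
        elif m := ACCT_RE.match(line):
            negated, iface, rest = m.groups()
            _check_iface(iface, CLI_INTERFACES, line)
            if negated:
                state.accounting.pop(iface, None)
                continue
            tokens, commands, do_exec = (rest or "").split(), None, False
            while tokens:
                if tokens[0] == "commands" and len(tokens) > 1 and tokens[1].isdigit() \
                        and 0 <= int(tokens[1]) <= 15:
                    commands, tokens = int(tokens[1]), tokens[2:]
                elif tokens[0] == "exec":
                    do_exec, tokens = True, tokens[1:]
                else:
                    raise ValueError(f"bad accounting option in {line!r}")
            if commands is None and not do_exec:
                raise ValueError(f"accounting needs 'commands <priv_lvl>' and/or 'exec': {line!r}")
            state.accounting[iface] = (commands, do_exec)
        elif line.startswith("aaa ") or line.startswith("no aaa "):
            raise ValueError(f"unrecognised aaa line {line!r}")   # other config lines are ignored
    return state


def audit(config: str) -> list:
    """Return sorted (interface, finding) pairs for the patterns a reviewer should question."""
    state = parse_aaa(config)
    findings = []
    for iface, methods in state.authentication.items():
        if not methods:
            continue                                # disabled by the 'no' form: nothing to reach
        if "local" not in methods:
            # The chain only falls through to the next server; with every server
            # unreachable and no local method there is no way in at all.
            findings.append((iface, "no-local-fallback"))
        if iface == "telnet":
            findings.append((iface, "insecure-transport"))   # credentials cross the wire in clear
        if iface in CLI_INTERFACES and iface not in state.accounting:
            findings.append((iface, "no-accounting"))        # sessions/commands leave no record
    return sorted(findings)


# Constructed sample configuration using the syntax documented in this section.
SAMPLE_CONFIG = """\
aaa authentication login console local
aaa authentication login ssh radius tacacs local
aaa authentication login http radius
no aaa authentication login telnet
aaa authorization ssh tacacs commands 15 config-commands
aaa accounting ssh tacacs commands 15 exec
aaa accounting console tacacs exec
"""

if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

On the sample the only finding is http with no local fallback; whether that is acceptable depends on whether HTTP management is wanted at all when the RADIUS server is down. Keeping local as the last method on the console is the usual safeguard against locking every administrator out, which in turn means the local accounts need strong credentials since they remain usable when the servers are reachable too.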