aaa authorization exec

Determines the user privilege level when users are authenticated.

Syntax

aaa authorization exec default radius [ tacacs+ ] [ none ]
no aaa authorization exec default radius [ tacacs+ ] [ none ]
aaa authorization exec default tacacs+ [ radius ] [ none ]
no aaa authorization exec default tacacs+ [ radius ] [ none ]
aaa authorization exec default none
no aaa authorization exec default none

Command Default

AAA authorization is not configured.

Parameters

default
Configures the default named list.
radius
Configures RADIUS authorization.
tacacs+
Configures TACACS+ authorization.
none
Disables accounting.

Modes

Global configuration mode

Usage Guidelines

You can configure RADIUS, TACACS+, and None as authorization methods. If the configured primary authorization fails due to an error, the device tries the backup authorization methods in the order they are configured.

When TACACS+ EXEC authorization is performed, the Brocade device consults a TACACS+ server to determine the privilege level of the authenticated user. If the aaa authorization exec default tacacs+ command exists in the configuration, following successful authentication, the device assigns the user the privilege level specified by the foundry-privilege-level received from the TACACS+ server. If the aaa authorization exec default tacacs+ command does not exist in the configuration, then the value in the foundry-privilege-level attribute is ignored, and the user is granted Super User access. Also note that in order for the aaa authorization exec default tacacs+ command to work, either the aaa authentication enable default tacacs+ command, or the aaa authentication login privilege-mode command must also exist in the configuration.

When RADIUS EXEC authorization is performed, the Brocade device consults a RADIUS server to determine the privilege level of the authenticated user. If the aaa authorization exec default radius command exists in the configuration, following successful authentication, the device assigns the user the privilege level specified by the foundry-privilege-level attribute received from the RADIUS server. If the aaa authorization exec default radius command does not exist in the configuration, then the value in the foundry-privilege-level attribute is ignored, and the user is granted Super User access. Also note that in order for the aaa authorization exec default radius command to work, either the aaa authentication enable default radius command, or the aaa authentication login privilege-mode command must also exist in the configuration.

The no form of the command disables authorization.

Examples

The following example shows how to configure TACACS+ EXEC authorization.

device(config)# aaa authorization exec default tacacs+

The following example shows how to configure RADIUS EXEC authorization.

device(config)# aaa authorization exec default radius