aaa authorization map order
Sets the order for remote-to-local user mappings for RADIUS or TACACS+ server authentication.
Syntax
[no] aaa authorization map order {remote-only | remote-first | local-only}
Parameters
remote-only
Maps a remote authenticated user only if the authentication server sends a local-user mapping attribute. If the attribute does not specify a valid local user, no further mapping is attempted.
remote-first
If a local-user mapping attribute is returned and it is a valid local username, maps the authenticated user to the local user specified in the attribute. If the attribute is not present or not valid locally, uses the username specified by the default-user command. (This is the default behavior.)
local-only
Maps all remote users to the user specified by the aaa authorization map default-user <username> command. Any vendor attributes received from an authentication server are ignored.
Usage
The order determines how the remote user mapping behaves. If the authenticated username is valid locally, the appliance does not perform any mapping. To set TACACS+ authorization levels (admin and read-only) to allow certain members of a group to log in, add the following attribute to users on the TACACS+ server:
service = rbt-exec {
    local-user-name = "monitor"
}
where you replace monitor with admin for write access.
To turn off general authentication in the appliance, enter the following command at the system prompt:
aaa authorization map order remote-only
The no command option disables authentication.
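The mapping order described above, modelled in Python as an added example (not Riverbed code), to show which remote users fall through to the default user under each order. The names map_remote_user and audit are hypothetical, the sample users are constructed, and the model assumes the rule that a locally valid username is never mapped applies in every order.

```python
# Added example: a model of the documented mapping order, not vendor code.
# Assumption: a username that is valid locally is never mapped, in any order.
# A return value of None means no local user was assigned.
ORDERS = ("remote-only", "remote-first", "local-only")

def map_remote_user(order, username, attr, local_users, default_user):
    """Return the local account a remotely authenticated user is mapped to."""
    if order not in ORDERS:
        raise ValueError(f"unknown map order: {order}")
    if username in local_users:
        return username              # valid locally: no mapping performed
    if order == "local-only":
        return default_user          # vendor attributes are ignored
    if attr is not None and attr in local_users:
        return attr                  # valid local-user mapping attribute
    if order == "remote-first":
        return default_user          # attribute absent or not valid locally
    return None                      # remote-only: no further mapping

def audit(order, default_user, local_users, remote_users, privileged=("admin",)):
    """Remote users who reach a privileged account through the default-user
    fallback rather than through an attribute sent by the server."""
    findings = []
    for username, attr in remote_users.items():
        if username in local_users:
            continue
        mapped = map_remote_user(order, username, attr, local_users, default_user)
        if mapped in privileged and mapped == default_user and attr != mapped:
            findings.append((username, mapped))
    return findings

# Constructed sample data: local accounts and the attribute each remote user gets.
LOCAL_USERS = {"admin", "monitor"}
REMOTE_USERS = {
    "alice": "admin",      # server sends local-user-name = "admin"
    "bob": "monitor",      # server sends local-user-name = "monitor"
    "carol": None,         # no mapping attribute sent
    "dave": "operator",    # attribute names an account that does not exist locally
}

if __name__ == "__main__":
    for order in ORDERS:
        for default_user in ("admin", "monitor"):
            print(order, default_user, audit(order, default_user, LOCAL_USERS, REMOTE_USERS))
```

With remote-first and a default user of admin, carol and dave both land on admin without the server having named that account; under remote-only neither is mapped.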
Example
amnesiac (config) # aaa authorization map order remote-only
Product
SCC, Interceptor, Mobile Controller, SteelHead CX, SteelHead EX, SteelHead-v, SteelHead-c
Related Commands
show aaa, show radius, show tacacs