Reference Guide
Security | 725
RADIUS exec-authorization stores a user-shell profile and that is applied during user login. You may name
the relevant named-lists with either a unique name or the default name. When authorization is enabled by
the RADIUS server, the server returns the following information to the client:
• Idle time
• ACL configuration information
• Auto-command
• Privilege level
After gaining authorization for the first time, you may configure these attributes.
Idle Time
Every session line has its own idle-time. If the idle-time value is not changed, the default value of 30
minutes is used. RADIUS specifies idle-time allow for a user during a session before timeout. When a user
logs in, the lower of the two idle-time values (configured or default) is used. The idle-time value is updated
if both of the following happens:
• The administrator changes the idle-time of the line on which the user has logged in
• The idle-time is lower than the RADIUS-returned idle-time
ACL
The RADIUS server can specify an ACL. If an ACL is configured on the RADIUS server, and if that ACL
is present, user may be allowed access based on that ACL. If the ACL is absent, authorization fails, and a
message is logged indicating the this.
RADIUS can specify an ACL for the user if both of the following are true:
• If an ACL is absent
• There is a very long delay for an entry, or a denied entry because of an ACL, and a message is logged
Auto-command
You can configure the system through the RADIUS server to automatically execute a command when you
connect to a specific line. To do this, use the command
auto-command. The auto-command is executed
when the user is authenticated and before the prompt appears to the user.
Note: RADIUS authentication/authorization is done for every login. There is no difference between
first-time login and subsequent logins.
Note: The ACL name must be a string. Only standard ACLs in authorization (both RADIUS and TACACS)
are supported. Authorization is denied in cases using Extended ACLs.