AAA commands

Jagdeep Gambhir Fri, 03/14/2008 - 05:34

---> aaa authentication enable default group ACS enable

The authentication request will first go to ACS, and if there is no reply from ACS, the device will fall back and ask for the enable password.

----> aaa authorization exec default group ACS if-authenticated

Again, the device will check the authorization status with ACS, and if there is no reply it will fall back to "if-authenticated" and let the user in on the condition that the user has been authenticated.

If you use 'if-authenticated', any authentication method (line, local, etc.) will allow for successful authorization. However, if the TACACS+ server goes down during a session, all authorization will fail until a new authentication occurs (log out and log back in). This allows for an extra security measure so that a user with low privileges cannot suddenly run any command if the AAA server goes down. They must have access to the backup authentication method.



Do rate helpful posts
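The fallback behaviour described above, laid out as a complete IOS configuration. This is an added example, not configuration posted in the thread: the TACACS+ server group name ACS matches the commands above, while the server address 192.0.2.10, the shared key, the local username and the secrets are placeholders (assumptions).

```cisco
! Added example (not from the thread): IOS AAA against a TACACS+ group named ACS,
! with local/enable fallback that only triggers when ACS does not answer.
aaa new-model
!
! Server address and key are assumptions.
tacacs-server host 192.0.2.10 key 0 Sh4redSecretHere
aaa group server tacacs+ ACS
 server 192.0.2.10
!
! Login: ask ACS first; "local" is consulted only if ACS returns an ERROR
! (unreachable/timeout), never when ACS answers REJECT.
aaa authentication login default group ACS local
!
! Enable: ask ACS first; fall back to the enable secret if ACS is unreachable.
aaa authentication enable default group ACS enable
!
! EXEC authorization: ACS returns the shell privilege level (priv-lvl=15 puts the
! user straight into enable mode); "if-authenticated" admits an already
! authenticated user when ACS cannot be reached.
aaa authorization exec default group ACS if-authenticated
!
! Fallback credentials used only when ACS is down (placeholders, assumptions).
username admin privilege 15 secret LocalFallbackPw
enable secret EnableFallbackPw
!
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
```

Method lists stop at the first method that gives a definitive answer, so "no reply" (ERROR) is what moves the device to the next method; a REJECT from ACS ends the list and the local or enable fallback is never tried. To check the result, `show aaa servers` and `test aaa group ACS <user> <password> legacy` confirm reachability, and `show privilege` after logging in confirms whether the priv-lvl=15 from ACS landed the session directly in level 15.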

Richard Burts Sat, 03/15/2008 - 07:27


Yes, in the first command, when the user enters the enable command the request first goes to ACS, and if ACS returns an "error" response or does not respond at all, then it will fall back to the device enable password (or enable secret).



Thanks for the answer! Does it differ on firewalls? Say I have

aaa authentication telnet console ACS LOCAL

to login and

aaa authentication enable console ACS LOCAL

to enter enable mode. Here I always enter at privilege level 1 and then go to level 15 after giving en/password, whereas in the previous one I can directly enter privilege 15 on the router. FYI, I have priv 15 defined on ACS for both.

Jagdeep Gambhir Tue, 03/18/2008 - 14:23

Unfortunately that is not possible, as the ASA does not support EXEC authorization.



Do rate helpful posts
