AAA commands

aksher
Level 1

Can someone explain these commands in detail?

aaa authentication enable default group ACS enable

aaa authorization exec default group ACS if-authenticated

5 Replies

Jagdeep Gambhir
Level 10

---> aaa authentication enable default group ACS enable

The authentication request will first go to ACS, and if there is no reply from ACS, the device will fall back and ask for the enable password.

----> aaa authorization exec default group ACS if-authenticated

Again, the device will check the authorization status with ACS, and if there is no reply it will fall back to "if-authenticated" and let the user in, on the condition that the user has been authenticated.

If you use 'if-authenticated', any authentication method (line, local, etc.) will allow for successful authorization. However, if the TACACS+ server goes down during a session, all authorization will fail until a new authentication occurs (log out and log back in). This allows for an extra security measure, so that a user with low privileges cannot suddenly run any command if the AAA server goes down. They must have access to the backup authentication method.

Regards,

~JG

Do rate helpful posts

In the first command, does the request go to ACS on enable access and then fall back to the device enable password?

Aksher

Yes. In the first command, when the user enters the enable command, the request first goes to ACS, and if ACS returns an "error" response or does not respond at all, then it will fall back to the device enable password (or enable secret).

HTH

Rick

Thanks for the answer! Does it differ on firewalls? Say I have

aaa authentication telnet console ACS LOCAL

to log in, and

aaa authentication enable console ACS LOCAL

to enter enable mode. Here I always enter privilege level 1 and then go to level 15 after giving en/password, whereas in the previous one I can directly enter privilege 15 on the router. FYI, I have privilege 15 defined on ACS for both.

Unfortunately that is not possible, as ASA does not support Exec Authorization.

Regards,

~JG

Do rate helpful posts
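The fallback behaviour the replies above describe (for `aaa authentication enable default group ACS enable`, for `aaa authorization exec default group ACS if-authenticated`, and for the `ACS LOCAL` login and enable lists on the firewall) comes down to one rule of IOS method lists: the next method in the list is consulted only when the previous one returns ERROR (server unreachable or no reply), never when it returns FAIL (the server answered and rejected). The Python below is an added simulation of that rule, not code from the thread or from Cisco; the user names, passwords and privilege levels are constructed sample data and no real ACS is contacted. It shows that, with ACS reachable, the local enable secret and local user database are never tried, and that `if-authenticated` grants exec authorization with no server attributes, so no priv-lvl 15 is applied to the session.

```python
# Added simulation of Cisco IOS AAA method-list fallback (not from the thread).
# Sample users, passwords and privilege levels are constructed for illustration.
from dataclasses import dataclass, field
from enum import Enum


class R(Enum):
    PASS = "PASS"    # method accepted the request; the list stops
    FAIL = "FAIL"    # method answered and rejected; the list stops (no fallback)
    ERROR = "ERROR"  # method could not answer (server unreachable); try the next one


@dataclass
class Acs:
    users: dict            # username -> login password (constructed)
    enable: dict           # username -> enable password (constructed)
    priv: dict             # username -> priv-lvl returned by exec authorization
    reachable: bool = True

@dataclass
class Device:
    acs: Acs
    enable_secret: str     # the "enable" method: local enable secret
    local_users: dict = field(default_factory=dict)  # the "local"/LOCAL method

@dataclass
class Session:
    user: str
    authenticated: bool = False
    priv: int = 1


def run_list(methods, dev, sess, *args):
    """Walk a method list the way IOS does: the next method is consulted only
    when the current one returns ERROR. PASS or FAIL ends the walk."""
    for name, method in methods:
        res, attrs = method(dev, sess, *args)
        if res is not R.ERROR:
            return res, name, attrs
    return R.ERROR, None, {}   # every method errored; the request is denied


# Authentication methods: each returns (Result, server attributes)
def m_group_acs_login(dev, sess, pw):
    if not dev.acs.reachable:
        return R.ERROR, {}
    return (R.PASS if dev.acs.users.get(sess.user) == pw else R.FAIL), {}

def m_group_acs_enable(dev, sess, pw):
    if not dev.acs.reachable:
        return R.ERROR, {}
    return (R.PASS if dev.acs.enable.get(sess.user) == pw else R.FAIL), {}

def m_enable(dev, sess, pw):
    return (R.PASS if pw == dev.enable_secret else R.FAIL), {}

def m_local(dev, sess, pw):
    return (R.PASS if dev.local_users.get(sess.user) == pw else R.FAIL), {}


# Exec authorization methods
def m_group_acs_exec(dev, sess):
    if not dev.acs.reachable:
        return R.ERROR, {}
    if sess.user in dev.acs.priv:
        return R.PASS, {"priv-lvl": dev.acs.priv[sess.user]}
    return R.FAIL, {}

def m_if_authenticated(dev, sess):
    # Succeeds for any authenticated user but carries no server attributes.
    return (R.PASS if sess.authenticated else R.FAIL), {}


# The method lists discussed in the thread
LOGIN_ACS_LOCAL = [("group ACS", m_group_acs_login), ("local", m_local)]
ENABLE_ACS_ENABLE = [("group ACS", m_group_acs_enable), ("enable", m_enable)]
EXEC_ACS_IFAUTH = [("group ACS", m_group_acs_exec), ("if-authenticated", m_if_authenticated)]


def login(dev, sess, pw):
    res, via, _ = run_list(LOGIN_ACS_LOCAL, dev, sess, pw)
    sess.authenticated = res is R.PASS
    return res, via

def exec_authorize(dev, sess):
    res, via, attrs = run_list(EXEC_ACS_IFAUTH, dev, sess)
    if res is R.PASS:
        sess.priv = attrs.get("priv-lvl", 1)   # no priv-lvl attribute: stay at level 1
    return res, via, sess.priv

def enable(dev, sess, pw):
    res, via, _ = run_list(ENABLE_ACS_ENABLE, dev, sess, pw)
    if res is R.PASS:
        sess.priv = 15
    return res, via


def build_device(acs_reachable=True):
    """Constructed sample data; the names and passwords are not from the thread."""
    acs = Acs(users={"aksher": "login-pw"}, enable={"aksher": "acs-enable-pw"},
              priv={"aksher": 15}, reachable=acs_reachable)
    return Device(acs=acs, enable_secret="device-enable-secret",
                  local_users={"aksher": "local-pw"})
```

With `build_device(True)`, typing the device enable secret at the enable prompt returns FAIL from `group ACS` and the `enable` method is never reached; only the ACS enable password works. With `build_device(False)`, login succeeds only against the local database, `enable` accepts the local enable secret, and exec authorization passes via `if-authenticated` at privilege level 1, which matches the observation in the thread that an unreachable server leaves the user with whatever the backup method grants and nothing more.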
