
AAA authorization exec explanation please....thank you

gene.uhl
Level 1

If I have this:

aaa authentication login default group tacacs+ local line none

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ local none

username localadmin password 7 xxxxxxxxxxxx

enable secret 5 xxxxxxxxxxxxxxxx

And all tacacs+ servers are unreachable.

Authentication will revert to local, so I would need to use a locally defined username of localadmin to access the unit. Correct?

If I can log in using the local username, doesn't the authorization exec fail and I cannot get an exec shell as I have no locally defined authorization set up?

If so, how do I set it up so I can log in locally (which I think I have set up), but can also get into enable mode if the tacacs+ server(s) are down?

Is exec shell the privileged mode or just the shell you get when you log in and you need to execute an enable command to get to exec shell?

Thanks

Gene

2 Replies

Richard Burts
Hall of Fame

Gene

I believe that exec shell is the exec that you get when you log in and not the privilege level. I usually configure authentication as you have done and it works well - whether the TACACS server is available or not. I generally configure authorization this way:

aaa authorization exec default group tacacs+ if-authenticated

and find that it works well - whether the TACACS server is available or not.

HTH

Rick


Jagdeep Gambhir
Level 10

Gene,

Yes, if tacacs is down you need to log in using a locally configured user.

If you want to get into enable mode straight away then the local user should have privilege 15. If the user priv is less than 15 then it will ask for the enable password.

Shell exec is a privilege mode.

Regards,

~JG

Do rate helpful posts
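
A simplified model of the method-list fallback this thread asks about, added here as an illustration and not taken from any poster or from Cisco. It assumes IOS moves to the next method only when a method returns no answer (ERROR); the function names, the state dictionary and the level-1 result for `if-authenticated` and `none` are assumptions of the model.

```python
# Added illustration, not IOS code: a simplified model of an AAA method-list walk.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

def run_method(method, user, state):
    """Return (result, privilege) for one 'aaa authorization exec' method."""
    if method == "group tacacs+":
        if not state["tacacs_reachable"]:
            return ERROR, None                 # no server answered
        priv = state["tacacs_users"].get(user)
        return (PASS, priv) if priv is not None else (FAIL, None)
    if method == "local":
        # Privilege comes from the 'username' line; IOS defaults it to 1.
        # Model assumption: a user missing from the local database is denied.
        if user in state["local_users"]:
            return PASS, state["local_users"][user]
        return FAIL, None
    if method == "if-authenticated":
        # Model assumption: the session starts at the default level 1.
        return (PASS, 1) if state["authenticated"] else (FAIL, None)
    if method == "none":
        return PASS, 1                         # no check; level 1 is a model assumption
    raise ValueError(f"unknown method {method!r}")

def authorize_exec(method_list, user, state):
    """Try methods in order; only ERROR moves on, PASS or FAIL is final."""
    for method in method_list:
        result, priv = run_method(method, user, state)
        if result != ERROR:
            return result, method, priv
    return FAIL, None, None                    # every method errored

# Constructed scenario from the thread: every TACACS+ server is unreachable and
# the user has logged in as localadmin (no 'privilege' keyword, so level 1).
OUTAGE = {"tacacs_reachable": False, "tacacs_users": {},
          "local_users": {"localadmin": 1}, "authenticated": True}
ASKER_LIST = ["group tacacs+", "local", "none"]       # list from the question
REPLY_LIST = ["group tacacs+", "if-authenticated"]    # list from the first reply

if __name__ == "__main__":
    for label, methods in (("question", ASKER_LIST), ("reply", REPLY_LIST)):
        print(label, authorize_exec(methods, "localadmin", OUTAGE))
    # Same outage, but the account is defined with 'privilege 15'.
    admin15 = dict(OUTAGE, local_users={"localadmin": 15})
    print("privilege 15", authorize_exec(ASKER_LIST, "localadmin", admin15))
    # Server reachable but it denies the user: FAIL is final, no fallback.
    up = dict(OUTAGE, tacacs_reachable=True)
    print("server up", authorize_exec(ASKER_LIST, "localadmin", up))
```

In this model the question's list still yields an exec shell during the outage, because `local` answers after `group tacacs+` errors. Reaching privileged mode then depends on the `enable` method list or on the account's privilege level.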