07-21-2009 02:50 AM - edited 03-10-2019 04:36 PM
Dear All, I have been practicing local AAA without a remote server, and I am confused as to what the practical difference is between these two commands:
aaa authori exec default none
aaa authori exec default if-authenticated
The end result in both cases seems to be the same; can someone highlight if I am wrong?
07-21-2009 05:53 AM
Ovais
The end result may be the same but they are not doing the same thing.
"aaa authori exec default none" simply means you are not doing any authorisation. It bears no relation to whether the user has authenticated successfully or not.
"aaa authori exec default if-authenticated" means you are doing authorisation which is the direct opposite of the first statement. And this does rely on a successful authentication of the user.
Jon
07-21-2009 09:47 AM
Dear Jon, thanks a lot for the response. What you said in the second statement contains my confusion. Authorization will always happen AFTER successful authentication, right? So what is the sense of if-authenticated? Sir, I am just trying to clear my confusion, so please don't take any of my statements as harsh or pushing; I just don't want to miss the chance of clarifying this confusion. Can you kindly answer my above confusion, plus is there any scenario where you think both none and if-authenticated might produce different results?
07-21-2009 10:31 AM
Using 'none' versus 'if-authenticated' as the backup method for authorization:
If you use 'if-authenticated', any authentication method (line, local, etc.) will allow for successful authorization. However, if the TACACS+ server goes down during a session, all author will fail until a new authen occurs (log out and log back in). This allows for an extra security measure so that a user with low privileges cannot suddenly run any command if the AAA server goes down. They must have access to the backup authen method. If you use 'none', author will always be successful if the AAA server is down, even if it goes down in the middle of the session. Adds convenience at the expense of security.
Regards,
~JG
Do rate helpful posts
07-21-2009 07:03 PM
Dear JG, thanks a lot for the feedback. I will try it today and let you know. One more thing: as you said, if-authenticated works interestingly with a remote server, but do you think it will be different from "none" in the case of local authorization? Kindly give your expert advice in the case of local authorization also.
Thanks a lot for the feedback
07-21-2009 07:39 PM
Dear JG, I have checked the configuration. Following is my complete AAA configuration:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting update periodic 1
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Branch102#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#
All the above show and config ter commands were run after deleting the entry for this branch from the TACACS server, in other words bringing the server down for this branch. As you can see, I am still able to run all priv 15 commands. Am I doing something wrong here? Kindly guide me on this.
07-22-2009 06:23 AM
Hi Illusion,
My bad, this is what will actually happen:
When you define the if-authenticated fallback option, the following occurs:
• if-authenticated allows you to proceed with your action if the TACACS+ server does not respond and you have authentication.
• none allows you to proceed without further authorization if the TACACS+ server does not respond.
Sorry for the confusion.
Regards,
~JG
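The two fallback behaviours JG describes (the 'none' versus 'if-authenticated' comparison in the earlier post and the corrected summary just above) can be checked without a router by modelling how IOS walks an authorization method list. The following is an added example, not code from the thread or from Cisco: it assumes the standard IOS method-list semantics (a method that returns ERROR because the server does not respond falls through to the next method, an explicit FAIL stops the list, PASS grants) and uses a constructed user, command set and server policy, all of which are hypothetical.

```python
# Added example (not from the original thread): a small model of how an IOS
# authorization method list such as
#     aaa authorization exec default group tacacs+ if-authenticated
# is walked, so the 'none' vs 'if-authenticated' fallback can be compared
# without a router. Semantics modelled: each method returns PASS, FAIL or
# ERROR; ERROR (server unreachable / no response) falls through to the next
# method, FAIL (explicit deny) stops the list, PASS grants. Users, commands
# and the server policy below are constructed sample data.
from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Session:
    user: str
    authenticated: bool  # True if login authentication succeeded by ANY method


@dataclass
class TacacsServer:
    reachable: bool
    # constructed policy: user -> commands the server permits at priv 15
    policy: dict = field(default_factory=dict)

    def authorize(self, session, command):
        if not self.reachable:
            return ERROR  # no response: IOS moves on to the next method
        return PASS if command in self.policy.get(session.user, ()) else FAIL


def run_method(method, server, session, command):
    if method == "group tacacs+":
        return server.authorize(session, command)
    if method == "if-authenticated":
        # grants only when the session passed login authentication
        return PASS if session.authenticated else FAIL
    if method == "none":
        return PASS  # no authorization performed at all
    raise ValueError(f"unknown method {method!r}")


def authorize(method_list, server, session, command):
    """Walk the list; return (result, method that decided, or None)."""
    for method in method_list:
        result = run_method(method, server, session, command)
        if result != ERROR:
            return result, method
    return FAIL, None  # every method errored out: the request is denied


IF_AUTH = ["group tacacs+", "if-authenticated"]
NONE = ["group tacacs+", "none"]


def compare(server, session, command):
    """Outcome of the same request under both fallback styles."""
    return {
        "if-authenticated": authorize(IF_AUTH, server, session, command),
        "none": authorize(NONE, server, session, command),
    }


def demo():
    up = TacacsServer(True, {"ovais": {"show running-config"}})
    down = TacacsServer(False)
    # vty user who logged in via 'group tacacs+ local' (hypothetical)
    vty = Session("ovais", authenticated=True)
    # console line whose login method list is 'none': never authenticated
    console = Session("console", authenticated=False)
    return {
        "server up, permitted": compare(up, vty, "show running-config"),
        "server up, denied": compare(up, vty, "reload"),
        "server down, authenticated": compare(down, vty, "reload"),
        "server down, unauthenticated": compare(down, console, "reload"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:30} {outcome}")
```

Run it and the rows line up with the thread: with the posted config the login list is 'group tacacs+ local', so when the server stops responding the local database still authenticates the user, the session counts as authenticated, and 'if-authenticated' grants exec and priv 15 commands just as 'none' would (the "server down, authenticated" row, which is what the branch test showed). The two fallbacks only diverge for a session that never authenticated, such as a line whose login list is 'none'; and neither fallback is consulted when a reachable server explicitly denies the command, since only a non-responding server produces the ERROR that moves IOS to the next method.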