Difference between if-authenticated and none keyword!

illusion_rox
Level 1

Dear All, I have been practicing local AAA without a remote server, and I am confused as to what the practical difference is between the following two commands:

aaa authori exec default none

aaa authori exec default if-authenticated

The end result in both cases seems to be the same. Can someone highlight if I am wrong?

6 Replies

Jon Marshall
Hall of Fame

Ovais

The end result may be the same but they are not doing the same thing.

"aaa authori exec default none" simply means you are not doing any authorisation. It bears no relation to whether the user has authenticated successfully or not.

"aaa authori exec default if-authenticated" means you are doing authorisation which is the direct opposite of the first statement. And this does rely on a successful authentication of the user.

Jon

Dear Jon, thanks a lot for the response. What you said in the second statement contains my confusion. Authorization will always happen AFTER successful authentication, right? So what is the sense of if-authenticated? Sir, I am just trying to clear my confusion, so please don't take any of my statements as harsh or pushing; I just don't want to miss the chance of clarifying this confusion. Can you kindly answer my above confusion, plus is there any scenario where you think both none and if-authenticated might produce different results?

Using 'none' versus 'if-authenticated' as a backup method for authorization:

If you use 'if-authenticated', any authentication method (line, local, etc.) will allow for successful authorization. However, if the TACACS+ server goes down during a session, all author will fail until a new authen occurs (log out and log back in). This allows for an extra security measure so that a user with low privileges cannot suddenly run any command if the AAA server goes down. They must have access to the backup authen method. If you use 'none', author will always be successful if the AAA server is down, even if it goes down in the middle of the session. Adds convenience at the expense of security.

Regards,

~JG

Do rate helpful posts

Dear JG, thanks a lot for the feedback. I will try it today and let you know. One more thing: like you said, if-authenticated works interestingly with a remote server, but do you think it will be different from "none" in the case of local authorization? Kindly give your expert advice in the case of local authorization also.

Thanks a lot for the feedback

Dear JG, I have checked the configuration. The following is my complete aaa configuration:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting update periodic 1
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

Branch102#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Branch(config)#

All the above show and config ter commands were run after deleting the entry of this branch from the TACACS server, in other words bringing the server down for this branch. As you can see, I am still able to run all priv 15 commands. Am I doing something wrong here? Kindly guide me on this.

Hi Illusion,

My bad; this is what will actually happen.

When you define the if-authenticated fallback option, the following occurs:

• if-authenticated allows you to proceed with your action if the TACACS+ server does not respond and you have authentication.

• none allows you to proceed without further authorization if the TACACS+ server does not respond.

Sorry for the confusion.

Regards,

~JG
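To make the fallback semantics JG describes in both of his posts concrete, here is an added Python model of a Cisco-style authorization method list (example code, not from the thread or from Cisco): each method returns PASS, FAIL or ERROR, and the list only falls through to the next method on ERROR (no response from the server), never on an explicit deny. The user names, the server's allow-list and the `server_up` flag are constructed inputs standing in for a real TACACS+ server.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Set


class Result(Enum):
    PASS = "pass"    # method explicitly granted the request
    FAIL = "fail"    # method explicitly denied it; evaluation stops here
    ERROR = "error"  # method could not answer (server unreachable); try the next one


@dataclass
class Session:
    user: str
    authenticated: bool  # whether the login method list returned PASS for this session
    priv: int


Method = Callable[[Session, str], Result]


def tacacs(server_up: bool, allowed: Dict[str, Set[str]]) -> Method:
    """Constructed stand-in for 'group tacacs+': unreachable server -> ERROR,
    reachable server -> PASS/FAIL according to its per-user command policy."""
    def method(session: Session, command: str) -> Result:
        if not server_up:
            return Result.ERROR
        return Result.PASS if command in allowed.get(session.user, set()) else Result.FAIL
    return method


def none(session: Session, command: str) -> Result:
    """The 'none' keyword: no authorization is performed, so everything passes."""
    return Result.PASS


def if_authenticated(session: Session, command: str) -> Result:
    """The 'if-authenticated' keyword: pass only for an authenticated session."""
    return Result.PASS if session.authenticated else Result.FAIL


def authorize(methods: List[Method], session: Session, command: str) -> bool:
    """Walk the method list left to right; fall through only on ERROR."""
    for method in methods:
        result = method(session, command)
        if result is not Result.ERROR:
            return result is Result.PASS
    return False  # every method errored: the request is not authorized


ALLOWED = {"ovais": {"show running-config"}}  # constructed TACACS+ policy: no 'configure terminal'


def demo() -> Dict[str, bool]:
    ovais = Session("ovais", authenticated=True, priv=15)
    guest = Session("guest", authenticated=False, priv=1)  # modeled unauthenticated session
    cmd = "configure terminal"
    return {
        "server_up_denied": authorize([tacacs(True, ALLOWED), if_authenticated], ovais, cmd),
        "server_down_if_auth": authorize([tacacs(False, ALLOWED), if_authenticated], ovais, cmd),
        "server_down_none": authorize([tacacs(False, ALLOWED), none], ovais, cmd),
        "unauth_if_auth": authorize([tacacs(False, ALLOWED), if_authenticated], guest, cmd),
        "unauth_none": authorize([tacacs(False, ALLOWED), none], guest, cmd),
    }
```

The first key shows why an explicit deny from a reachable server is never rescued by the fallback; the last two show the one case where `none` and `if-authenticated` diverge, a session that was never authenticated.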
