Cisco Support Community
New Member

AAA commands

Can someone explain these commands in detail?

aaa authentication enable default group ACS enable

aaa authorization exec default group ACS if-authenticated

5 REPLIES

Re: AAA commands

---> aaa authentication enable default group ACS enable

The authentication request will first go to ACS, and if there is no reply from ACS, the device will fall back and ask for the enable password.

----> aaa authorization exec default group ACS if-authenticated

Again, the device will check the authorization status with ACS, and if there is no reply it will fall back to "if-authenticated" and let the user in, on the condition that the user has been authenticated.

If you use 'if-authenticated', any authentication method (line, local, etc.) will allow for successful authorization. However, if the TACACS+ server goes down during a session, all authorization will fail until a new authentication occurs (log out and log back in). This allows for an extra security measure so that a user with low privileges cannot suddenly run any command if the AAA server goes down. They must have access to the backup authentication method.

Regards,

~JG

Do rate helpful posts

New Member

Re: AAA commands

In the first command, does the request go to ACS on enable access and then fall back to the device enable password?

Hall of Fame Super Silver

Re: AAA commands

Aksher

Yes, in the first command, when the user enters the enable command the request first goes to ACS, and if ACS returns an "error" response or does not respond at all, then it will fall back to the device enable password (or enable secret).

HTH

Rick
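A small Python model of the method-list behaviour described in the two replies above (an added illustration, not Cisco's code and not something posted in this thread): methods are tried left to right, and only an ERROR (no reply or an error response) moves the walk on to the next method, so a definite reject from ACS is final and never falls through to the local enable secret. All function names and sample passwords are constructed for the illustration.

```python
# Model of IOS AAA method-list evaluation for the two lines in the question.
# Added illustration, not Cisco code. Rule modelled: methods run left to
# right; the next one is tried only on ERROR (no reply / error response).
# A definite reject (FAIL) ends the walk, so a wrong password at ACS does
# NOT fall through to the local enable secret.
from enum import Enum

class Result(Enum):
    PASS = "pass"
    FAIL = "fail"    # definite reject from the method
    ERROR = "error"  # method could not answer -> try the next method

def run_method_list(methods, req):
    """methods: [(name, fn)] in the order written on the aaa line.
    Returns (Result, deciding method name or None if every method errored)."""
    for name, fn in methods:
        outcome = fn(req)
        if outcome is not Result.ERROR:
            return outcome, name
    return Result.FAIL, None  # list exhausted: request denied

# Constructed stand-ins for the methods named in the thread
def group_acs_enable(req):   # 'group ACS' for enable authentication
    if not req["acs_reachable"]:
        return Result.ERROR
    return Result.PASS if req["password"] == req["acs_enable_pw"] else Result.FAIL

def local_enable(req):       # 'enable' method: the device's enable secret
    return Result.PASS if req["password"] == req["enable_secret"] else Result.FAIL

def group_acs_exec(req):     # 'group ACS' for exec authorization
    if not req["acs_reachable"]:
        return Result.ERROR
    return Result.PASS if req["acs_allows_exec"] else Result.FAIL

def if_authenticated(req):   # 'if-authenticated': pass only for an authenticated user
    return Result.PASS if req["authenticated"] else Result.FAIL

# aaa authentication enable default group ACS enable
ENABLE_AUTHEN = [("group ACS", group_acs_enable), ("enable", local_enable)]
# aaa authorization exec default group ACS if-authenticated
EXEC_AUTHOR = [("group ACS", group_acs_exec), ("if-authenticated", if_authenticated)]

def enable_attempt(acs_reachable, password):
    req = {"acs_reachable": acs_reachable, "password": password,
           "acs_enable_pw": "acs-secret", "enable_secret": "local-secret"}
    return run_method_list(ENABLE_AUTHEN, req)

def exec_authorization(acs_reachable, acs_allows_exec, authenticated):
    req = {"acs_reachable": acs_reachable, "acs_allows_exec": acs_allows_exec,
           "authenticated": authenticated}
    return run_method_list(EXEC_AUTHOR, req)
```

The second `enable_attempt` case is the one worth noticing: with ACS reachable, typing the local enable secret is rejected by ACS and the walk stops there.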

New Member

Re: AAA commands

Thanks for the answer! Does it differ on firewalls? Say I have

aaa authentication telnet console ACS LOCAL

to login and

aaa authentication enable console ACS LOCAL

to enter enable mode. Here I always enter privilege level 1 first and then level 15 after giving en/password, whereas in the previous one I can directly enter privilege 15 on the router. FYI, I have privilege 15 defined on ACS for both.

Re: AAA commands

Unfortunately that is not possible, as ASA does not support Exec Authorization.

Regards,

~JG

Do rate helpful posts
