Exec Authorization

srowles
Level 1

Hi

I think I am being a bit dim here!!

I am configuring AAA authentication and I am a bit unsure as to what the line:

aaa authorization exec

will achieve.

The documentation states:

"To create a method list to enable authorization to determine if a user is allowed to run an EXEC shell, use the exec keyword"

First of all I'm a bit confused as to what "run an EXEC shell" means. Is this referring to "user EXEC mode" or privileged EXEC mode or both?

Authentication runs before authorization and I am using the "aaa authentication enable" command to control access to "privileged EXEC mode", hence my confusion as to what the previous command actually achieves.

Any clarification will be much appreciated.

7 Replies

Richard Burts
Hall of Fame

Stephen

Let's start with a clarification of terminology. Authentication deals with who you are (and really with whether you can prove that you are who you claim to be, usually via a password). Authorization deals with, once we believe who you are, what you should be able to do. The exec shell is usually associated with the console and the vty ports and enables the parser and the command interpreter to allow the user to issue commands and receive output.

You authenticate to user mode. And typically you authenticate again to privilege mode. You must prove who you are to gain each of these modes.

Authorization exec deals with running the exec process. The exec process allows a user to interact with the box (router or switch) and encompasses both user mode and privilege mode.

An example might help: at a customer site I support several routers used for dial access. We authenticate dial access users who are able to start ppp sessions but we do not authorize them to start exec sessions.

HTH

Rick


Hi Rick

Thanks for the reply.

Yep, I am with you regarding the points you have mentioned. Perhaps I can explain my config a bit more just to clear up the EXEC authorization part, as I still don't quite get what the "aaa authorization exec" part of the config is achieving.

I have the following lines configured re authorization:

aaa authentication login default group local

aaa authentication enable default group enable

This I believe will force authentication of users initially before they can log into my routers and then require them to authenticate again before they are allowed into enable (privileged EXEC) mode. Once the user has been authenticated and is in enable (Privilege EXEC) mode is this not the same as the user starting an EXEC session?

I then have the authorization part as follows:

aaa authorization exec default group local

aaa authorization commands 15 default group local

I can see that the second line is used to authorize level 15 commands against my ACS server and will therefore require me to specify which commands the user can execute, but I'm not too sure what exactly the first line controls or which settings on the ACS server are relevant to "exec authorization".

Sorry, still being a bit dim :-(

Stephen

I sympathize. It took me quite a while to get some of these things sorted out, and there are parts that I am still working to get clear.

Let me try to answer slightly differently. Just because someone has a user ID and a password that are configured on the ACS server does not mean that they will be able to access your router. Let me start with the command:

aaa authentication login default group local

This says that when someone attempts to begin a session on the router (to login), the router should send an authentication request to the ACS, which will ask for the user ID and password and will respond with "pass" or "fail" for the user attempt. This applies both to someone on the console or vty ports (who will start an exec session) and to someone who dials in (who will start a ppp session). Just because they authenticate does not necessarily mean that the session starts. If the router is configured with:

aaa authorization exec default group local

then the router will check with the ACS server to verify if the user is authorized to start an exec session. If the user is configured in ACS to do only dial up but they are attempting to telnet to the router, they will be denied. They may have a valid ID and a valid password, and they did not get an authentication error, but they got an authorization error and their session is denied. They will not be able to telnet to the router.

As I think about your question, I believe that part of your difficulty is that you are thinking of AAA controlling access to the router only through console or vty ports (telnet) and are not considering the possibility of other access that AAA might control. If you consider the possibility of other access (such as dial up), I hope it will become easier to understand the relationship between authentication and authorization.

HTH

Rick


Hi again Rick and thanks again.

I think I'm starting to get a clearer picture.

So, if I had no authorization configured, the router would allow users to connect and then enter enable mode based on the authentication commands that I have configured. As I have EXEC authorization configured, the router also checks with the ACS server to see if options such as "Shell (Exec)" and "enable options" allow this type of activity.

I will be able to try some of this out again on Monday and hopefully, thanks to your help, will understand what is going on a bit better.

Many thanks.

Steve

Stephen

I think that you are getting a better understanding. If you do not have any authorization configured for exec, the router will assume that you are authorized to start an exec session. If you have configured authorization exec, the router will check. If you do not have authorization commands 1, the router will assume that you can execute any user mode commands. If you configure authorization commands 1, the router will check to see what you are authorized to do in user mode. If you do not have authorization commands 15, the router will assume you can execute any privilege 15 command. If you configure authorization commands 15, the router will check.

HTH

Rick


Hi Stephen

Another thing to mention:

If you are using "aaa authentication enable", then the IOS device makes an authentication request to the RADIUS server with a username of $enab15$. That's actually quite stupid because it doesn't allow you to define which user can reach priv-exec mode. Everyone who knows the password for the user $enab15$ can access priv-exec mode!

If you are using the command "aaa authorization exec", then the IOS device reads the attribute-value pairs (AV-pairs) it gets from the RADIUS (ACS) server and decides upon them which rights the user has; the device gets these AV-pairs while authenticating the user. If the AV-pair in Option 009/001 in ACS looks like "shell:priv-lvl=15", then the user gets automatically logged in to priv-exec mode.

OK, now to make everything even more complicated, the behaviour is different if you are using TACACS instead of RADIUS :-) With TACACS, if you issue the command "aaa authentication enable", then the IOS device makes an authentication request with the same user name you used for logging in to the device, and the ACS checks if you have enough privileges (this is the max privilege level in ACS) to reach priv-exec mode.

OK, to make it simple again, if you use RADIUS, use

aaa authentication login plus aaa authorization exec

with TACACS

aaa authentication login plus aaa authentication exec

(TACACS also has a method to log a user in directly to the priv-exec level, but it is not supported in every IOS/CatOS version, so the methods mentioned by me are the smallest common value supported on almost every platform.)

Hope that helps (I don't think that it makes things clearer for you :-)

Simon
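To tie Rick's and Simon's explanations together, here is an added example configuration (not from any poster in this thread) showing the two variants side by side: RADIUS relying on "aaa authentication login" plus "aaa authorization exec" with the shell:priv-lvl AV-pair, and TACACS+ using "aaa authentication enable" for the second password prompt. The server name ACS1, the group names, the TEST-NET address 192.0.2.10 and the key placeholder are assumptions; replace them with your own values.

```cisco
! ---- Common ----
aaa new-model
! Keep a local fallback user so a dead ACS does not lock you out
username admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
! Apply exec/command authorization to the console too (off by default)
aaa authorization console

! ---- Variant A: RADIUS (Simon's recommendation) ----
radius server ACS1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-KEY
aaa group server radius ACS-RADIUS
 server name ACS1
! Authentication: "who are you?" (user ID + password checked by ACS)
aaa authentication login default group ACS-RADIUS local
! Authorization: "may you start an EXEC shell at all, and at what level?"
! ACS returns cisco-av-pair "shell:priv-lvl=15" for admins; those users
! land directly in privileged EXEC and never see the enable prompt.
! A user ACS only permits for PPP passes authentication but fails here.
aaa authorization exec default group ACS-RADIUS local
! No "aaa authentication enable" here: with RADIUS it would only check
! the shared $enab15$ pseudo-user, not the individual who logged in.

! ---- Variant B: TACACS+ (per-user enable check) ----
tacacs server ACS1
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-KEY
aaa group server tacacs+ ACS-TACACS
 server name ACS1
aaa authentication login default group ACS-TACACS local
! With TACACS+ the enable request carries the login username, so ACS
! can decide per user whether privilege 15 is reachable.
aaa authentication enable default group ACS-TACACS enable
! Still gate the EXEC shell itself (e.g. deny PPP-only accounts)
aaa authorization exec default group ACS-TACACS local
! Per-command authorization; without it every level-15 command is allowed
aaa authorization commands 15 default group ACS-TACACS local
```

Before cutting over to ACS, verify the behaviour from a second session with "debug aaa authentication" and "debug aaa authorization", and keep the console session open so the local fallback can be tested.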

Hi Simon /Rick

Thank you both for the further information. I will re-test some of this on Monday.
