I think I am being a bit dim here!!
I am configuring aaa authentication and I am a bit unsure as to what the line:
aaa authorization exec
The documentation states:
"To create a method list to enable authorization to determine if a user is allowed to run an EXEC shell, use the exec keyword"
First of all I'm a bit confused as to what "run an EXEC shell" means. Is this referring to "user EXEC mode" or privileged EXEC mode or both?
Authentication runs before Authorization, and I am using the "aaa authentication enable" command to control access to the "privileged EXEC mode", hence my confusion as to what the previous command actually achieves.
Any clarification will be much appreciated.
Let's start with a clarification of terminology. Authentication deals with "who are you?" (and really with "can you prove that you are who you claim to be?", usually via a password). Authorization deals with, once we believe who you are, what you should be able to do. The exec shell is usually associated with the console and the vty ports and enables the parser and the command interpreter to allow the user to issue commands and receive output.
You authenticate to user mode. And typically you authenticate again to privilege mode. You must prove who you are to gain each of these modes.
Authorization exec deals with running the exec process. The exec process allows a user to interact with the box (router or switch) and encompasses both user mode and privilege mode.
An example might help: at a customer site I support several routers used for dial access. We authenticate dial access users who are able to start ppp sessions but we do not authorize them to start exec sessions.
Thanks for the reply.
Yep, I am with you regarding the points you have mentioned. Perhaps I can explain my config a bit more just for me to clear up the EXEC authorization part, as I still don't quite get what the "aaa authorization exec" part of the config is achieving.
I have the following lines configured re authorization:
aaa authentication login default group
aaa authentication enable default group
This I believe will force authentication of users initially before they can log into my routers and then require them to authenticate again before they are allowed into enable (privileged EXEC) mode. Once the user has been authenticated and is in enable (privileged EXEC) mode, is this not the same as the user starting an EXEC session?
I then have the authorization part as follows:
aaa authorization exec default group
aaa authorization commands 15 default group
I can see that the second line is used to authorize level 15 commands against my ACS server and will therefore require me to specify which commands the user can execute, but I'm not too sure what exactly the first line controls or which settings are relevant on the ACS server to "exec authorization".
Sorry, still being a bit dim :-(
I sympathize. It took me quite a while to get some of these things sorted out - and there are parts that I am still working to get clear.
Let me try to answer slightly differently. Just because someone has a user ID and a password that are configured on the ACS server does not mean that they will be able to access your router. Let me start with the command:
aaa authentication login default group
This says that when someone attempts to begin a session on the router (to log in) the router should send an authentication request to the ACS, which will ask for the user ID and password and will respond with "pass" or "fail" for the user attempt. This applies both to someone on the console or vty ports (who will start an exec session) and to someone who dials in (who will start a ppp session). Just because they authenticate does not necessarily mean that the session starts. If the router is configured with:
aaa authorization exec default group
Then the router will check with the ACS server to verify if the user is authorized to start an exec session. If the user is configured in ACS to do only dial-up but they are attempting to telnet to the router, they will be denied. They may have a valid ID and a valid password, and they did not get an authentication error, but they got an authorization error and their session is denied. They will not be able to telnet to the router.
As I think about your question I believe that part of your difficulty is that you are thinking of aaa controlling access to the router only through console or vty ports (telnet) and are not considering the possibility of other access that aaa might control. If you consider the possibility of other access (such as dial up) I hope it will become easier to understand the relationship between authentication and authorization.
Hi again Rick and thanks again.
I think I´m starting to get a clearer picture.
So, if I had no authorization configured the router would allow users to connect and then enter enable mode based on the authentication commands that I have configured. As I have EXEC authorization configured, the router also checks with the ACS server to see if options such as "Shell (Exec)" and "enable options" allow this type of activity.
I will be able to try some of this out again on Monday and hopefully, thanks to your help, will understand what is going on a bit better.
I think that you are getting a better understanding. If you do not have any authorization configured for exec, the router will assume that you are authorized to start an exec session. If you have configured authorization exec, the router will check. If you do not have authorization commands 1, the router will assume that you can execute any user mode commands. If you configure authorization commands 1, the router will check to see what you are authorized to do in user mode. If you do not have authorization commands 15, the router will assume you can execute any privilege 15 command. If you configure authorization commands 15, the router will check.
Another thing to mention:
If you are using "aaa authentication enable", then the IOS device makes an authentication request to the RADIUS server with a username of $enab15$. That's actually quite stupid because it doesn't allow you to define which user can reach priv-exec mode. Everyone who knows the password for the user $enab15$ can access priv-exec mode!
If you are using the command "aaa authorization exec", then the IOS device reads the attribute-value pairs (AV-pairs) it gets from the RADIUS (ACS) server and decides based on them which rights the user has; the device gets these AV-pairs while authenticating the user. If the AV-pair in Option 009/001 in ACS looks like "shell:priv-lvl=15", then the user gets automatically logged in to priv-exec mode.
OK, now to make everything even more complicated, the behavior is different if you are using TACACS instead of RADIUS :-) With TACACS, if you issue the command "aaa authentication enable", then the IOS device makes an authentication request with the same user name you used for logging in to the device, and the ACS checks if you have enough privileges (this is the max privilege level in ACS) to reach priv-exec mode.
OK, to make it simple again, if you use RADIUS, use
aaa authentication login plus aaa authorization exec
aaa authentication login plus aaa authentication exec
(TACACS also has a method to log a user in directly to the priv-exec level, but it is not supported in every IOS/CatOS version, so the methods mentioned by me are the smallest common value supported on almost every platform)
Hope that helps (I don't think that it makes things clearer for you :-)
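To make the decision flow described in the replies above concrete, here is an added Python model written for this thread; it is not Cisco IOS or ACS code. It holds a constructed in-memory "ACS" user table and returns the outcome of login authentication, exec authorization, enable authentication and command authorization under RADIUS-style and TACACS-style settings. The config dicts, function names, user names and passwords are all assumptions made for the example; the TACACS enable check reuses the login password, which is a simplification.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    password: str
    services: set                   # {"ppp"} = dial-only user, {"shell"} = may start an exec session
    priv_lvl: int = 1               # what ACS returns as shell:priv-lvl (max privilege in TACACS)
    allowed_cmds: set = field(default_factory=set)   # used by "aaa authorization commands 15"

# Constructed ACS user database for the example (not real credentials).
ACS = {
    "dialuser": User("d1al-pw", {"ppp"}),
    "helpdesk": User("hd-pw", {"shell"}),
    "netops":   User("ops-pw", {"shell"}, 15, {"show running-config", "configure terminal"}),
    "$enab15$": User("enable-pw", set(), 15),   # the username IOS sends to RADIUS on "enable"
}
# Router-side AAA settings as dicts (hypothetical keys mirroring the IOS lines in the thread).
RADIUS_CFG = {"protocol": "radius", "authorization_exec": True, "authorization_commands": {15}}
TACACS_CFG = {"protocol": "tacacs", "authorization_exec": True, "authorization_commands": {15}}
NO_AUTHZ_CFG = {"protocol": "radius", "authorization_exec": False, "authorization_commands": set()}

def authenticate_login(user, pw):
    """aaa authentication login: ACS answers pass/fail for the supplied credentials."""
    u = ACS.get(user)
    return u is not None and u.password == pw

def start_session(user, pw, access, cfg):
    """Login on a vty (exec) or dial-in (ppp) line; returns (allowed, level_or_reason)."""
    if not authenticate_login(user, pw):
        return False, "authentication failed"
    if access == "dial":
        return True, "ppp"               # dial user starts a ppp session, no exec involved
    if not cfg["authorization_exec"]:
        return True, 1                   # no "aaa authorization exec": exec assumed authorized
    u = ACS[user]
    if "shell" not in u.services:
        return False, "authorization failed: exec not permitted"   # valid password, still denied
    return True, u.priv_lvl              # shell:priv-lvl=15 lands the user straight in priv-exec

def authenticate_enable(user, enable_pw, cfg):
    """aaa authentication enable: RADIUS is asked about $enab15$, TACACS about the logged-in user."""
    if cfg["protocol"] == "radius":
        return authenticate_login("$enab15$", enable_pw)   # who the user is plays no part
    u = ACS[user]                                          # assumption: same password as login
    return u.password == enable_pw and u.priv_lvl >= 15

def authorize_command(user, cmd, level, cfg):
    """aaa authorization commands <level>: only consulted for levels named in the config."""
    if level not in cfg["authorization_commands"]:
        return True                      # no commands N line: every level-N command allowed
    return cmd in ACS[user].allowed_cmds
```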