What is the difference between authorisation if-authenticated and none

ipotts
Level 1

Hello,

I am working on an AAA configuration, and can't determine the practical difference between authorisation none and authorisation if-authenticated.

I realise the obvious difference: if TACACS is down, there is no authorisation if none is used, and authorisation will allow all commands if if-authenticated is used.

However, since you must always be authenticated before authorisation commences, in practical terms there is no difference that I can see between if-authenticated and none. Can anyone please explain whether there is a practical difference between them?

#####################Authorisation if-authenticated#############

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

#####################Authorisation none##################

aaa authorization exec default group tacacs+ none

aaa authorization commands 1 default group tacacs+ none

aaa authorization commands 15 default group tacacs+ none

Many Thanks

Ian Potts

6 Replies

bwalchez
Level 4

If you want to configure a setup where a user is allowed access to the requested function if they have been authenticated previously, use the if-authenticated method keyword. With this method in place, authenticated users are allowed access to all requested functions.

There may be instances where you might not want to run authorization from a particular interface or line. To disable authorization for all actions associated with a particular type of authentication, use the none method keyword. The network access server does not request authorization information, and authorization is not performed over this line/interface.

You could also refer to the document on Configuring Authorization available at the URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt1/scathor.htm

Thank you for your reply. I may not have explained my question clearly. I have read the CCO documentation multiple times, but it does not answer my question.

My question is basically that a user is always authenticated. Therefore, using authorization methods of none or if-authenticated is identical.

One use I can think of is where you have both AAA and local configured for exec or command authorization. Let's say TACACS+ in the following manner:

aaa new-model

aaa authentication login default tacacs+ local

aaa authorization exec default tacacs+ if-authenticated

username admin password

If you had this configuration without the "if-authenticated" statement and the connection to the TAC+ server goes down, or you receive an ERROR communicating with it such as a mismatched key, then it goes to local for authentication. If you did not want to use local authorization and want exec authorization to succeed for this local account, then the "if-authenticated" statement would be needed.

Check out the debugs with:

aaa new-model

aaa authentication login default tacacs+ local

aaa authorization exec default tacacs+ local

AND the TAC+ server is down

6d21h: AAA/AUTHOR/EXEC (4150549846): Port='tty2' list='' service=EXEC

6d21h: AAA/AUTHOR/EXEC: (4150549846) user='admin'

6d21h: AAA/AUTHOR/EXEC: (4150549846) send AV service=shell

6d21h: AAA/AUTHOR/EXEC: (4150549846) send AV cmd*

6d21h: AAA/AUTHOR/EXEC (4150549846) found list "default"

6d21h: AAA/AUTHOR/EXEC: (4150549846) Method=TACACS+

6d21h: AAA/AUTHOR/TAC+: (4150549846): user=admin

6d21h: AAA/AUTHOR/TAC+: (4150549846): send AV service=shell

6d21h: AAA/AUTHOR/TAC+: (4150549846): send AV cmd*

core7200-4#

6d21h: AAA/AUTHOR (4150549846): Post authorization status = ERROR

6d21h: AAA/AUTHOR/EXEC: (4150549846) Method=NOT_SET

6d21h: AAA/AUTHOR/EXEC: (4150549846) no methods left to try

6d21h: AAA/AUTHOR (4150549846): Post authorization status = FAIL

6d21h: AAA/AUTHOR/EXEC: Authorization FAILED

NOTE: post authorization fails because there is no method set for EXEC for the local user. Now, put in "if-authenticated" and test again:

aaa new-model

aaa authentication login default tacacs+ local

aaa authorization exec default tacacs+ if-authenticated

6d22h: AAA/AUTHOR/EXEC (2893174055): Port='tty2' list='' service=EXEC

6d22h: AAA/AUTHOR/EXEC: (2893174055) user='admin'

6d22h: AAA/AUTHOR/EXEC: (2893174055) send AV service=shell

6d22h: AAA/AUTHOR/EXEC: (2893174055) send AV cmd*

6d22h: AAA/AUTHOR/EXEC (2893174055) found list "default"

6d22h: AAA/AUTHOR/EXEC: (2893174055) Method=TACACS+

6d22h: AAA/AUTHOR/TAC+: (2893174055): user=admin

6d22h: AAA/AUTHOR/TAC+: (2893174055): send AV service=shell

6d22h: AAA/AUTHOR/TAC+: (2893174055): send AV cmd*

6d22h: AAA/AUTHOR (2893174055): Post authorization status = ERROR

6d22h: AAA/AUTHOR/EXEC: (2893174055) Method=IF_AUTHEN

6d22h: AAA/AUTHOR (2893174055): Post authorization status = PASS_ADD

6d22h: AAA/AUTHOR/EXEC: Authorization successful

Note: the post authorization passes because of IF_AUTHEN.

See the behavior?

Hope this helps.

Hi,

Thanks very much for your detailed work. I can see the difference in your traces, but my real interest is in the different behaviour between if-authenticated and none, not between if-authenticated and local. Since all users are authenticated, there appears to me to be no difference between an authorization method of none and one of if-authenticated.

Many Thanks

Ian

Hi Ian,

There is not much difference IMO, as normally people will use "enable" as the fallback authentication method, which means a user can always be authenticated when the TACACS servers are lost.

Actually, I find that on some IOS versions the device doesn't support the "none" keyword at all, while on some other IOS versions "if-authenticated" doesn't work.

I think the Cisco developers just screwed this up by complicating the fallback methods.

Which can win the race: increasing bandwidth with new technologies VS QoS?

-- Best Regards


authorization methods of none or if-authenticated ---


If you go "authorization none", you are basically stating that any person that authenticates has all privileges to do everything.

If you go if-authenticated, then you are allowed to have the privileges granted by authorization without checking the remote TACACS server for each command that you enter to see if it is authorized.


If you go with authorization method group tacacs+, then each command will require an answer from the TACACS server as to whether or not the command is authorized for the user. This can actually create quite a noticeable lag on WAN links. Think about it: each command, before it is executed, has to be communicated to the TACACS server and responded to before the command will "take" and then execute.

Therefore the if-authenticated approach, which goes ahead and authorizes at his login level, is preferred, and

if you are not running a varied privilege level environment, then authorization method none becomes a very good option.
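As an added illustration (written for this page, not by any of the posters above and not IOS code), the following Python model walks an authorization method list the way the debugs earlier in the thread show it being walked: the next method is tried only when the previous one returns ERROR (server unreachable), and a PASS or FAIL ends processing. It exercises the three fallbacks discussed (local, if-authenticated, none), the one situation in which none and if-authenticated answer differently (a session that no login method actually authenticated), and, for the last reply's point about per-command round trips, it counts how many times the device queried the server while it was reachable. The toy TACACS+ server, its per-user command policy, the local user database, the "ops" user, and the treatment of a line whose login list is none as an unauthenticated session are all assumptions of the model, not statements about a particular IOS release.

```python
"""Constructed model of IOS-style AAA authorization method lists (added example,
not IOS code): a method list such as "group tacacs+ if-authenticated" is walked
by trying the next method only on ERROR and stopping on PASS or FAIL, so the
'none' and 'if-authenticated' fallbacks can be compared offline."""
from enum import Enum


class Result(Enum):
    PASS = "PASS"
    FAIL = "FAIL"    # the method answered and denied: list processing stops
    ERROR = "ERROR"  # the method could not answer: try the next method


class Session:
    """One login; 'authenticated' records whether a login method actually
    verified the user (assumed False for a line whose login list is 'none')."""

    def __init__(self, user, authenticated):
        self.user = user
        self.authenticated = authenticated


class Tacacs:
    """Toy TACACS+ server with a constructed per-user command allowlist ('*' = any)."""

    def __init__(self, reachable, policy):
        self.reachable = reachable
        self.policy = policy   # user -> set of permitted command words
        self.queries = 0       # round trips the device made to this server

    def authorize(self, session, service, cmd):
        if not self.reachable:
            return Result.ERROR   # no reply: fall through to the next method
        self.queries += 1
        allowed = self.policy.get(session.user, set())
        if service == "exec":
            return Result.PASS if allowed else Result.FAIL
        return Result.PASS if "*" in allowed or cmd.split()[0] in allowed else Result.FAIL


# Assumed local database: username -> configured privilege level. Following the
# debugs in the thread, 'local' exec authorization is modelled as failing when
# the local user carries no authorization attributes (None).
LOCAL_USERS = {"admin": None, "ops": 15}


def method_local(session, service, cmd):
    return Result.PASS if LOCAL_USERS.get(session.user) is not None else Result.FAIL


def method_if_authenticated(session, service, cmd):
    # Grants only to a session that was actually authenticated.
    return Result.PASS if session.authenticated else Result.FAIL


def method_none(session, service, cmd):
    # No authorization is performed at all: always grants.
    return Result.PASS


def authorize(methods, session, service, cmd=None):
    """Walk the list: ERROR -> next method, PASS/FAIL -> done. Returns (result, method)."""
    for name, fn in methods:
        r = fn(session, service, cmd)
        if r is Result.ERROR:
            continue
        return r.value, name
    return Result.FAIL.value, "NOT_SET"   # the debugs' "no methods left to try"


def run(spec, tacacs_up, authenticated, user="admin", cmds=("show run", "conf t")):
    """Exec authorization followed by per-command authorization for each cmd.
    Returns (exec_result, exec_method, [per-command results], server_round_trips)."""
    tacacs = Tacacs(tacacs_up, {"admin": {"*"}, "ops": {"show"}})
    table = {"group tacacs+": tacacs.authorize, "local": method_local,
             "if-authenticated": method_if_authenticated, "none": method_none}
    methods = [(name, table[name]) for name in spec]
    session = Session(user, authenticated)
    exec_res, exec_by = authorize(methods, session, "exec")
    cmd_res = [authorize(methods, session, "commands", c)[0] for c in cmds]
    return exec_res, exec_by, cmd_res, tacacs.queries


if __name__ == "__main__":
    # TACACS+ down, locally authenticated 'admin': the three fallbacks in the thread.
    for tail in ("local", "if-authenticated", "none"):
        print(f"tacacs+ {tail:17} server down, authenticated -> {run(['group tacacs+', tail], False, True)}")
    # Where 'none' and 'if-authenticated' diverge: a session nobody authenticated.
    for tail in ("if-authenticated", "none"):
        print(f"tacacs+ {tail:17} server down, unauthenticated -> {run(['group tacacs+', tail], False, False)}")
    # Server reachable: the fallback keyword is never consulted and every exec and
    # command decision is a round trip to the server, whichever fallback is configured.
    print("server up, admin ->", run(["group tacacs+", "if-authenticated"], True, True))
    print("server up, ops   ->", run(["group tacacs+", "none"], True, True, user="ops"))
```

The model makes two things visible that the thread argues about in prose. With the server down and an authenticated user, if-authenticated and none both grant, and local fails for a user without attributes, matching the two debug traces. With the server up, the fallback keyword is never reached, so "group tacacs+ if-authenticated" and "group tacacs+ none" cost exactly the same number of round trips; only "none" (or "if-authenticated") on its own, with no server method in front of it, avoids the per-command query the last reply describes.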