Re: aaa authorization (last method)

From: Bob Sinclair (bsin@cox.net)
Date: Mon Nov 03 2003 - 19:53:46 GMT-3


Dmitry,

Most of the docs do indicate that "if-authenticated" should normally be the
last method: either you are authenticated and therefore permitted, or you
are not authenticated and the method fails - failing a method does not allow
you to try other methods. Adding the "none" option appears to be a
fail-safe in the case of a down or unreachable server. See the link below:

http://www.cisco.com/en/US/partner/netsol/ns341/ns396/ns7/ns18/networking_solutions_design_guide_chapter09186a00800f48eb.html#1009459

-Bob Sinclair
 CCIE #10427, CISSP, MCSE

----- Original Message -----
From: "Volkov Dmitry" <dmitry.volkov@rogers.com>
To: <security@groupstudy.com>
Cc: <ccielab@groupstudy.com>
Sent: Monday, November 03, 2003 10:36 AM
Subject: aaa authorization (last method)

> Does it make any sense to use both methods: "if-authenticated" and "none"
> within the same aaa authorization list?
> for ex : aaa authorization exec TEST group tacacs+ if-authenticated none
>
> from com ref:
> If-Authenticated: The user is allowed to access the requested function
> provided the user has been authenticated successfully.
> None: The network access server does not request authorization information;
> authorization is not performed over this line/interface.
>
> Is it possible: to be not authenticated (for any reasons) and still request
> authorization ?
> AFAIK authorization happens after authentication (logically).
> What is the difference between using "if-authenticated" and "none" in
> this context ?
>
> Thanks,
> Dmitry
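As an added illustration (not part of either message above), the following small Python model walks an IOS-style authorization method list the way Bob describes: only a method that cannot answer (an unreachable TACACS+ server) hands evaluation to the next method, while an explicit failure ends the list. The method names match the thread; the context fields, the scenario values, and the "all methods errored means deny" rule are assumptions of this model, not quoted IOS behaviour.

```python
# Added example, not from the original thread: a simplified model of how an
# IOS AAA authorization method list is evaluated. Each method returns PASS,
# FAIL or ERROR. Only ERROR (e.g. the TACACS+ server is unreachable) moves
# evaluation to the next method; FAIL stops the list immediately.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def method_result(method, ctx):
    """Outcome of a single method for a user context.

    ctx keys are constructed for this example:
      server_up      - TACACS+ server reachable
      server_permits - server's authorization answer when reachable
      authenticated  - the user passed login authentication
    """
    if method == "group tacacs+":
        if not ctx["server_up"]:
            return ERROR            # no answer at all -> try the next method
        return PASS if ctx["server_permits"] else FAIL
    if method == "if-authenticated":
        return PASS if ctx["authenticated"] else FAIL
    if method == "none":
        return PASS                 # no authorization is performed at all
    raise ValueError(f"unknown method {method!r}")


def authorize(method_list, ctx):
    """Walk the list in order; return (outcome, method that decided it)."""
    for method in method_list:
        result = method_result(method, ctx)
        if result != ERROR:
            return result, method
    # Assumption of this model: if every method errored, deny by default.
    return FAIL, None


# The list from the question, and the shorter variant for comparison.
TEST_LIST = ["group tacacs+", "if-authenticated", "none"]
TACACS_THEN_NONE = ["group tacacs+", "none"]

if __name__ == "__main__":
    # Constructed scenario: TACACS+ down, user never authenticated.
    server_down = {"server_up": False, "server_permits": False, "authenticated": False}
    # With if-authenticated in front, "none" is never consulted: FAIL stops the list.
    print(authorize(TEST_LIST, server_down))       # ('FAIL', 'if-authenticated')
    # With only "none" as the fallback, an outage grants authorization to everyone.
    print(authorize(TACACS_THEN_NONE, server_down)) # ('PASS', 'none')
```

The difference in the last two lines is the security point of the thread: "none" as the sole fallback turns a server outage into unconditional authorization, whereas "if-authenticated" ahead of it ensures an unauthenticated user is denied before "none" can ever be reached.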



This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:07 GMT-3