From: Volkov Dmitry (dmitry.volkov@rogers.com)
Date: Mon Nov 03 2003 - 20:10:30 GMT-3
Bob,
I read it before but didn't get clarity...
It appears to me both last-resort methods "none" and "if-authenticated" are
the same when they are used as the last one in the authorization process.
I don't get the difference.
Can you be not authenticated and still proceed to authorization?
Thanks,
Dmitry
> -----Original Message-----
> From: Bob Sinclair [mailto:bsin@cox.net]
> Sent: Monday, November 03, 2003 5:54 PM
> To: Volkov Dmitry; security@groupstudy.com
> Cc: ccielab@groupstudy.com
> Subject: Re: aaa authorization (last method)
>
>
> Dmitry,
>
> Most of the docs do indicate that "if-authenticated" should normally be the
> last method: either you are authenticated and therefore permitted, or you
> are not authenticated and the method fails - failing a method does not allow
> you to try other methods. Adding the "none" option appears to be a
> fail-safe in the case of a down or unreachable server. See the link below:
>
> http://www.cisco.com/en/US/partner/netsol/ns341/ns396/ns7/ns18/networking_solutions_design_guide_chapter09186a00800f48eb.html#1009459
>
>
> -Bob Sinclair
> CCIE #10427, CISSP, MCSE
>
> ----- Original Message -----
> From: "Volkov Dmitry" <dmitry.volkov@rogers.com>
> To: <security@groupstudy.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Monday, November 03, 2003 10:36 AM
> Subject: aaa authorization (last method)
>
>
> > Does it make any sense to use both methods: "if-authenticated" and "none"
> > within the same aaa authorization list.
> > for ex : aaa authorization exec TEST group tacacs+ if-authenticated none
> >
> > from com ref:
> > If-Authenticated: The user is allowed to access the requested function
> > provided the user has been authenticated successfully.
> > None: The network access server does not request authorization information;
> > authorization is not performed over this line/interface.
> >
> > Is it possible: to be not authenticated (for any reasons) and still request
> > authorization ?
> > AFAIK authorization happens after authentication (logically).
> > What is the difference to use "if-authenticated" comparing with "none" in
> > this context ?
> >
> > Thanks,
> > Dmitry
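
The fall-through rule described in the thread (a method that fails ends the list; only a method that cannot answer moves on to the next one), modelled as an added example that is not part of the original messages and is not Cisco code. The per-method outcomes, the session fields and the meaning given to `authenticated=False` are assumptions of this model, not IOS output.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"  # method could not answer, e.g. server unreachable

def run_method(method, session):
    """Outcome of a single method under this model's assumptions."""
    if method == "group tacacs+":
        if not session["server_reachable"]:
            return Result.ERROR
        return Result.PASS if session["server_permits"] else Result.FAIL
    if method == "if-authenticated":
        return Result.PASS if session["authenticated"] else Result.FAIL
    if method == "none":
        return Result.PASS  # authorization is not performed at all
    raise ValueError(f"unknown method: {method}")

def authorize(method_list, session):
    """Return (permitted, deciding_method); only ERROR tries the next method."""
    for method in method_list:
        result = run_method(method, session)
        if result is not Result.ERROR:
            return result is Result.PASS, method
    return False, None  # every method errored

def deciding_methods(method_list, sessions):
    """Set of methods that ever give the final answer across the sessions."""
    return {authorize(method_list, s)[1] for s in sessions}

# Constructed sessions: every combination of the three assumed inputs.
# authenticated=False stands for a session admitted without a successful
# login (assumption: e.g. the login method list itself ended in "none").
SESSIONS = [
    {"server_reachable": r, "server_permits": p, "authenticated": a}
    for r in (True, False) for p in (True, False) for a in (True, False)
]
THREAD_LIST = ["group tacacs+", "if-authenticated", "none"]  # list from the thread
NONE_LAST = ["group tacacs+", "none"]                        # "none" as last resort

if __name__ == "__main__":
    down_unauth = {"server_reachable": False, "server_permits": False,
                   "authenticated": False}
    print(authorize(THREAD_LIST, down_unauth))
    print(authorize(NONE_LAST, down_unauth))
    print(deciding_methods(THREAD_LIST, SESSIONS))
```

In this model the two last-resort methods differ only for a session that was never authenticated while the server is unreachable, and a `none` placed after `if-authenticated` never gives the final answer.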
This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:07 GMT-3