From: Bob Sinclair (bsin@cox.net)
Date: Mon Nov 03 2003 - 20:32:14 GMT-3
Dmitry,
It seems to me that in order to pass the "if-authenticated" method, AAA
server needs to be reachable. What if you successfully authenticate and
then shut down the interface you would use to get to the AAA server? Would
you be able to no-shut it without the "none" fallback?
What if the AAA server is unreachable and you authenticate with a "none" or
"local" fallback? You would be "authenticated", but if the AAA server is
unreachable, will you be able to be authorized without the "none" fallback? I
don't think so, but we can lab it up.
HTH,
-Bob Sinclair
CCIE #10427, CISSP, MCSE
----- Original Message -----
From: "Volkov Dmitry" <dmitry.volkov@rogers.com>
To: "'Bob Sinclair'" <bsin@cox.net>; <security@groupstudy.com>
Cc: <ccielab@groupstudy.com>
Sent: Monday, November 03, 2003 6:10 PM
Subject: RE: aaa authorization (last method)
> Bob,
>
> I read it before but didn't get clarity...
> It appears to me both last resort methods "none" and "if-authenticated" are
> the same when they are used as the last one in the authorization process.
>
> I don't get the difference.
> Can you be not authenticated and still proceed to authorization?
>
>
> Thanks,
> Dmitry
>
> > -----Original Message-----
> > From: Bob Sinclair [mailto:bsin@cox.net]
> > Sent: Monday, November 03, 2003 5:54 PM
> > To: Volkov Dmitry; security@groupstudy.com
> > Cc: ccielab@groupstudy.com
> > Subject: Re: aaa authorization (last method)
> >
> >
> > Dmitry,
> >
> > Most of the docs do indicate that "if-authenticated" should normally be the
> > last method: either you are authenticated and therefore permitted, or you
> > are not authenticated and the method fails - failing a method does not allow
> > you to try other methods. Adding the "none" option appears to be a
> > fail-safe in the case of a down or unreachable server. See the link below:
> >
> > http://www.cisco.com/en/US/partner/netsol/ns341/ns396/ns7/ns18/networking_solutions_design_guide_chapter09186a00800f48eb.html#1009459
> >
> >
> > -Bob Sinclair
> > CCIE #10427, CISSP, MCSE
> >
> > ----- Original Message -----
> > From: "Volkov Dmitry" <dmitry.volkov@rogers.com>
> > To: <security@groupstudy.com>
> > Cc: <ccielab@groupstudy.com>
> > Sent: Monday, November 03, 2003 10:36 AM
> > Subject: aaa authorization (last method)
> >
> >
> > > Does it make any sense to use both methods "if-authenticated" and "none"
> > > within the same aaa authorization list?
> > > For example: aaa authorization exec TEST group tacacs+ if-authenticated none
> > >
> > > From com ref:
> > > If-Authenticated: The user is allowed to access the requested function
> > > provided the user has been authenticated successfully.
> > > None: The network access server does not request authorization information;
> > > authorization is not performed over this line/interface.
> > >
> > > Is it possible to be not authenticated (for any reason) and still request
> > > authorization?
> > > AFAIK authorization happens after authentication (logically).
> > > What is the difference between using "if-authenticated" and "none" in
> > > this context?
> > >
> > > Thanks,
> > > Dmitry
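To make the method-list ordering discussed in this thread concrete, here is an added toy model of authorization method-list evaluation; it is constructed for this page and is not code from the thread or from Cisco. It assumes the IOS rule that a method returning ERROR (server unreachable) lets the next method run while PASS or FAIL ends processing, and it treats "if-authenticated" as a local check of the session's authentication state; `Session`, `authorize` and the two list names are constructed for the example.

```python
# Toy model of AAA authorization method-list evaluation (constructed example).
# Assumed rule: ERROR (server unreachable) falls through to the next method;
# PASS or FAIL ends processing. "if-authenticated" is modelled as a local check.
from dataclasses import dataclass

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Session:
    authenticated: bool            # did an authentication method succeed?
    tacacs_reachable: bool         # can the router reach the AAA server?
    tacacs_allows_exec: bool = True  # what the server would answer if asked


def run_method(method: str, s: Session) -> str:
    """Result of a single method for this session."""
    if method == "group tacacs+":
        if not s.tacacs_reachable:
            return ERROR                      # no answer: not a deny
        return PASS if s.tacacs_allows_exec else FAIL
    if method == "if-authenticated":
        return PASS if s.authenticated else FAIL
    if method == "none":
        return PASS                           # no authorization performed
    raise ValueError(f"unknown method {method!r}")


def authorize(methods: list[str], s: Session) -> tuple[bool, list[str]]:
    """Walk the list in order; return (authorized, trace of method=result)."""
    trace = []
    for m in methods:
        r = run_method(m, s)
        trace.append(f"{m}={r}")
        if r == PASS:
            return True, trace
        if r == FAIL:
            return False, trace   # FAIL stops: later methods are never tried
        # ERROR: fall through to the next method
    return False, trace           # every method errored; nothing granted


LIST_IFAUTH = ["group tacacs+", "if-authenticated"]
LIST_IFAUTH_NONE = ["group tacacs+", "if-authenticated", "none"]

if __name__ == "__main__":
    server_down = [Session(True, False), Session(False, False)]
    for name, lst in (("if-authenticated", LIST_IFAUTH),
                      ("if-authenticated none", LIST_IFAUTH_NONE)):
        for s in server_down:
            ok, trace = authorize(lst, s)
            print(f"{name:22} authenticated={s.authenticated!s:5} -> {ok} {trace}")
```

Under these assumptions the trace shows where each list stops: an authenticated session with the server down is permitted by "if-authenticated" before "none" is ever consulted, and an unauthenticated one is denied at "if-authenticated", so a trailing "none" is only reached when every method before it returned ERROR.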
This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:07 GMT-3