RE: aaa authorization (last method)

From: Fabrice Bobes (study@6colabs.com)
Date: Tue Nov 04 2003 - 03:12:42 GMT-3


Hi Guys,

I just tested a scenario like yours and noticed different results based
on the IOS version I was testing on (12.2.19 and 12.2.15T7).
The result I got on the T release was much in line with what I was
expecting:

For Example:
aaa new-model
aaa authentication login default group radius none
aaa authorization exec default group radius if-authenticated none
radius-server host 133.1.50.100 key cisco

1) 12.2.15T7 and 12.2.19. The Radius server is reachable and user2 is
not defined on the Radius server: an access-reject is received and
authentication fails. The method "none" is never tested.

User2 telnets:
User Access Verification

Username: user2
Password:

% Authentication failed.

2) 12.2.15T7. This is where it gets interesting: the Radius server is
now not reachable, but user2 gets through. He is not authenticated
(the authentication method is none), but he gets authorized since "none"
is a valid method in the authorization list.

User Access Verification

Username: user2
Password:

R2>

With version 12.2.19, I get a different result: user2 is not authorized,
and the method "none" is not tested. The process stops at "if-authenticated"
and doesn't consider "none" as a backup method.
I get:
User Access Verification

Username: user2
Password:
% Backup authentication
% Authorization failed.

When debugging aaa authorization, I can see that "none" is not even
tested.
11:57:27: tty66 AAA/AUTHOR/EXEC (4095996851): send AV service=shell
11:57:27: tty66 AAA/AUTHOR/EXEC (4095996851): send AV cmd*
11:57:27: tty66 AAA/AUTHOR/EXEC (4095996851): found list "default"
11:57:27: tty66 AAA/AUTHOR/EXEC (4095996851): Method=radius (radius)
11:57:47: AAA/AUTHOR (4095996851): Post authorization status = ERROR
11:57:47: tty66 AAA/AUTHOR/EXEC (4095996851): Method=IF_AUTHEN
11:57:47: AAA/AUTHOR (4095996851): Post authorization status = FAIL
11:57:47: AAA/AUTHOR/EXEC: Authorization FAILED

Dmitry, I am not sure this replies to your initial question but as you
can see, there is a difference between if-authenticated and none at
least in the T release. "None" authorizes a user not authenticated.
"If-authenticated" authorizes a user as long as he was authenticated.

Thanks,

Fabrice Bobes
CCIE #8609 (R&S, Security)
http://www.6CoLabs.com
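The behaviour Fabrice describes above, as an added illustration that is not part of the original thread and is not Cisco IOS code: a small Python model of AAA method-list evaluation in which only an ERROR result (server unreachable) falls through to the next method, while PASS and FAIL end the list. The PASS/FAIL/ERROR codes, the RadiusServer class and the user database are constructed for the example; the t_release switch models the 12.2.15T7 behaviour only as observed in the post (an unauthenticated user falling through from "if-authenticated" to "none"), not as documented IOS behaviour.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "PASS"    # method granted access; list evaluation stops
    FAIL = "FAIL"    # method denied access; list evaluation stops
    ERROR = "ERROR"  # method could not decide (server unreachable); try next method


@dataclass
class Session:
    username: str
    authenticated: bool = False  # True only if a real method (not "none") passed


@dataclass
class RadiusServer:
    """Constructed stand-in for the RADIUS server in the post's config."""
    users: Dict[str, str]  # username -> password
    reachable: bool = True

    def authenticate(self, username: str, password: str) -> Result:
        if not self.reachable:
            return Result.ERROR  # request times out; next method is consulted
        if self.users.get(username) == password:
            return Result.PASS   # Access-Accept
        return Result.FAIL       # Access-Reject: list evaluation stops here

    def authorize(self, username: str) -> Result:
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if username in self.users else Result.FAIL


def run_list(methods: List[str], evaluate: Callable[[str], Result]) -> Tuple[Result, List[str]]:
    """Walk a method list: only ERROR falls through to the next method."""
    trace = []
    for method in methods:
        result = evaluate(method)
        trace.append(f"Method={method} -> {result.value}")
        if result is not Result.ERROR:
            return result, trace
    return Result.FAIL, trace  # every method errored out: treated as failure


def authen_method(method: str, server: RadiusServer, session: Session, password: str) -> Result:
    if method == "group radius":
        result = server.authenticate(session.username, password)
        if result is Result.PASS:
            session.authenticated = True
        return result
    if method == "none":
        return Result.PASS  # access granted, but nobody vouched for the user
    raise ValueError(method)


def author_method(method: str, server: RadiusServer, session: Session, t_release: bool) -> Result:
    if method == "group radius":
        return server.authorize(session.username)
    if method == "if-authenticated":
        if session.authenticated:
            return Result.PASS
        # 12.2.19 (per the debug in the post): a definitive FAIL, so "none" never runs.
        # 12.2.15T7 (per the post's observation): the next method is consulted instead.
        return Result.ERROR if t_release else Result.FAIL
    if method == "none":
        return Result.PASS
    raise ValueError(method)


def login(server: RadiusServer, username: str, password: str, t_release: bool = False):
    """Return the message the user would see plus the method-by-method trace."""
    authen_list = ["group radius", "none"]                      # aaa authentication login default ...
    author_list = ["group radius", "if-authenticated", "none"]  # aaa authorization exec default ...
    session = Session(username)
    result, trace = run_list(authen_list, lambda m: authen_method(m, server, session, password))
    if result is not Result.PASS:
        return "% Authentication failed.", trace
    result, author_trace = run_list(author_list, lambda m: author_method(m, server, session, t_release))
    trace += author_trace
    if result is not Result.PASS:
        return "% Authorization failed.", trace
    return "R2>", trace


if __name__ == "__main__":
    db = {"user1": "cisco"}  # constructed: user2 is deliberately absent, as in the post
    for reachable in (True, False):
        for t_release in (False, True):
            outcome, trace = login(RadiusServer(db, reachable=reachable), "user2", "x", t_release)
            print(f"reachable={reachable} t_release={t_release}: {outcome}")
            for line in trace:
                print("   ", line)
```

With the server reachable, user2 is rejected at authentication in both models and authorization is never reached. With the server unreachable, authentication succeeds via "none" but leaves the session unauthenticated, so "if-authenticated" cannot pass: the model then either stops with an authorization failure (12.2.19) or falls through to "none" (12.2.15T7 as observed). Note that the same model locks out a valid user1 while the server is down unless "none" is reached, which is the fail-safe role Bob attributes to it.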

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Volkov Dmitry
Sent: Monday, November 03, 2003 3:56 PM
To: 'Bob Sinclair'
Cc: security@groupstudy.com; ccielab@groupstudy.com
Subject: RE: aaa authorization (last method)

Bob, see inline

> -----Original Message-----
> From: Bob Sinclair [mailto:bsin@cox.net]
> Sent: Monday, November 03, 2003 6:32 PM
> To: dmitry.volkov@rogers.com; security@groupstudy.com
> Cc: ccielab@groupstudy.com
> Subject: Re: aaa authorization (last method)
>
>
> Dmitry,
>
> It seems to me that in order to pass the "if-authenticated"
> method, the AAA
> server needs to be reachable.

Why?? You are ALREADY authenticated, and "if-authenticated" will allow you to
be authorized.

> What if you successfully
> authenticate and
> then shut down the interface you would use to get to the AAA
> server? Would
> you be able to no-shut it without the "none" fallback?

Why not, since you have already been authenticated.

>
> What if the AAA server is unreachable and you authenticate
> with a "none" or
> "local" fallback. You would be "authenticated" but if the
> AAA server is
> unreachable, will you be able to be authorized without the "none"
> fallback? I

Sure, as soon as the condition "to be authenticated" is valid/completed, you
will
get exec, network services or commands.

> don't think so, but we can lab it up.
>
> HTH,
>
> -Bob Sinclair
> CCIE #10427, CISSP, MCSE
>
> ----- Original Message -----
> From: "Volkov Dmitry" <dmitry.volkov@rogers.com>
> To: "'Bob Sinclair'" <bsin@cox.net>; <security@groupstudy.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Monday, November 03, 2003 6:10 PM
> Subject: RE: aaa authorization (last method)
>
>
> > Bob,
> >
> > I read it before but didn't get clarity...
> > It appears to me both last resort methods "none" and
> "if-authenticated"
> are
> > the same when they used as last one in authorization process.
> >
> > I don't get the difference.
> > Can You be not authenticated and still proceed authorization ?
> >
> >
> > Thanks,
> > Dmitry
> >
> > > -----Original Message-----
> > > From: Bob Sinclair [mailto:bsin@cox.net]
> > > Sent: Monday, November 03, 2003 5:54 PM
> > > To: Volkov Dmitry; security@groupstudy.com
> > > Cc: ccielab@groupstudy.com
> > > Subject: Re: aaa authorization (last method)
> > >
> > >
> > > Dmitry,
> > >
> > > Most of the docs do indicate that "if-authenticated" should
> > > normally be the
> > > last method: either you are authenticated and therefore
> > > permitted, or you
> > > are not authenticated and the method fails - failing a method
> > > does not allow
> > > you to try other methods. Adding the "none" option
> appears to be a
> > > fail-safe in the case of a down or unreachable server. See
> > > the link below:
> > >
> > > http://www.cisco.com/en/US/partner/netsol/ns341/ns396/ns7/ns18/networking_solutions_design_guide_chapter09186a00800f48eb.html#1009459
> > >
> > >
> > > -Bob Sinclair
> > > CCIE #10427, CISSP, MCSE
> > >
> > > ----- Original Message -----
> > > From: "Volkov Dmitry" <dmitry.volkov@rogers.com>
> > > To: <security@groupstudy.com>
> > > Cc: <ccielab@groupstudy.com>
> > > Sent: Monday, November 03, 2003 10:36 AM
> > > Subject: aaa authorization (last method)
> > >
> > >
> > > > Does it make any sense to use both methods:
> > > "if-authenticated" and "none"
> > > > within the same aaa authorization list.
> > > > for ex : aaa authorization exec TEST group tacacs+
> > > if-authenticated none
> > > >
> > > > from com ref:
> > > > If-Authenticated: The user is allowed to access the
> > > requested function
> > > > provided the user has been authenticated successfully.
> > > > None: The network access server does not request
> > > authorization information;
> > > > authorization is not performed over this line/interface.
> > > >
> > > > Is it possible: to be not authenticated (for any
> reasons) and still
> > > request
> > > > authorization ?
> > > > AFAIK authorization happens after authentication (logically).
> > > > What is the difference to use "if-authenticated" comparing
> > > with "none" in
> > > > this context ?
> > > >
> > > > Thanks,
> > > > Dmitry



This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:08 GMT-3