From: Szabo, Vilmos (VS183600@exchange.UnitedKingdom.NCR.COM)
Date: Tue Nov 04 2003 - 09:23:03 GMT-3
Fabrice & Dmitry,
I can image a situation when the authentication and authorization are
carried out on two different AAA servers. Some config like this:
aaa new-model
!
aaa group server tacacs authen-server
server 192.168.1.1
aaa group server tacacs author-server
server 192.168.1.2
!
aaa authentication login default group authen-server none
aaa authorization exec default group author-server if-authenticated none
!
tacacs-server host 192.168.1.1 key cisco
tacacs-server host 192.168.1.2 key cisco
!
So if user can authenticate himself and first authorization method
(192.168.1.2) fails then the second method will be tried and because user is
already authenticated therefore get authorization.
However when the authentication does not work (for example 192.168.1.1 is
down) then the 'none' method will be the actual authentication method and
consequently the same for authorization method.
I wanted to test my theory, but I was not too lucky with my IOS 12.3 version
because somehow the debug aaa authentication/authorization does not give the
same abundant information that would be enough as it was with earlier
versions like IOS 12.2. I tried different platforms and version in IOS 12.3,
but the same result, I mean I receive two lines :-(
... and with IOS 12.2 the debug works well giving adequate information, but
the problem is the same as Fabrice spotted with 12.2(9)
So until I could not prove my thought, but if YOU can then it is most
welcomed.
Best regards,
Vilmos
-----Original Message-----
From: Fabrice Bobes [mailto:study@6colabs.com]
Sent: 04 November 2003 06:13
To: 'Volkov Dmitry'; 'Bob Sinclair'
Cc: security@groupstudy.com; ccielab@groupstudy.com
Subject: RE: aaa authorization (last method)
Hi Guys,
I just tested a scenario like yours and noticed different results based
on the IOS version I was testing on (12.2.19 and 12.2.15T7).
The result I got on the T release was much in line with what I was
expecting:
For Example:
Aaa new-model
aaa authentication login default group radius none
aaa authorization exec default group radius if-authenticated none
radius-server host 133.1.50.100 key cisco
1) 12.2.15T7 and 12.2.19. The Radius server is reachable and user2 is
not defined on the Radius server, an access-reject is received and
authentication fails. The method "none" is never tested.
User2 telnets:
User Access Verification
Username: user2
Password:
% Authentication failed.
2) 12.2.15T7. It's where it's getting interesting, the Radius server is
now not reachable but user2 gets through: he is not authenticated
(authentication method is none) but he gets authorized since "none" is a
valid method in the authorization list.
User Access Verification
Username: user2
Password:
R2>
With version 12.2.19, I get a different result, user2 is not authorized,
the method "none" is not tested. The process stops at "if-authenticated"
and doesn't consider "none" as a backup method.
I get:
User Access Verification
Username: user2
Password:
% Backup authentication
% Authorization failed.
When debugging aaa authorization, I can see that "none" is not even
tested.
11:57:27: tty66 AAA/AUTHOR/EXEC (4095996851): send AV service=shell
11:57:27: tty66 AAA/AUTHOR/EXEC (4095996851): send AV cmd*
11:57:27: tty66 AAA/AUTHOR/EXEC (4095996851): found list "default"
11:57:27: tty66 AAA/AUTHOR/EXEC (4095996851): Method=radius (radius)
11:57:47: AAA/AUTHOR (4095996851): Post authorization status = ERROR
11:57:47: tty66 AAA/AUTHOR/EXEC (4095996851): Method=IF_AUTHEN
11:57:47: AAA/AUTHOR (4095996851): Post authorization status = FAIL
11:57:47: AAA/AUTHOR/EXEC: Authorization FAILED
Dmitry, I am not sure this replies to your initial question but as you
can see, there is a difference between if-authenticated and none at
least in the T release. "None" authorizes a user not authenticated.
"If-authenticated" authorizes a user as long as he was authenticated.
Thanks,
Fabrice Bobes
CCIE #8609 (R&S, Security)
http://www.6CoLabs.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Volkov Dmitry
Sent: Monday, November 03, 2003 3:56 PM
To: 'Bob Sinclair'
Cc: security@groupstudy.com; ccielab@groupstudy.com
Subject: RE: aaa authorization (last method)
Bob, see inline
> -----Original Message-----
> From: Bob Sinclair [mailto:bsin@cox.net]
> Sent: Monday, November 03, 2003 6:32 PM
> To: dmitry.volkov@rogers.com; security@groupstudy.com
> Cc: ccielab@groupstudy.com
> Subject: Re: aaa authorization (last method)
>
>
> Dmitry,
>
> It seems to me that in order to pass the "if-authenticated"
> method, AAA
> server needs to be reachable.
Why ?? You ALREADY authenticated and "if-authenticated" will allow to
authorize .
> What if you successfully
> authenticate and
> then shut down the interface you would use to get to the AAA
> server? Would
> you be able to no-shut it without the "none" fallback?
Why not - since You already have been authenticated.
>
> What if the AAA server is unreachable and you authenticate
> with a "none" or
> "local" fallback. You would be "authenticated" but if the
> AAA server is
> unreachable, will you be able authorized without the "none"
> fallback? I
Sure, as soon as condition "to be authenticated" is valid/completed You
will
get exec, netw services or commands