Re: aaa authorization if-authenticated

From: marc abel <marcabel_at_gmail.com>
Date: Thu, 20 Sep 2012 23:16:21 -0500

The command "if-authenticated" isn't telling it to check the user to see
what level it is authorized for; it is simply saying that if they are
authenticated, then they are authorized. It is giving the authorization
level 1 by default. You can change this by using

aaa authorization commands 7 default if-authenticated

but now all users that are authenticated are authorized as level 7; it
isn't going to check the local user. In your example it would check the
tacacs server first and assign whatever is assigned there, but once the
tacacs server can't be reached and the fallback "if-authenticated" kicks
in, all users are getting the same authorization.

-Marc

On Thu, Sep 20, 2012 at 10:56 PM, ccie99999 <ccie99999_at_gmail.com> wrote:

> hi guys,
>
> I'm working on AAA and it's not the first time I get stuck here.
>
> if I have a local user with privilege level 7 like this one:
>
> username cisco privilege 7 pass cisco
>
> why if I do authorize him with if-authenticated I only got privilege 1??
>
> aaa authentication login VTY group tacacs+ local
> aaa authorization exec VTY group tacacs+ if-authenticated
>
>
> line vty 0 4
> password line
> authorization exec VTY
> login authentication VTY
> transport input telnet
>
> telnet to R1:
>
> USER: admin
> PASSWORD:
> Rack1R1>
> Rack1R1>show priv
> Current privilege level is 1
>
> checking the aaa conf guide I find this:
>
> To allow users to have access to the functions they request as long as they
> have been authenticated, use the aaa authorization command with the
> if-authenticated method keyword. If this method is selected, all requested
> functions are automatically granted to authenticated users.
>
> then I don't understand..
>
> btw if I change the conf to local instead of if-authenticated I got
> privilege 7 as expected.
>
> thanks
>
>
> --
> @ccie99999
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Marc Abel
CCIE #35470
(Routing and Switching)
Received on Thu Sep 20 2012 - 23:16:21 ART
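An added illustration of the method-list behaviour Marc describes; this is not code from the thread or from Cisco, but a small Python model of how an IOS-style exec authorization list is walked. The model assumes three outcomes per method (PASS with a privilege level, FAIL, or ERROR when the server is unreachable), that the list moves to the next method only on ERROR, that `if-authenticated` grants a fixed default level of 1 without consulting the local user database, and that `local` returns the privilege configured on the username. The user names, privilege levels, `TacacsServer` class and reachability flags are all constructed for the example. Running both lists from the original question against an unreachable server reproduces the observation in the thread: `group tacacs+ if-authenticated` yields level 1 for everyone, while `group tacacs+ local` yields the locally configured level.

```python
"""Model of IOS-style AAA exec authorization method lists (illustration only).

Assumptions of the model (not verified against IOS internals):
  * a method returns PASS (with a privilege level), FAIL, or ERROR;
  * the list falls through to the next method only on ERROR;
  * 'if-authenticated' grants DEFAULT_EXEC_PRIV to any authenticated user;
  * 'local' returns the privilege configured on the username;
  * if every method returns ERROR the request is treated as FAIL.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
DEFAULT_EXEC_PRIV = 1  # assumed default level granted by if-authenticated

# Constructed local user database: username -> privilege level
# (mirrors "username cisco privilege 7 ..." from the question).
LOCAL_USERS: Dict[str, int] = {"cisco": 7, "admin": 1}


@dataclass
class TacacsServer:
    """Constructed stand-in for 'group tacacs+'."""
    reachable: bool
    priv_lvl: Dict[str, int]  # constructed per-user priv-lvl attributes

    def authorize_exec(self, user: str) -> Tuple[str, Optional[int]]:
        if not self.reachable:
            return ERROR, None          # server down -> list falls through
        if user in self.priv_lvl:
            return PASS, self.priv_lvl[user]
        return FAIL, None               # server reachable but denies


def run_method(method: str, user: str, tacacs: TacacsServer) -> Tuple[str, Optional[int]]:
    """Evaluate a single method keyword for an already-authenticated user."""
    if method == "group tacacs+":
        return tacacs.authorize_exec(user)
    if method == "if-authenticated":
        # Does not look at LOCAL_USERS at all: authenticated == authorized.
        return PASS, DEFAULT_EXEC_PRIV
    if method == "local":
        if user in LOCAL_USERS:
            return PASS, LOCAL_USERS[user]
        return FAIL, None
    raise ValueError(f"unknown method keyword: {method}")


def authorize_exec(method_list, user: str, tacacs: TacacsServer) -> Tuple[str, Optional[int]]:
    """Walk the method list; stop at the first PASS or FAIL."""
    for method in method_list:
        result, priv = run_method(method, user, tacacs)
        if result != ERROR:
            return result, priv
    return FAIL, None  # every method errored


def levels_granted(method_list, tacacs: TacacsServer) -> Dict[str, Optional[int]]:
    """Privilege level each local user ends up with under a given list."""
    return {u: authorize_exec(method_list, u, tacacs)[1] for u in LOCAL_USERS}


if __name__ == "__main__":
    down = TacacsServer(reachable=False, priv_lvl={})
    up = TacacsServer(reachable=True, priv_lvl={"cisco": 15})
    # The two lists from the question, with the TACACS+ server unreachable.
    print(levels_granted(["group tacacs+", "if-authenticated"], down))  # every user -> 1
    print(levels_granted(["group tacacs+", "local"], down))             # cisco -> 7, admin -> 1
    # With the server reachable its attribute wins and the fallback is never consulted.
    print(authorize_exec(["group tacacs+", "if-authenticated"], "cisco", up))
```

The `levels_granted` helper makes the review point concrete: under the first list with the server down, every authenticated account collapses to the same level, whereas `local` preserves the per-user levels an administrator configured.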