thanks Marc,
it's clear now.
expected question now: is there a way to authorize local users (if
tacacs/radius fail) with their own privilege level?
I suppose not, right?
On Fri, Sep 21, 2012 at 4:16 AM, marc abel <marcabel_at_gmail.com> wrote:
> the command "if-authenticated" isn't telling it to check the user to see
> what level it is authorized, it is simply saying if they are authenticated,
> then they are authorized. It is giving the authorization level 1 by
> default. You can change this by using
>
> aaa authorization commands 7 default if-authenticated
>
> but now all users that are authenticated are authorized as level 7, it
> isn't going to check the local user. In your example it would check the
> tacacs server first and assign whatever is assigned there, but once the
> tacacs server can't be reached and the fall back "if-authenticated" kicks
> in, all users are getting the same authorization.
>
>
> -Marc
>
> On Thu, Sep 20, 2012 at 10:56 PM, ccie99999 <ccie99999_at_gmail.com> wrote:
>
>> hi guys,
>>
>> I'm working on AAA and it's not the first time I get stuck here.
>>
>> if I have a local user with privilege level 7 like this one:
>>
>> username cisco privilege 7 pass cisco
>>
>> why, if I authorize him with if-authenticated, do I only get privilege 1??
>>
>> aaa authentication login VTY group tacacs+ local
>> aaa authorization exec VTY group tacacs+ if-authenticated
>>
>>
>> line vty 0 4
>> password line
>> authorization exec VTY
>> login authentication VTY
>> transport input telnet
>>
>> telnet to R1:
>>
>> USER: admin
>> PASSWORD:
>> Rack1R1>
>> Rack1R1>show priv
>> Current privilege level is 1
>>
>> checking the aaa conf guide I find this:
>>
>> To allow users to have access to the functions they request as long as they
>> have been authenticated, use the aaa authorization command with the
>> if-authenticated method keyword. If this method is selected, all requested
>> functions are automatically granted to authenticated users.
>>
>> then I don't understand...
>>
>> btw, if I change the conf to local instead of if-authenticated, I get
>> privilege 7 as expected.
>>
>> thanks
>>
>>
>> --
>> @ccie99999
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>
> --
> Marc Abel
> CCIE #35470
> (Routing and Switching)
>
--
@ccie99999

Received on Fri Sep 21 2012 - 04:32:46 ART
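Marc's explanation of the method list, as an added example that is not part of the thread and not Cisco code: a small Python model of how an IOS-style `aaa authorization exec` list is walked, showing why `if-authenticated` hands every user the default level 1 once the TACACS+ server is unreachable while `local` returns the user's own configured level. The user databases, the server stub and the PASS/FAIL/ERROR handling are constructed assumptions, not a description of any real device.

```python
# Model of an IOS-style AAA exec authorization method list (constructed example).
# Constructed local database, mirroring the thread's 'username cisco privilege 7 pass cisco'.
LOCAL_USERS = {"cisco": 7}
# Constructed TACACS+ privilege assignments, consulted only while the server is reachable.
TACACS_USERS = {"cisco": 15}
# What if-authenticated hands out: a fixed default, never the user's own level.
DEFAULT_PRIV = 1


def run_method(method, user, tacacs_reachable):
    """Evaluate one method. Returns ('PASS', priv), ('FAIL', None) or ('ERROR', None).

    ERROR means the method could not answer (server down) and the list moves on;
    FAIL is a definite denial and the list stops there. Unknown users are treated
    as FAIL here; that is a simplification of the model, not a statement about IOS.
    """
    if method == "group tacacs+":
        if not tacacs_reachable:
            return ("ERROR", None)          # unreachable server: fall through
        priv = TACACS_USERS.get(user)
        return ("PASS", priv) if priv is not None else ("FAIL", None)
    if method == "if-authenticated":
        return ("PASS", DEFAULT_PRIV)       # user's own privilege is never looked up
    if method == "local":
        priv = LOCAL_USERS.get(user)
        return ("PASS", priv) if priv is not None else ("FAIL", None)
    raise ValueError(f"unknown method {method!r}")


def authorize_exec(method_list, user, tacacs_reachable=True):
    """Walk the list like 'aaa authorization exec VTY <methods>'.

    Returns the granted privilege level, or None when exec authorization is denied
    (a FAIL from any method, or every method returning ERROR).
    """
    for method in method_list:
        status, priv = run_method(method, user, tacacs_reachable)
        if status == "PASS":
            return priv
        if status == "FAIL":
            return None
        # status == "ERROR": try the next method in the list
    return None


if __name__ == "__main__":
    original = ["group tacacs+", "if-authenticated"]   # the thread's first config
    with_local = ["group tacacs+", "local"]            # the change that gave level 7
    print(authorize_exec(original, "cisco", tacacs_reachable=False))    # 1
    print(authorize_exec(with_local, "cisco", tacacs_reachable=False))  # 7
    print(authorize_exec(with_local, "cisco", tacacs_reachable=True))   # 15
```

With the server reachable both lists return whatever TACACS+ assigned; the difference only appears on fallback, which is exactly the case the thread hit.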
This archive was generated by hypermail 2.2.0 : Mon Oct 01 2012 - 06:40:29 ART