OK Brian,
thanks a lot.
Then I don't understand why I should use "if-authenticated" in real life.
Anyway, it's fine with me.
Thanks for your help, guys!
On Fri, Sep 21, 2012 at 5:38 AM, Brian McGahan <bmcgahan_at_ine.com> wrote:
> Yes, but the user's login and privilege info must be local then, which
> kind of defeats the purpose of tacacs in the first place. Off the top of my
> head the syntax would be something like:
>
> aaa authentication login VTY group tacacs+ local
> aaa authorization exec VTY group tacacs+ local
> !
> line vty 0 4
> login authentication VTY
> authorization exec VTY
>
> This basically says that if the user tries to login and tacacs is down,
> get the password and privilege number locally.
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
> On Sep 20, 2012, at 11:33 PM, "ccie99999" <ccie99999_at_gmail.com> wrote:
>
> > thanks Marc,
> >
> > it's clear now.
> >
> > expected question now: is there a way to authorize local users (if
> > tacacs/radius fail) with their own privilege level?
> >
> > I suppose not, right?
> >
> >
> > On Fri, Sep 21, 2012 at 4:16 AM, marc abel <marcabel_at_gmail.com> wrote:
> >
> >> the command "if-authenticated" isn't telling it to check the user to see
> >> what level it is authorized; it is simply saying if they are authenticated,
> >> then they are authorized. It is giving the authorization level 1 by
> >> default. You can change this by using
> >>
> >> aaa authorization commands 7 default if-authenticated
> >>
> >> but now all users that are authenticated are authorized as level 7; it
> >> isn't going to check the local user. In your example it would check the
> >> tacacs server first and assign whatever is assigned there, but once the
> >> tacacs server can't be reached and the fallback "if-authenticated" kicks
> >> in, all users are getting the same authorization.
> >>
> >>
> >> -Marc
> >>
> >> On Thu, Sep 20, 2012 at 10:56 PM, ccie99999 <ccie99999_at_gmail.com> wrote:
> >>
> >>> hi guys,
> >>>
> >>> I'm working on AAA and it's not the first time I get stuck here.
> >>>
> >>> if I have a local user with privilege level 7 like this one:
> >>>
> >>> username cisco privilege 7 pass cisco
> >>>
> >>> why, if I authorize him with if-authenticated, do I only get privilege 1??
> >>>
> >>> aaa authentication login VTY group tacacs+ local
> >>> aaa authorization exec VTY group tacacs+ if-authenticated
> >>>
> >>>
> >>> line vty 0 4
> >>> password line
> >>> authorization exec VTY
> >>> login authentication VTY
> >>> transport input telnet
> >>>
> >>> telnet to R1:
> >>>
> >>> USER: admin
> >>> PASSWORD:
> >>> Rack1R1>
> >>> Rack1R1>show priv
> >>> Current privilege level is 1
> >>>
> >>> checking the aaa conf guide I find this:
> >>>
> >>> To allow users to have access to the functions they request as long as
> >>> they have been authenticated, use the aaa authorization command with the
> >>> if-authenticated method keyword. If this method is selected, all requested
> >>> functions are automatically granted to authenticated users.
> >>>
> >>> then I don't understand..
> >>>
> >>> btw if I change the conf to local instead of if-authenticated I get
> >>> privilege 7 as expected.
> >>>
> >>> thanks
> >>>
> >>>
> >>> --
> >>> @ccie99999
> >>>
> >>>
> >>> Blogs and organic groups at http://www.ccie.net
> >>>
> >>> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
> >>>
> >>
> >>
> >> --
> >> Marc Abel
> >> CCIE #35470
> >> (Routing and Switching)
> >>
> >>
> >
> >
> > --
> > @ccie99999
> >
> >
>
--
@ccie99999

Received on Fri Sep 21 2012 - 06:44:49 ART
This archive was generated by hypermail 2.2.0 : Mon Oct 01 2012 - 06:40:29 ART
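The behaviour the thread circles around (why `group tacacs+ if-authenticated` lands the local privilege-7 user at level 1 while `group tacacs+ local` gives 7) comes down to how IOS walks an AAA method list: a later method is consulted only when the earlier one returns an ERROR (server unreachable), never when it returns a FAIL, and `if-authenticated` never consults any user database at all. The Python below is an added model of that walk, written for this page; it is not IOS code and not from any poster. The local record mirrors the `username cisco privilege 7` line from the thread; the TACACS+ record (privilege 15), the reachable/unreachable switch, the default exec level of 1 and the "deny if every method errors" rule are constructed assumptions for the model.

```python
# Added example: a small Python model of how an IOS exec-authorization method
# list is walked. Not IOS code and not from the thread; the user records, the
# TACACS+ privilege of 15 and the reachable/unreachable switch are constructed.
from typing import Callable, Dict, Optional, Sequence

DEFAULT_EXEC_PRIVILEGE = 1  # level an authenticated exec gets when nothing sets priv-lvl (assumption)

# Constructed local database, mirroring "username cisco privilege 7 password cisco"
LOCAL_USERS: Dict[str, Dict[str, object]] = {
    "cisco": {"password": "cisco", "privilege": 7},
}
# Constructed TACACS+ database: what the server would hand back as priv-lvl
TACACS_USERS: Dict[str, Dict[str, object]] = {
    "cisco": {"password": "cisco", "privilege": 15},
}


class MethodError(Exception):
    """The method could not answer (server unreachable): IOS moves to the next method."""


# Each method returns a privilege level (PASS), None (FAIL: the method answered and
# denied, so the list stops), or raises MethodError (ERROR: try the next method).
def tacacs_exec(user: str, tacacs_reachable: bool) -> Optional[int]:
    if not tacacs_reachable:
        raise MethodError("tacacs+ server unreachable")
    rec = TACACS_USERS.get(user)
    return int(rec["privilege"]) if rec else None


def local_exec(user: str, tacacs_reachable: bool) -> Optional[int]:
    rec = LOCAL_USERS.get(user)
    return int(rec["privilege"]) if rec else None


def if_authenticated_exec(user: str, tacacs_reachable: bool) -> Optional[int]:
    # Consults no database: whoever got past authentication is authorized, and
    # since nothing assigns a privilege, the session lands at the default level.
    return DEFAULT_EXEC_PRIVILEGE


METHODS: Dict[str, Callable[[str, bool], Optional[int]]] = {
    "group tacacs+": tacacs_exec,
    "local": local_exec,
    "if-authenticated": if_authenticated_exec,
}


def exec_authorization(method_list: Sequence[str], user: str,
                       tacacs_reachable: bool) -> Optional[int]:
    """Walk the method list in order. Only ERROR falls through to the next method;
    a PASS or FAIL from any method is final. Model assumption: if every method
    errors out, the exec is denied (None)."""
    for name in method_list:
        try:
            return METHODS[name](user, tacacs_reachable)
        except MethodError:
            continue
    return None


if __name__ == "__main__":
    # The two method lists from the thread, with the TACACS+ server down.
    for methods in (["group tacacs+", "if-authenticated"], ["group tacacs+", "local"]):
        lvl = exec_authorization(methods, "cisco", tacacs_reachable=False)
        print(f"aaa authorization exec VTY {' '.join(methods)} -> privilege {lvl}")
```

Two things the model makes visible that the thread only states in passing: `local` is reached only when the TACACS+ server is unreachable, so a reachable server that denies the user is final and is not overridden by the local database; and `if-authenticated` returns the same level for every user, so it is a way to keep administrators in when the server is down, not a way to honour per-user privilege.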