Re: aaa authorization if-authenticated

From: marc abel <marcabel_at_gmail.com>
Date: Fri, 21 Sep 2012 07:08:51 -0500

One reason to use if-authenticated in real life is for a smaller shop that
doesn't have multiple authorization levels and uses RADIUS instead of
TACACS. In this case, if you didn't want a bunch of local accounts, you could
use if-authenticated as your primary authorization method with a local
fallback, and then just have a couple of local accounts in case RADIUS is down.

On Fri, Sep 21, 2012 at 1:44 AM, ccie99999 <ccie99999_at_gmail.com> wrote:

> OK Brian,
>
> thanks a lot.
>
> then I don't understand why I should use "if-authenticated" in real life.
>
> anyway it's fine with me.
>
> thanks for your help guys!
>
>
> On Fri, Sep 21, 2012 at 5:38 AM, Brian McGahan <bmcgahan_at_ine.com> wrote:
>
> > Yes, but the user's login and privilege info must be local then, which
> > kind of defeats the purpose of tacacs in the first place. Off the top of my
> > head the syntax would be something like:
> >
> > aaa authentication login VTY group tacacs local
> > aaa authorization exec VTY group tacacs local
> > !
> > line VTY 0 4
> > login authentication VTY
> > authorization exec VTY
> >
> > This basically says that if the user tries to login and tacacs is down,
> > get the password and privilege number locally.
> >
> > Brian McGahan, CCIE #8593 (R&S/SP/Security)
> > bmcgahan_at_INE.com
> >
> > Internetwork Expert, Inc.
> > http://www.INE.com
> >
> > On Sep 20, 2012, at 11:33 PM, "ccie99999" <ccie99999_at_gmail.com> wrote:
> >
> > > thanks Marc,
> > >
> > > it's clear now.
> > >
> > > expected question now: is there a way to authorize local users (if
> > > tacacs/radius fail) with their own privilege level?
> > >
> > > I suppose not, right?
> > >
> > >
> > > On Fri, Sep 21, 2012 at 4:16 AM, marc abel <marcabel_at_gmail.com> wrote:
> > >
> > >> the command "if-authenticated" isn't telling it to check the user to see
> > >> what level it is authorized for; it is simply saying that if they are
> > >> authenticated, then they are authorized. It is giving authorization
> > >> level 1 by default. You can change this by using
> > >>
> > >> aaa authorization commands 7 default if-authenticated
> > >>
> > >> but now all users that are authenticated are authorized as level 7; it
> > >> isn't going to check the local user. In your example it would check the
> > >> tacacs server first and assign whatever is assigned there, but once the
> > >> tacacs server can't be reached and the fallback "if-authenticated" kicks
> > >> in, all users are getting the same authorization.
> > >>
> > >>
> > >> -Marc
> > >>
> > >> On Thu, Sep 20, 2012 at 10:56 PM, ccie99999 <ccie99999_at_gmail.com> wrote:
> > >>
> > >>> hi guys,
> > >>>
> > >>> I'm working on AAA and it's not the first time I get stuck here.
> > >>>
> > >>> if I have a local user with privilege level 7 like this one:
> > >>>
> > >>> username cisco privilege 7 pass cisco
> > >>>
> > >>> why, if I authorize him with if-authenticated, do I only get privilege
> > >>> 1??
> > >>>
> > >>> aaa authentication login VTY group tacacs+ local
> > >>> aaa authorization exec VTY group tacacs+ if-authenticated
> > >>>
> > >>>
> > >>> line vty 0 4
> > >>> password line
> > >>> authorization exec VTY
> > >>> login authentication VTY
> > >>> transport input telnet
> > >>>
> > >>> telnet to R1:
> > >>>
> > >>> USER: admin
> > >>> PASSWORD:
> > >>> Rack1R1>
> > >>> Rack1R1>show priv
> > >>> Current privilege level is 1
> > >>>
> > >>> checking the aaa conf guide I find this:
> > >>>
> > >>> To allow users to have access to the functions they request as long as
> > >>> they have been authenticated, use the aaa authorization command with the
> > >>> if-authenticated method keyword. If this method is selected, all requested
> > >>> functions are automatically granted to authenticated users.
> > >>>
> > >>> then I don't understand..
> > >>>
> > >>> btw if I change the conf to local instead of if-authenticated I get
> > >>> privilege 7 as expected.
> > >>>
> > >>> thanks
> > >>>
> > >>>
> > >>> --
> > >>> @ccie99999
> > >>>
> > >>>
> > >>> Blogs and organic groups at http://www.ccie.net
> > >>>
> > >>>
> > >>> _______________________________________________________________________
> > >>> Subscription information may be found at:
> > >>> http://www.groupstudy.com/list/CCIELab.html
> > >>>
> > >>
> > >>
> > >> --
> > >> Marc Abel
> > >> CCIE #35470
> > >> (Routing and Switching)
> > >>
> > >>
> > >
> > >
> > > --
> > > @ccie99999
> > >
> >
>
>
>
> --
> @ccie99999
>

-- 
Marc Abel
CCIE #35470
(Routing and Switching)
Received on Fri Sep 21 2012 - 07:08:51 ART
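The whole thread turns on how an IOS method list falls through: a method is skipped only when it cannot be consulted (server unreachable), and `if-authenticated` always answers "granted" without attaching a privilege, so the session keeps the exec default of 1 and the local `username ... privilege 7` entry is never looked at. The following is an added toy model of that evaluation, not IOS code and not part of the original thread. The sample data is constructed: a local user `cisco` at privilege 7, a TACACS+ server that would assign privilege 15 to the same user, and the model assumes the user has already passed `aaa authentication login` and that a list in which every method errors results in a deny.

```python
"""Toy model of Cisco IOS AAA exec-authorization method-list evaluation.

Added illustration only (not IOS code). It reproduces the rule "move to the
next method only if the current one could not be consulted" to show why
`group tacacs+ if-authenticated` lands a privilege-7 local user at level 1
while `group tacacs+ local` gives level 7 once the TACACS+ server is down.
"""
from typing import Callable, Dict, List, Optional

# Constructed sample data (assumptions, not taken from the original post).
LOCAL_USERS: Dict[str, int] = {"cisco": 7}     # username cisco privilege 7 ...
TACACS_USERS: Dict[str, int] = {"cisco": 15}   # what the AAA server would return
EXEC_DEFAULT_PRIV = 1                          # exec level when no method sets one

# A method takes (user, server_up) and returns the assigned privilege,
# None for an explicit deny, or raises MethodUnavailable to fall through.
Method = Callable[[str, bool], Optional[int]]


class MethodUnavailable(Exception):
    """The method could not answer (e.g. server timed out): try the next one."""


def group_tacacs(user: str, server_up: bool) -> Optional[int]:
    """TACACS+ group: assigns the server's privilege; unknown user is a deny."""
    if not server_up:
        raise MethodUnavailable("tacacs+ server unreachable")
    return TACACS_USERS.get(user)


def local(user: str, server_up: bool) -> Optional[int]:
    """Local database: the user's own `privilege N`, deny if no such user."""
    return LOCAL_USERS.get(user)


def if_authenticated(user: str, server_up: bool) -> Optional[int]:
    """Grants every authenticated user but carries no attributes, so the exec
    session keeps the default level. It never consults the local database."""
    return EXEC_DEFAULT_PRIV


def authorize_exec(methods: List[Method], user: str, server_up: bool) -> Optional[int]:
    """Walk the method list in order. The first method that answers (grant or
    deny) decides; only MethodUnavailable moves on. All unavailable -> deny
    (the model's assumption for a list without `none`)."""
    for method in methods:
        try:
            return method(user, server_up)
        except MethodUnavailable:
            continue
    return None


def demo() -> Dict[str, Optional[int]]:
    """Run the two method lists from the thread with the server up and down."""
    scenarios = {
        "tacacs+ if-authenticated, server up":   ([group_tacacs, if_authenticated], True),
        "tacacs+ if-authenticated, server down": ([group_tacacs, if_authenticated], False),
        "tacacs+ local, server up":              ([group_tacacs, local], True),
        "tacacs+ local, server down":            ([group_tacacs, local], False),
    }
    return {name: authorize_exec(methods, "cisco", up)
            for name, (methods, up) in scenarios.items()}


if __name__ == "__main__":
    for name, priv in demo().items():
        print(f"{name:42s} -> privilege {priv if priv is not None else 'DENIED'}")
```

With the server reachable both lists give the TACACS+-assigned level (15 in this constructed data); with it down, the `if-authenticated` list returns the default of 1 for every user, and the `local` list returns the per-user level 7, or a deny for a name that has no local account.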