Re: aaa authorization if-authenticated

From: ccie99999 <ccie99999_at_gmail.com>
Date: Fri, 21 Sep 2012 19:24:31 +0000

OK,

Thanks Marc.

@ccie99999
On 21 Sep 2012 14:08, "marc abel" <marcabel_at_gmail.com> wrote:

> One reason to use if-authenticated in real life is for a smaller shop that
> doesn't have multiple authorization levels and uses radius instead of
> TACACS. In this case if you didn't want a bunch of local accounts you could
> use if-authenticated as your primary authorization method with a local fall
> back, and then just have a couple of local accounts in case radius is down.
>
> On Fri, Sep 21, 2012 at 1:44 AM, ccie99999 <ccie99999_at_gmail.com> wrote:
>
>> ok Brian,
>>
>> thanks a lot..
>>
>> then I don't understand why I should use "if-authenticated" in real life.
>>
>> anyway it's fine with me.
>>
>> thanks for your help guys!
>>
>>
>> On Fri, Sep 21, 2012 at 5:38 AM, Brian McGahan <bmcgahan_at_ine.com> wrote:
>>
>> > Yes, but the user's login and privilege info must be local then, which
>> > kind of defeats the purpose of tacacs in the first place. Off the top of my
>> > head the syntax would be something like:
>> >
>> > aaa authentication login VTY group tacacs local
>> > aaa authorization exec VTY group tacacs local
>> > !
>> > line VTY 0 4
>> > login authentication VTY
>> > authorization exec VTY
>> >
>> > This basically says that if the user tries to login and tacacs is down,
>> > get the password and privilege number locally.
>> >
>> > Brian McGahan, CCIE #8593 (R&S/SP/Security)
>> > bmcgahan_at_INE.com
>> >
>> > Internetwork Expert, Inc.
>> > http://www.INE.com
>> >
>> > On Sep 20, 2012, at 11:33 PM, "ccie99999" <ccie99999_at_gmail.com> wrote:
>> >
>> > > thanks Marc,
>> > >
>> > > it's clear now.
>> > >
>> > > expected question now: is there a way to authorize local users (if
>> > > tacacs/radius fail) with their own privilege level?
>> > >
>> > > I suppose not right ?
>> > >
>> > >
>> > > On Fri, Sep 21, 2012 at 4:16 AM, marc abel <marcabel_at_gmail.com> wrote:
>> > >
>> > >> the command "if-authenticated" isn't telling it to check the user to see
>> > >> what level it is authorized, it is simply saying if they are authenticated,
>> > >> then they are authorized. It is giving the authorization level 1 by
>> > >> default. You can change this by using
>> > >>
>> > >> aaa authorization commands 7 default if-authenticated
>> > >>
>> > >> but now all users that are authenticated are authorized as level 7, it
>> > >> isn't going to check the local user. In your example it would check the
>> > >> tacacs server first and assign whatever is assigned there, but once the
>> > >> tacacs server can't be reached and the fall back "if-authenticated" kicks
>> > >> in, all users are getting the same authorization.
>> > >>
>> > >>
>> > >> -Marc
>> > >>
>> > >> On Thu, Sep 20, 2012 at 10:56 PM, ccie99999 <ccie99999_at_gmail.com> wrote:
>> > >>
>> > >>> hi guys,
>> > >>>
>> > >>> I'm working on AAA and it's not the first time I get stuck here.
>> > >>>
>> > >>> if I have a local user with privilege level 7 like this one:
>> > >>>
>> > >>> username cisco privilege 7 pass cisco
>> > >>>
>> > >>> why, if I authorize him with if-authenticated, do I only get privilege 1??
>> > >>>
>> > >>> aaa authentication login VTY group tacacs+ local
>> > >>> aaa authorization exec VTY group tacacs+ if-authenticated
>> > >>>
>> > >>>
>> > >>> line vty 0 4
>> > >>> password line
>> > >>> authorization exec VTY
>> > >>> login authentication VTY
>> > >>> transport input telnet
>> > >>>
>> > >>> telnet to R1:
>> > >>>
>> > >>> USER: admin
>> > >>> PASSWORD:
>> > >>> Rack1R1>
>> > >>> Rack1R1>show priv
>> > >>> Current privilege level is 1
>> > >>>
>> > >>> checking the aaa conf guide I find this:
>> > >>>
>> > >>> To allow users to have access to the functions they request as long as
>> > >>> they have been authenticated, use the aaa authorization command with the
>> > >>> if-authenticated method keyword. If this method is selected, all requested
>> > >>> functions are automatically granted to authenticated users.
>> > >>>
>> > >>> then I don't understand..
>> > >>>
>> > >>> btw if I change the conf to local instead of if-authenticated I got
>> > >>> privilege 7 as expected.
>> > >>>
>> > >>> thanks
>> > >>>
>> > >>>
>> > >>> --
>> > >>> @ccie99999
>> > >>>
>> > >>>
>> > >>> Blogs and organic groups at http://www.ccie.net
>> > >>>
>> > >>> _______________________________________________________________________
>> > >>> Subscription information may be found at:
>> > >>> http://www.groupstudy.com/list/CCIELab.html
>> > >>>
>> > >>
>> > >>
>> > >> --
>> > >> Marc Abel
>> > >> CCIE #35470
>> > >> (Routing and Switching)
>> > >>
>> > >>
>> > >
>> > >
>> > > --
>> > > @ccie99999
>> > >
>> >
>>
>>
>>
>> --
>> @ccie99999
>>
>
>
> --
> Marc Abel
> CCIE #35470
> (Routing and Switching)

Received on Fri Sep 21 2012 - 19:24:31 ART

This archive was generated by hypermail 2.2.0 : Mon Oct 01 2012 - 06:40:29 ART
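The behaviour Marc and Brian describe in the thread above, modelled as an added example: this is not code from the thread, from Cisco, or from IOS itself, but a small Python model of how an `aaa authorization exec` method list is walked left to right. The TACACS+ stub, the local user table (mirroring `username cisco privilege 7`), the server-assigned privilege of 15 and the rule that an unreachable method (ERROR) falls through while an explicit reject (FAIL) ends evaluation are all assumptions of the model, chosen to show why `if-authenticated` collapses every fallback user to the line's default level 1 whereas `local` honours the configured privilege.

```python
"""Model of Cisco IOS AAA method-list fall-through for EXEC authorization.

Added illustration for this thread; it is not IOS code and not from any of
the posters. The fall-through rules, the TACACS+ stub, the user database and
the privilege values are constructed for the example:
  * methods run left to right; an unreachable method (ERROR) hands off to the
    next one, an explicit reject (FAIL) ends the evaluation;
  * 'if-authenticated' passes any authenticated user at the line's default
    EXEC privilege (1) without reading the local user database;
  * 'local' returns the privilege configured on the local username.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

LINE_DEFAULT_PRIV = 1  # EXEC level a VTY session starts at unless configured otherwise

# Constructed local user database, mirroring "username cisco privilege 7 pass cisco".
LOCAL_USERS: Dict[str, int] = {"cisco": 7}


@dataclass
class MethodResult:
    status: str                     # "PASS", "FAIL" or "ERROR"
    privilege: Optional[int] = None


class TacacsStub:
    """Stand-in for a TACACS+ server group; 'reachable' models the server being down."""

    def __init__(self, reachable: bool, users: Dict[str, int]) -> None:
        self.reachable = reachable
        self.users = users          # username -> privilege the server would assign

    def authorize_exec(self, username: str) -> MethodResult:
        if not self.reachable:
            return MethodResult("ERROR")                 # no answer: next method
        if username in self.users:
            return MethodResult("PASS", self.users[username])
        return MethodResult("FAIL")                      # server said no: stop here


def method_group_tacacs(username: str, authenticated: bool, tacacs: TacacsStub) -> MethodResult:
    return tacacs.authorize_exec(username)


def method_if_authenticated(username: str, authenticated: bool, tacacs: TacacsStub) -> MethodResult:
    # Only asks "did this session authenticate?"; the username is never looked up.
    if authenticated:
        return MethodResult("PASS", LINE_DEFAULT_PRIV)
    return MethodResult("FAIL")


def method_local(username: str, authenticated: bool, tacacs: TacacsStub) -> MethodResult:
    if username in LOCAL_USERS:
        return MethodResult("PASS", LOCAL_USERS[username])
    return MethodResult("FAIL")


METHODS: Dict[str, Callable[[str, bool, TacacsStub], MethodResult]] = {
    "group tacacs+": method_group_tacacs,
    "if-authenticated": method_if_authenticated,
    "local": method_local,
}


def authorize_exec(method_list: List[str], username: str, authenticated: bool,
                   tacacs: TacacsStub) -> Optional[int]:
    """Return the EXEC privilege granted by the method list, or None if denied."""
    for name in method_list:
        result = METHODS[name](username, authenticated, tacacs)
        if result.status == "PASS":
            return result.privilege
        if result.status == "FAIL":
            return None            # a definite reject is final; later methods are skipped
        # ERROR: method could not answer, fall through to the next one
    return None                    # every method errored: nothing granted


if __name__ == "__main__":
    down = TacacsStub(reachable=False, users={})
    up = TacacsStub(reachable=True, users={"cisco": 15})
    # The two method lists from the thread, evaluated with the TACACS+ server down.
    print("tacacs+ if-authenticated, server down:",
          authorize_exec(["group tacacs+", "if-authenticated"], "cisco", True, down))  # 1
    print("tacacs+ local, server down:",
          authorize_exec(["group tacacs+", "local"], "cisco", True, down))             # 7
    print("tacacs+ local, server up:",
          authorize_exec(["group tacacs+", "local"], "cisco", True, up))               # 15
```

Two points the model makes visible: with the server down, `group tacacs+ if-authenticated` hands the `cisco` user level 1 because the method never opens the local database, while `group tacacs+ local` returns the configured 7; and a server that is reachable but rejects the user ends evaluation with a denial, so the fallback method is only a safety net for the server being unreachable, not a second chance after a reject.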