Authorization if-authenticated

Hi,

Let's assume that we have configured:

aaa authorization exec default group tacacs+ local if-authenticated

If the TACACS+ server goes down and the user is already logged in will he then be able to run all commands even though he maybe was restricted by TACACS+ to configure only interfaces or such?

Could this then be used for privilege jumping by launching DoS against the TACACS+ server? Would require an account to start with but just thinking of the risks involved with if-authenticated.

Comments

  • Hey Daniel!

    Studying the context of this text here...

    http://fengnet.com/book/Cisco.IOS.Cookbook.2nd/I_0596527225_CHP_4_SECT_4.html

    ...I assume that once you are authenticated you are able to perform exec commands until you log out.

    BUT I have a Joker :D...got a test machine @ work where this is configured and I can forbid the machine to get access to the tacacs...

    I am back in a few minutes :D.

  • Ok got it!

    I logged into the machine and can do anything with priv 15.

    Here is the config:

    aaa new-model
    aaa authentication login METHOD group tacacs+ local
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting commands 15 default
    aaa session-id common

    On the neighboring router where all the traffic is routed for that machine I configured an ACL inbound that tacacs+ is not allowed.

    My running session was not affected because I had once been authenticated. The only thing I recognized was that the commands you enter take some time before they are accepted, but I think that is because the router tries to reach the tacacs server, then realizes that it fails and then lets the command go through.

    When I want to open a new ssh session and try to authenticate I cannot log into the machine!

    Then, to make things complete, I deconfigured the "if-authenticated" statements with the open session and voila! -> I could not enter any of the commands I could before!

    Is that ok for you or do you want CLI output from the machine?

    Regards!

  • Wow,

    Thanks for labbing it up. That is more than enough. It behaves as I expected. Yes, it always tries to contact TACACS+ first before letting the command through. I think this is something most of us routinely configure without really considering the consequences.

    If a person already has an account then there are probably multiple ways in anyway, but good info. Thanks Zool!

  • Ok got it!

    I ssh'd into the router. The AAA config is this:

    aaa new-model
    aaa authentication login METHOD group tacacs+ local
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting commands 15 default
    aaa session-id common

    The router gets its routes from an upstream router via OSPF. I configured an ACL on the upstream router (ingress) that forbids tacacs+.

    Within the already open session I could still enter all commands. The only thing I recognized was that the commands take some time to get accepted, but I think this is normal behaviour because the router tries to authorize the commands against the tacacs. Then it realizes that it's not working and lets the command succeed due to the "if-authenticated" statement.

    When I tried to start a new session I could not log in (of course, because the tacacs account did not work, as the tacacs+ is not reachable).

    To make things complete I removed the "if-authenticated" statements and voila! Then I could not enter any command, even with the already open session.

    Is that OK for you or do you want CLI output?

    Regards!

  • No prob. I am also a person who sometimes configures some things without REALLY knowing what it does; it costs a lot of brain to memorize everything :)

  • Hi Daniel,

    AAA is complex; you cannot just draw a conclusion on a scenario from one command. If we take into consideration the following template, we can logically decide what will happen:

    aaa new-model
    aaa authentication login METHOD group tacacs+ local
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting commands 15 default

    1. Enable AAA
    2. Ask VTY lines authentication on AAA by querying the declared global tacacs+ servers; if no answer, use the local user database; if there are no local users, the VTY lines cannot be accessed
    3. Enable exec and command authorization at the console (if these are further enabled with aaa commands, which in this case they are)
    4. Enable config mode command authorization
    5. Enable exec (known as # or privilege mode access) authorization by querying the declared global tacacs+ servers; if no answer, use the local user database (for the local user database, the user needs to have the necessary privilege level configured); however, if the tacacs+ server does not respond but the user has authenticated, allow exec access (this is what if-authenticated allows for)
    6. Enable command authorization, but only for commands which by default require privilege level 15, by querying the tacacs+ servers; if no answer but the user has been authenticated, authorize the command.

    If you remove the "if-authenticated" from "aaa authorization commands 15 default group tacacs+ if-authenticated", it means that ONLY when the tacacs servers are available and authorize the commands can the user type privilege level 15 commands.
    If you remove the "if-authenticated" from "aaa authorization exec default group tacacs+ local if-authenticated", it means that once the tacacs server is no longer available and a user was logged in, he needs to open a new session and authenticate using the local database in order to be allowed access in #.

    I agree that there are many features/commands available, and it is normal to forget some things, but with a good approach on learning, where you logically learn and understand things, you will be able to remember much more, maybe all of it :), for a long time!

    Good luck with your studies!

  • Thank you Cristian,

    That is a nice example. I'm a bit worried that I won't know all features in the lab but that is what the DOCCD is for right? I do want to have done most of the stuff at least once though. I'm focusing mostly on Vol1 right now but doing a Vol2 every other week. Do you think this is a good strategy? Towards the end I will do only Vol2 and 4 and mock labs.

  • Hi Daniel,

    First of all, be confident; it gives you 10% more chances to pass the exam! For not so important topics, you need to know at least the basic functionality and scope of the feature, so you understand from the task requirements when it is asked of you; for configuring it, you need to know where to quickly find it. When is your lab date? Yes, focus mainly on Volume 1; if you do not have time to do all the Volume 2 labs, pick a few with a lower difficulty level and a few with a higher difficulty level. Do not forget, most important, to do some Mock Labs; you can choose the Mock Lab, select number 4 and one other!

    Take whatever everyone is saying in here and see which approach fits you better. For Volume 4, the labs are ok, but it is more important, as I said in other posts, to take each technology and make notes on what makes it functional and what breaks it; it will help you a lot in the TS section!

    Good luck with your studies!

  • Thanks Cristian!

    My lab is at the end of February. I will definitely take a mock lab soon.

  • This must be the first clear explanation I found.

    To conclude:

    1) if-authenticated is an extension to the tacacs/radius method?

    2)aaa authentication exec default group tacacs local if-authenticated versus aaa authentication exec default group tacacs if-authenticated local

    For this I've done this experiment:

    aaa new-model
    username test priv 15 secret test
    aaa authentication login default local-case

    aaa authorization exec default if-authenticated
    > enable password required

    aaa authorization exec default if-authenticated local
    > enable password

    aaa authorization exec default local if-authenticated

    Apparently, the position of if-authenticated is important.

    If we want to achieve authorization in the following order

    1) by tacacs if alive

    2) by local username if tacacs was not alive at login time

    3) by if-authenticated if the tacacs was alive at the login phase, but became unreachable

    Thus aaa authentication exec default group tacacs local if-authenticated and not aaa authentication exec default group tacacs if-authenticated local.

    3) I'm not sure if the question of the TS has been answered.

    Say a user X is authenticated by a TACACS server with attribute priv-lev 1, for example. User X is authenticated while suddenly the TACACS servers become unreachable. Does this mean the user's privilege increases to level 15 (in combination with the if-authenticated keyword)?

    4) authorization method 'none': What does it mean?

    I tried an example where a person was locally authenticated with priv 15 but still had to give the enable password. Does it mean: do not authorize any level, use the default level of the line (con/vty)?

    Thank you
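
To make the method-list walk from Cristian's step-by-step and the ordering experiment in the last comment concrete, here is a small Python model added for this thread (it is not Cisco's code; the usernames and databases are constructed). It assumes that a `local` lookup for a user who is not in the local database is a hard failure, and that `if-authenticated` grants exec at the line default, privilege 1:

```python
# Model of how an IOS-style method list is walked for exec authorization.
# Illustrative only: written for this thread, not Cisco's implementation.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Result:
    status: str                 # "PASS", "FAIL" or "ERROR"
    priv: Optional[int] = None  # privilege level carried by a PASS

def parse_methods(spec):
    """'group tacacs+ local if-authenticated' -> ['group tacacs+', 'local', 'if-authenticated']"""
    toks, out, i = spec.split(), [], 0
    while i < len(toks):
        if toks[i] == "group":              # 'group <name>' is one method
            out.append("group " + toks[i + 1]); i += 2
        else:
            out.append(toks[i]); i += 1
    return out

def run_method(method, user, tacacs_up, tacacs_db, local_db):
    if method == "group tacacs+":
        if not tacacs_up:
            return Result("ERROR")          # no answer: try the next method
        return Result("PASS", tacacs_db[user]) if user in tacacs_db else Result("FAIL")
    if method == "local":
        # Assumption: a user missing from the local database is a hard FAIL.
        return Result("PASS", local_db[user]) if user in local_db else Result("FAIL")
    if method == "if-authenticated":
        # Succeeds for any logged-in user but carries no privilege attribute,
        # so the session lands at the line default (priv 1) and must 'enable';
        # this matches the "enable password required" observation above.
        return Result("PASS", 1)
    raise ValueError(f"unknown method {method!r}")

def authorize_exec(spec, user, tacacs_up, tacacs_db, local_db):
    """Privilege level granted to the exec session, or None if denied."""
    for method in parse_methods(spec):
        r = run_method(method, user, tacacs_up, tacacs_db, local_db)
        if r.status == "ERROR":
            continue                        # fall through to the next method
        return r.priv if r.status == "PASS" else None   # PASS/FAIL are final
    return None                             # every method errored: deny

# Constructed sample data: TACACS+ holds 'daniel' at priv 1; the router holds
# 'username test priv 15' locally, as in the experiment above.
TACACS_DB = {"daniel": 1}
LOCAL_DB = {"test": 15}
TACACS_LOCAL_IFAUTH = "group tacacs+ local if-authenticated"
TACACS_IFAUTH_LOCAL = "group tacacs+ if-authenticated local"
```

With `if-authenticated` ahead of `local`, the local privilege 15 is never consulted once TACACS+ stops answering, which is why that order still prompted for the enable password.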

     

     

     
