question about AAA

The way i understood, if i have this configured for example:

aaa authentication login VTY enable
aaa authentication enable default enable
aaa authorization exec VTY group tacacs+ 

line vty 0 4

 authorization exec VTY
 login authentication VTY

1) user tries to telnet and needs to provide just enable password to log in.

2) Since there is no privilege level configured on vty lines, the user enters user exec mode.

3) Now when user tries to enter priv exec mode, router asks for enable password again

4) If the authentication is right, sohuldn't authorization fail, since there is no tacacs+ available (assume its unreachable)? In my case it doesnt fail it just enters with privilage 15. Then whats the difference between

aaa authorization exec VTY group tacacs+ 

aaa authorization exec VTY group tacacs+  if-authenticated ?

 

can someone clear this up for me

Comments

  • Hello jkdrouter-

    Here is what I believe would happen, based on the sample configuration shown:

    User telnets to the router, and the router prompts for a password only, due to the method list VTY on the vty lines, that specifies the enable secret is used for telnet access.

    After the user provides the enable secret, the router would then have a problem.   To provide authorization for an exec session, we need to have a username to supply.   Because no username was required for the login to the vty line, the authorization for the exec shell would fail, and the user would experience something like this:


    R1#telnet 1.1.1.1

    Trying 1.1.1.1 ... Open

     

     

    User Access Verification

     

    Password: [enable secret supplied here]

    % Authorization failed.

     

    [Connection to 1.1.1.1 closed by foreign host]

    R1#

     

    If we remove the authorization list from the vty lines, then at least the user could log in.

     

    Does that help?

     

    Keith


  • yes, thank you.

    that if-authenticated got me confused a little.

Sign In or Register to comment.