I’m doing the security section of Vol1 right now and this is something I think people might have confused. Look at the following configuration:

! Scenario 1
aaa authentication login default group tacacs+ none
aaa authorization exec default none
!
line console 0
 privilege level 15

! Scenario 2
aaa authentication login default group tacacs+ none
aaa authorization exec default if-authenticated
!
line console 0
 privilege level 15

Assume that the TACACS+ servers are unavailable. What will be the result, and what is the difference between scenarios 1 and 2? Post your answer in the comments.

Quiz – AAA authorization

6 thoughts on “Quiz – AAA authorization”

  • December 18, 2011 at 11:46 pm

    Not got round to the security section yet but IIRC ‘if-authenticated’ means that if you have authenticated (TACACS/Radius) then you can continue to use commands without further authorisation.

    If the TACACS server is down both configs will let you get onto them because they will fail over to the ‘none’ option. Once you are logged in, however, you will hit a brick wall with Scenario 2 because you won’t have authenticated and therefore will not be allowed to execute any commands; Scenario 1, on the other hand, will let you do anything.

    Reply
    • December 19, 2011 at 12:53 am

      Spot on, David. Using the first configuration would allow someone to just log in and have their way 🙂 Something I really like with doing the labs is that you pick up small things and tricks that could be useful. You almost always learn something new. It also helps to solidify concepts like what ports different protocols use, how they behave, etc.

      Reply
      • December 19, 2011 at 1:19 am

        Yeah, you have those “why would anyone use this” scenarios that you would never see in a live environment.

        If there is ever a feature that is dug deep down in the DOC-CD that you’ve never used you better be ready for it to spring up in the lab 😛

        Reply
  • December 19, 2011 at 1:19 am

    No authorization without authentication.

    Reply
  • December 21, 2011 at 7:06 pm

    This was always my bane – Security and Redistribution. Gonna have to make sure I spend a lot of time on these two to get them mastered.

    Reply
    • December 21, 2011 at 8:55 pm

      Redistribution takes some time before you get it but then you get that Aha moment. Just need to keep practicing it. I did a redistribution scenario on the blog. Try it out and see if you like it 🙂 I’m doing the security labs now.

      Reply
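
An added example, not part of the original post or its comments: a small Python check that flags the `none` method in login authentication and exec authorization method lists, which is the fallback the quiz turns on. The function names, finding codes and the `LOCAL_FALLBACK` variant are assumptions made for illustration; the first two inputs are the quiz's own AAA lines.

```python
import re

# Constructed inputs: the quiz's two scenarios, plus a variant that falls
# back to the local user database instead of `none` (an assumption).
SCENARIO_1 = """\
aaa authentication login default group tacacs+ none
aaa authorization exec default none
"""
SCENARIO_2 = """\
aaa authentication login default group tacacs+ none
aaa authorization exec default if-authenticated
"""
LOCAL_FALLBACK = """\
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
"""

AAA_LINE = re.compile(r"^aaa (authentication|authorization) (\S+) (\S+) (.+)$")

def parse_methods(text):
    """Split a method string, keeping 'group <name>' together as one method."""
    tokens, methods = text.split(), []
    i = 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")  # a server group, even one named "none"
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods

def audit_aaa(config):
    """Return sorted finding codes for method lists that can end up at `none`."""
    findings = set()
    for line in config.splitlines():
        m = AAA_LINE.match(line.strip())
        if not m:
            continue
        kind, service, _list_name, rest = m.groups()
        if "none" not in parse_methods(rest):
            continue
        if kind == "authentication" and service == "login":
            findings.add("AUTHN_LOGIN_NONE")  # once `none` is reached, no credentials are asked for
        elif kind == "authorization" and service == "exec":
            findings.add("AUTHZ_EXEC_NONE")   # exec session granted with no authorization check
    return sorted(findings)

if __name__ == "__main__":
    for name, cfg in [("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2),
                      ("local fallback", LOCAL_FALLBACK)]:
        print(name, audit_aaa(cfg))
```

Scenario 1 raises both findings and Scenario 2 only the authentication one, which matches the difference discussed in the thread.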
