I’m doing the security section of Vol1 right now and this is something I think people might have confused. Look at the following configuration:
! Scenario 1
aaa authentication login default group tacacs+ none
aaa authorization exec default none
!
line console 0
 privilege level 15

! Scenario 2
aaa authentication login default group tacacs+ none
aaa authorization exec default if-authenticated
!
line console 0
 privilege level 15
Assume that the TACACS+ servers are unavailable. What will be the result, and what is the difference between Scenarios 1 and 2? Post your answer in the comments.
Quiz – AAA authorization
Not got round to the security section yet but IIRC ‘if-authenticated’ means that if you have authenticated (TACACS/Radius) then you can continue to use commands without further authorisation.
If the TACACS server is down both configs will let you get onto them because they will fail over to the ‘none’ option. Once you are logged in, however, you will hit a brick wall with Scenario 2 because you won’t have authenticated and therefore will not be allowed to execute any commands; Scenario 1, on the other hand, will let you do anything.
Spot on, David. Using the first configuration would allow someone to just log in and have their way 🙂 Something I really like with doing the labs is that you pick up small things and tricks that could be useful. You almost always learn something new. It also helps to solidify concepts like what ports different protocols use, how they behave, etc.
Yeah, you have those “why would anyone use this” scenarios that you would never see in a live environment.
If there is ever a feature that is dug deep down in the DOC-CD that you’ve never used you better be ready for it to spring up in the lab 😛
No authorization without authentication.
This was always my bane – Security and Redistribution. Gonna have to make sure I spend a lot of time on these two to get them mastered.
Redistribution takes some time before you get it but then you get that Aha moment. Just need to keep practicing it. I did a redistribution scenario on the blog. Try it out and see if you like it 🙂 I’m doing the security labs now.
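The method-list fallback discussed in the quiz and its answers above, modelled as an added example (not code from the post or from Cisco). It follows the answer given in the comments and assumes that every server group times out, that exec authorization is actually enforced on the line, and that any local-type method succeeds; the function names are hypothetical.

```python
import re

# Constructed inputs: the AAA lines from the two scenarios in the post.
SCENARIO_1 = """aaa authentication login default group tacacs+ none
aaa authorization exec default none"""
SCENARIO_2 = """aaa authentication login default group tacacs+ none
aaa authorization exec default if-authenticated"""

AAA_LINE = re.compile(r"^aaa (authentication|authorization) (\S+) (\S+) (.+)$")

def method_lists(config):
    """Map 'authentication login default' style keys to ordered method lists."""
    lists = {}
    for line in config.splitlines():
        m = AAA_LINE.match(line.strip())
        if not m:
            continue
        tokens, methods = m.group(4).split(), []
        while tokens:
            tok = tokens.pop(0)
            # "group <name>" is a single method written as two tokens.
            if tok == "group" and tokens:
                tok = "group " + tokens.pop(0)
            methods.append(tok)
        lists[" ".join(m.group(1, 2, 3))] = methods
    return lists

def first_reachable(methods):
    """First method that needs no AAA server; None if the list has only groups."""
    return next((m for m in methods if not m.startswith("group ")), None)

def outcome_when_servers_down(config):
    """Model login and exec authorization with every server group unreachable."""
    lists = method_lists(config)
    authn = first_reachable(lists.get("authentication login default", []))
    login = authn is not None                  # assumes local-type methods succeed
    authenticated = login and authn != "none"  # "none" checks no credentials
    authz_list = lists.get("authorization exec default")
    if authz_list is None:                     # no exec authorization configured
        exec_ok = login
    else:
        authz = first_reachable(authz_list)
        if authz == "if-authenticated":
            exec_ok = authenticated            # granted only to authenticated users
        else:
            exec_ok = login and authz is not None
    return {"login": login, "authenticated": authenticated, "exec": exec_ok}
```

Running `outcome_when_servers_down` over a device's AAA lines shows whether a `none` fallback leaves a path to an exec session with no credentials checked.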