topic Re: What is the difference between authorisation if-authenticate in Network Access Control

What is the difference between authorisation if-authenticated and none

ipotts — Fri, 21 Feb 2020 18:04:54 GMT

Hello,

I am working on a AAA configuration, and can't determine the practical difference between authorisation none and authorisation if-authenticated.

I realise the obvious difference, that if TACACS is down, with none there is no authorisation if none is used; and if TACACS is down authorisation will allow all commands if if-authenticated is used.

However, since you must always be authenticated, before authorisation commences, in practical terms, there is no difference that I can see between if-authenticated and none? Can anyone please explain if there is a practical difference between them.

#####################Authorisation if-authenticated#############

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

#####################Authorisation none##################

aaa authorization exec default group tacacs+ none

aaa authorization commands 1 default group tacacs+ none

aaa authorization commands 15 default group tacacs+ none

Many Thanks

Ian Potts

Re: What is the difference between authorisation if-authenticate

bwalchez — Thu, 07 Nov 2002 16:29:06 GMT

If you want to configure a setup where a user is allowed access to the requested function, if they have been authenticated previously, use the if-authenticated method keyword. With this method in place, authenticated users are allowed access to all requested function.

There may be instances where you might not want to run authorization from a particular interface or line. To disable authorization for all actions associated with a particular type of authentication, use the none method keyword. The network access server does not request authorization information and authorization is not performed over this line/interface

You could also refer to the document on Configuring Authorization available at the URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt1/scathor.htm

Re: What is the difference between authorisation if-authenticate

ipotts — Thu, 07 Nov 2002 16:46:22 GMT

Thank you for your reply. I may not have explained by question clearly. I have read the CCO documentation multiple times, but it does not answer my question.

My question is basically that a user is always authenticated. Therefore using authorization methods of none or if-authenticated are identical.

Re: What is the difference between authorisation if-authenticate

4brown — Thu, 07 Nov 2002 17:29:23 GMT

One use I can think of is where you have both AAA and local configured for exec or command authorization. Let's say TACACS+ in the following manner:

aaa new-model

aaa authentication login default tacacs+ local

aaa authorization exec default tacacs+ if-authenticated

username admin password

If you had this configuration without the "if-authenticated" statement and the connection to the TAC+ server goes down or you receive an ERROR in communicating with it such as a mismatched key, then it goes to local for authentication. If you did not want to use local authorization and want it to succeed exec authorization for this local account, then the "if-authenticated" statement would be needed.

Check out the debugs with:

aaa new-model

aaa authentication login default tacacs+ local

aaa authorization exec default tacacs+ local

AND the TAC+ server is down

6d21h: AAA/AUTHOR/EXEC (4150549846): Port='tty2' list='' service=EXEC

6d21h: AAA/AUTHOR/EXEC: (4150549846) user='admin'

6d21h: AAA/AUTHOR/EXEC: (4150549846) send AV service=shell

6d21h: AAA/AUTHOR/EXEC: (4150549846) send AV cmd*

6d21h: AAA/AUTHOR/EXEC (4150549846) found list "default"

6d21h: AAA/AUTHOR/EXEC: (4150549846) Method=TACACS+

6d21h: AAA/AUTHOR/TAC+: (4150549846): user=admin

6d21h: AAA/AUTHOR/TAC+: (4150549846): send AV service=shell

6d21h: AAA/AUTHOR/TAC+: (4150549846): send AV cmd*

core7200-4#

6d21h: AAA/AUTHOR (4150549846): Post authorization status = ERROR

6d21h: AAA/AUTHOR/EXEC: (4150549846) Method=NOT_SET

6d21h: AAA/AUTHOR/EXEC: (4150549846) no methods left to try

6d21h: AAA/AUTHOR (4150549846): Post authorization status = FAIL

6d21h: AAA/AUTHOR/EXEC: Authorization FAILED

NOTE, Post authorization fails because there is no method set for EXEC for the local user. Now, put in "if-authenticated" and test again:

aaa new-model

aaa authentication login default tacacs+ local

aaa authorization exec default tacacs+ if-authenticated

6d22h: AAA/AUTHOR/EXEC (2893174055): Port='tty2' list='' service=EXEC

6d22h: AAA/AUTHOR/EXEC: (2893174055) user='admin'

6d22h: AAA/AUTHOR/EXEC: (2893174055) send AV service=shell

6d22h: AAA/AUTHOR/EXEC: (2893174055) send AV cmd*

6d22h: AAA/AUTHOR/EXEC (2893174055) found list "default"

6d22h: AAA/AUTHOR/EXEC: (2893174055) Method=TACACS+

6d22h: AAA/AUTHOR/TAC+: (2893174055): user=admin

6d22h: AAA/AUTHOR/TAC+: (2893174055): send AV service=shell

6d22h: AAA/AUTHOR/TAC+: (2893174055): send AV cmd*

6d22h: AAA/AUTHOR (2893174055): Post authorization status = ERROR

6d22h: AAA/AUTHOR/EXEC: (2893174055) Method=IF_AUTHEN

6d22h: AAA/AUTHOR (2893174055): Post authorization status = PASS_ADD

6d22h: AAA/AUTHOR/EXEC: Authorization successful

Note, the Post authorization passes because of IF_AUTHEN.

See the behavior?

Hope this helps.

Re: What is the difference between authorisation if-authenticate

ipotts — Fri, 08 Nov 2002 11:24:58 GMT

Hi,

Thanks very much for your detailed work. I can see the difference in your traces but my real interest is in the different behaviour between if-authenticated and none, not if-authenticated and local. Since all users are authenticated, there appears to me, no difference between an authorization method of none, and one of if-authenticated.

Many Thanks

Ian

What is the difference between authorisation if-authenticated an

networkguy13111 — Wed, 08 May 2013 00:21:25 GMT

Hi Ian,

There is no much difference IMO as normally people will use "enable" as fallback authentication motheod, which means a user can always be authenticated when loss of Tacacs servers.

Actually I find on some IOS the devices doesn't support "none" keyword at all, while on some other IOS the "if-authenticated" doesn't work.

I think Cisco dev just screwed this by complicating the fallback methods.

Which can win the race: increasing bandwidth with new technologies VS QoS?

Re: What is the difference between authorisation if-authenticate

jpflory01 — Fri, 17 Sep 2021 16:58:55 GMT

authorization methods of none or if-authenticated ---

If you go "authorization none" you are basically stating that any person that authenticates has all privileges to do everything.

if you go if-authenticated, then you are allowed to have the privileges granted by authorization without checking the remote tacacs server for each command that you enter to see if its authorized.

if you go authoritzation methods group tacacs: then each command will be require an answer from the tacacs server as to whether or not the command is authorized to the user. This can actually create quite a noticeable lag on WAN links. Think about each command before executed has to be communicated with tacacs server and then responded to before the command will 'take" and then execute.

Therefore the if-authenticated go ahead an authorize at his login level is preferred, and

if you are not running a varied privledge level environment then authrorization method none becomes a very good option.