topic Hi,Please see the below in Network Access Control

AAA if-authenticated

Bram Van den Bosch — Mon, 11 Mar 2019 05:20:49 GMT

Dear community,

I try to get my head around the "if-authenticated" keyword at the end of the "aaa authorization exec" command.

My test config looks like this, and it does as expected:

username USER privilege 15 secret MYSECRET
aaa new-model
aaa authentication login default local

aaa authorization exec default local if-authenticated

aaa authorization exec default local

When loggin in with SSH, I get direcly in enable mode, as it should be.

However when using the following authorisation command, I enter in user exec mode instead of enable/privileged exec mode and need to provide the enable password:

aaa authorization exec default if-authenticated

I was expecting to end up in enable mode as well, since I should be authenticated? (hence I was able to log in).

Can someone clarify this?

Hi,Please see the below

Kanwaljeet Singh — Tue, 13 Jan 2015 15:27:55 GMT

Hi,

Please see the below thread for details:

https://supportforums.cisco.com/discussion/10781396/if-authenticated

Regards,

Kanwal

Note: Please mark answers if they are helpful.

To allow users to have access

mohanak — Fri, 16 Jan 2015 13:45:03 GMT

To allow users to have access to the functions they request as long as they have been authenticated, use the aaa authorization command with the if-authenticated method keyword. If you select this method, all requested functions are automatically granted to authenticated users.

The aaa authorization exec default group radius if-authenticated command configures the network access server to contact the RADIUS server to determine if users are permitted to start an EXEC shell when they log in. If an error occurs when the network access server contacts the RADIUS server, the fallback method is to permit the CLI to start, provided the user has been properly authenticated.

The RADIUS information returned may be used to specify an autocommand or a connection access list be applied to this connection.

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfathor.html

Re: AAA if-authenticated

mohammadyousri819 — Wed, 15 Mar 2023 04:25:39 GMT

You need to execute this command in the lines ( cty, aux, vty ).

In your case you used default which will build your command in every line (aux, vty), the console need to be configured with the global command aaa authorization console .

Go in every line (aux, vty, cty) and right the command authorization exec default so you can test if can access privilege

you can also use privilege level 15 in the line mode ( but this way is not recommended because it will make all your database be privilege 15 )