03-13-2008 05:05 PM - edited 03-10-2019 03:43 PM
Can someone explain these commands in detail?
aaa authentication enable default group ACS enable
aaa authorization exec default group ACS if-authenticated
03-14-2008 05:34 AM
---> aaa authentication enable default group ACS enable
The authentication request will first go to ACS, and if there is no reply from ACS, the device will fall back and ask for the enable password.
---> aaa authorization exec default group ACS if-authenticated
Again, the device will check the authorization status from ACS, and if there is no reply it will fall back to "if-authenticated" and let the user in on the condition that the user has been authenticated.
If you use 'if-authenticated', any authentication method (line, local, etc.) will allow for successful authorization. However, if the TACACS+ server goes down during a session, all authorization will fail until a new authentication occurs (log out and log back in). This allows for an extra security measure so that a user with low privileges cannot suddenly run any command if the AAA server goes down. They must have access to the backup authentication method.
Regards,
~JG
Do rate helpful posts
03-14-2008 06:36 PM
In the first command, does the request go to ACS on enable access and then fall back to the device enable password?
03-15-2008 07:27 AM
Aksher
Yes, in the first command, when the user enters the enable command the request first goes to ACS, and if ACS returns an "error" response or does not respond at all, then it will fall back to the device enable password (or enable secret).
HTH
Rick
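The fallback behaviour the two replies above describe, as an added Python model that is not code from this thread or from Cisco: it assumes each AAA method returns PASS, FAIL or ERROR, that a method list falls through to the next method only on ERROR (server unreachable or an error reply), never on an explicit FAIL, and it uses constructed account and secret values.

```python
from enum import Enum

# Constructed sample data: an ACS user database and the local enable secret.
ACCOUNTS = {"aksher": "acs-password"}
ENABLE_SECRET = "local-enable-secret"

class Result(Enum):
    PASS = "pass"
    FAIL = "fail"    # explicit reject: the method list stops here, no fallback
    ERROR = "error"  # server unreachable or error reply: the next method is tried

def run_method_list(methods, request):
    """Evaluate methods in order; stop on PASS or FAIL, fall through only on ERROR."""
    for method in methods:
        result = method(request)
        if result is not Result.ERROR:
            return result
    return Result.FAIL  # every method errored and no 'none' method is configured

def make_acs_method(reachable):
    """'group ACS': constructed TACACS+ check. ERROR when down, FAIL on a bad password."""
    def acs(request):
        if not reachable:
            return Result.ERROR
        return Result.PASS if ACCOUNTS.get(request["user"]) == request["password"] else Result.FAIL
    return acs

def enable_method(request):
    """'enable' keyword: compare against the local enable secret."""
    return Result.PASS if request["password"] == ENABLE_SECRET else Result.FAIL

def if_authenticated(request):
    """'if-authenticated': authorize any user who already authenticated, by any method."""
    return Result.PASS if request["authenticated"] else Result.FAIL

def authenticate_enable(user, password, acs_reachable):
    """aaa authentication enable default group ACS enable"""
    methods = [make_acs_method(acs_reachable), enable_method]
    return run_method_list(methods, {"user": user, "password": password})

def authorize_exec(user, authenticated, acs_reachable):
    """aaa authorization exec default group ACS if-authenticated"""
    def acs_authz(request):  # constructed ACS policy: only users it knows get an EXEC shell
        if not acs_reachable:
            return Result.ERROR
        return Result.PASS if request["user"] in ACCOUNTS else Result.FAIL
    return run_method_list([acs_authz, if_authenticated],
                           {"user": user, "authenticated": authenticated})
```

Note that with ACS reachable, a wrong password is an explicit FAIL and the enable secret is never consulted; the local secret only matters once ACS is unreachable.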
03-18-2008 10:53 AM
Thanks for the answer! Does it differ on firewalls? Say I have
aaa authentication telnet console ACS LOCAL
to login and
aaa authentication enable console ACS LOCAL
to enter into enable mode. Here I always enter into level 1 priv and then to level 15 after giving en/password, whereas in the previous one I can directly enter into priv 15 on the router. FYI, I have priv 15 defined on ACS for both.
03-18-2008 02:23 PM
Unfortunately that is not possible, as ASA does not support Exec Authorization.
Regards,
~JG
Do rate helpful posts