AAA if-authenticated

Dear community,

I am trying to get my head around the "if-authenticated" keyword at the end of the "aaa authorization exec" command.

My test config looks like this, and it does as expected:

username USER privilege 15 secret MYSECRET
aaa new-model
aaa authentication login default local

aaa authorization exec default local if-authenticated

OR

aaa authorization exec default local 

When logging in with SSH, I get directly into enable mode, as it should be.

However, when using the following authorisation command, I enter user exec mode instead of enable/privileged exec mode and need to provide the enable password:

aaa authorization exec default if-authenticated

I was expecting to end up in enable mode as well, since I should be authenticated (hence I was able to log in)?

 

Can someone clarify this?

3 Replies

Kanwaljeet Singh
Cisco Employee

Hi,

Please see the below thread for details:

https://supportforums.cisco.com/discussion/10781396/if-authenticated

Regards,

Kanwal

Note: Please mark answers if they are helpful.

mohanak
Cisco Employee

To allow users to have access to the functions they request as long as they have been authenticated, use the aaa authorization command with the if-authenticated method keyword. If you select this method, all requested functions are automatically granted to authenticated users.

The aaa authorization exec default group radius if-authenticated command configures the network access server to contact the RADIUS server to determine if users are permitted to start an EXEC shell when they log in. If an error occurs when the network access server contacts the RADIUS server, the fallback method is to permit the CLI to start, provided the user has been properly authenticated.

The RADIUS information returned may be used to specify an autocommand or a connection access list be applied to this connection.

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfathor.html

You need to execute this command on the lines (cty, aux, vty).

In your case you used default, which will build your command in every line (aux, vty); the console needs to be configured with the global command aaa authorization console.

Go into every line (aux, vty, cty) and write the command authorization exec default so you can test if you can access privilege.

You can also use privilege level 15 in the line mode (but this way is not recommended because it will make your whole database privilege 15).
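The behaviour the question describes, as a small added model (not part of this thread and not Cisco code): the methods in an "aaa authorization exec" list are tried in order, and only an ERROR (such as the unreachable RADIUS server in the quoted documentation) falls through to the next method. It assumes, as the observed landing in user exec mode suggests, that if-authenticated permits the shell but supplies no privilege level, while local returns the privilege from the username entry; LOCAL_USERS, the result strings and the RADIUS behaviour are constructed for illustration.

```python
# Constructed local user database (mirrors the thread's "username USER privilege 15")
LOCAL_USERS = {"USER": {"privilege": 15}}
DEFAULT_PRIVILEGE = 1  # line default when no method supplies a privilege level


def run_method(method, user, authenticated, radius_reachable):
    """Evaluate one method: ('pass', attrs), ('fail', None) or ('error', None)."""
    if method == "local":
        if user in LOCAL_USERS:
            # local db answers with the user's attributes, including privilege
            return "pass", dict(LOCAL_USERS[user])
        return "fail", None  # modelling simplification: unknown user denies
    if method == "if-authenticated":
        # assumption: grants the shell but carries no attributes at all
        return ("pass", {}) if authenticated else ("fail", None)
    if method == "group radius":
        if not radius_reachable:
            return "error", None  # server error: fall through to next method
        return "pass", {}  # constructed: server permits shell, sends no privilege
    raise ValueError(f"unknown method {method!r}")


def authorize_exec(method_list, user, authenticated=True, radius_reachable=True):
    """Walk the method list in order; only ERROR moves on to the next method.
    Returns (shell_granted, privilege_level)."""
    for method in method_list:
        result, attrs = run_method(method, user, authenticated, radius_reachable)
        if result == "error":
            continue
        if result == "fail":
            return False, None
        return True, attrs.get("privilege", DEFAULT_PRIVILEGE)
    return False, None  # every method errored: authorization denied


def thread_configs():
    """The three method lists from the question, evaluated for the user USER."""
    return {
        "local": authorize_exec(["local"], "USER"),
        "local if-authenticated": authorize_exec(["local", "if-authenticated"], "USER"),
        "if-authenticated": authorize_exec(["if-authenticated"], "USER"),
    }


if __name__ == "__main__":
    for cfg, (granted, priv) in thread_configs().items():
        print(f"aaa authorization exec default {cfg:<23} -> shell={granted} privilege={priv}")
```

With "local" first, the privilege 15 from the username entry is applied before if-authenticated is ever consulted; with if-authenticated alone the shell is granted but the session keeps the line default, which is why the enable password is still requested.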