01-13-2015 06:27 AM - edited 03-10-2019 10:20 PM
Dear community,
I'm trying to get my head around the "if-authenticated" keyword at the end of the "aaa authorization exec" command.
My test config looks like this, and it does as expected:
username USER privilege 15 secret MYSECRET
aaa new-model
aaa authentication login default local
aaa authorization exec default local if-authenticated
OR
aaa authorization exec default local
When logging in with SSH, I get directly into enable mode, as it should be.
However, when using the following authorisation command, I end up in user exec mode instead of enable/privileged exec mode and need to provide the enable password:
aaa authorization exec default if-authenticated
I was expecting to end up in enable mode as well, since I should be authenticated (hence I was able to log in)?
Can someone clarify this?
01-13-2015 07:27 AM
Hi,
Please see the below thread for details:
https://supportforums.cisco.com/discussion/10781396/if-authenticated
Regards,
Kanwal
Note: Please mark answers if they are helpful.
01-16-2015 05:45 AM
To allow users to have access to the functions they request as long as they have been authenticated, use the aaa authorization command with the if-authenticated method keyword. If you select this method, all requested functions are automatically granted to authenticated users.
The aaa authorization exec default group radius if-authenticated command configures the network access server to contact the RADIUS server to determine if users are permitted to start an EXEC shell when they log in. If an error occurs when the network access server contacts the RADIUS server, the fallback method is to permit the CLI to start, provided the user has been properly authenticated.
The RADIUS information returned may be used to specify an autocommand or a connection access list be applied to this connection.
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfathor.html
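As an added illustration (not code from this thread or from Cisco), a small Python model of how an exec authorization method list is walked: `local` returns the privilege stored with the username, `if-authenticated` only grants the EXEC shell and leaves the privilege at the line default, and a RADIUS error falls through to the next method. The return values of each method are this model's own simplification of IOS behaviour, chosen to reproduce what the question and the quoted documentation describe.

```python
# Constructed model of IOS 'aaa authorization exec' method-list evaluation.
# Not Cisco code: the method behaviours below are a simplification.

# Local database, as in 'username USER privilege 15 secret MYSECRET'.
LOCAL_USERS = {"USER": 15}
# Stand-in for a RADIUS server's reply (constructed sample data).
RADIUS_USERS = {"USER": 15}

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def method_local(user):
    """'local': look the user up and return the configured privilege."""
    if user in LOCAL_USERS:
        return PASS, LOCAL_USERS[user]
    return FAIL, None


def method_if_authenticated(user):
    """'if-authenticated': any authenticated user may start an EXEC shell,
    but no privilege level is supplied, so the line default applies."""
    return PASS, None


def method_group_radius(user, server_up=True):
    """'group radius': ERROR (not FAIL) when the server cannot be reached,
    which lets the method list fall through to the next method."""
    if not server_up:
        return ERROR, None
    if user in RADIUS_USERS:
        return PASS, RADIUS_USERS[user]
    return FAIL, None


def authorize_exec(methods, user, line_default_priv=1):
    """Walk the method list in order. ERROR moves on to the next method;
    PASS or FAIL ends the evaluation. Returns (authorized, privilege)."""
    for method in methods:
        result, priv = method(user)
        if result == ERROR:
            continue
        if result == FAIL:
            return False, None
        return True, line_default_priv if priv is None else priv
    return False, None  # every method errored: authorization fails


def prompt_after_login(methods, user):
    """'#' means privileged EXEC (15), '>' means user EXEC."""
    ok, priv = authorize_exec(methods, user)
    if not ok:
        return "authorization failed"
    return "Router#" if priv >= 15 else "Router>"
```

With `[method_local]` the model lands on `Router#`; with `[method_if_authenticated]` alone it lands on `Router>`, which is the behaviour the question reports.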
03-14-2023 09:25 PM
You need to execute this command in the lines (cty, aux, vty).
In your case you used default, which will build your command in every line (aux, vty); the console needs to be configured with the global command aaa authorization console.
Go into every line (aux, vty, cty) and write the command authorization exec default so you can test if you can access privilege.
You can also use privilege level 15 in line mode (but this way is not recommended because it will make your whole database privilege 15).