11-22-2009 09:02 PM - edited 03-10-2019 04:48 PM
11-23-2009 09:55 PM
Shahzad
1) If you configure user ID and password in the local database of the router it is possible to have the user go directly to enable mode (only entering the password one time). To do this you can configure the privilege level 15 as one of the parameters for the user. It might look something like user rick priv 15 password mypassword
If you do not configure user ID in the local database it is still possible to have a user go directly to enable mode by configuring the privilege level under line vty and under line console.
2) I think that there is some confusion about the if-authenticated. You are quite correct that a user cannot be authorized until they have been authenticated. But that is not the function of if-authenticated. Let me explain what it is for by discussing first what happens if you do not use if-authenticated. Let us assume that you are configuring a router and you configure something like this:
aaa authorization exec default group tacacs+
and let us assume that the other parts are configured correctly (including aaa authentication login) so that the router does communicate with the TACACS server. So when a user logs in on the router, then after the user is authenticated the router will send an authorization request to TACACS. Only if TACACS sends the authorization successful response will the user be allowed to start an EXEC session. So far that works as expected and the user is successful.
Now let us assume that something happens to the link between the router and the TACACS server and that the router cannot communicate with the TACACS server. Let us also assume that your aaa authentication login includes some backup method (perhaps the line password or perhaps, as in your suggestion, it is the enable password). So the user can be authenticated without the TACACS server. Now the user is authenticated and the router attempts to send the authorization request to the TACACS server. But the router cannot communicate with the TACACS server, so the user is not authorized. If the user is not authorized, then the login is not successful.
Now let us assume that you have configured the authorization like this:
aaa authorization exec default group tacacs+ if-authenticated
(this is the same as before with the if-authenticated added). Now in the case where the router cannot communicate with the TACACS server, the router will authenticate the user and then the router will say the user is authorized (because he was previously authenticated) and the user login is successful.
This is the main purpose and advantage of if-authenticated in the authorization command.
HTH
Rick
11-24-2009 02:26 AM
Hi Rick,
Thank you very much for your time and detailed reply.
1) I made the following configuration on the router (GNS3), but it is not logging in directly to enable mode:
11-24-2009 09:01 AM
Shahzad
I am not sure why it is not logging directly into enable mode. I wonder if there is something about GNS3?
The config that you have posted will not communicate with TACACS. So your question 2) makes little sense. With the config that you posted the router will authorize anything that the user attempts to do.
HTH
Rick
11-24-2009 02:16 PM
Thanks Rick,
Thank you very much for your reply.
1) It is working now with the following configuration.
05-08-2023 05:23 PM
Actually, this is a pretty common issue, and very poorly documented. I would explain this as follows:
The command 'username user7 privilege 7 password pass7' can be seen as two separate commands:
1st Command for authentication: username user7 password pass7
2nd Command for authorization: username user7 privilege 7
To enforce authentication, you need to use the 'aaa authentication' command. Similarly, to enforce authorization, you need to use the 'aaa authorization' command.
If you do not enter the 'aaa authorization' command, all local users, regardless of their configured priv levels, start off with priv 1. You can verify this using the IOS-XE 'show priv' command. It is only after 'aaa authorization' is configured that the priv levels configured for local users start to take effect.
Thus, the config should look something like the following:
aaa new-model
aaa authentication login default local
aaa authorization exec default local !--- This is the missing bit in your config
aaa authorization console
HTH
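The two behaviours discussed in this thread (Rick's point that 'if-authenticated' lets EXEC authorization succeed when the TACACS server is unreachable, and the later answer that local privilege levels only take effect once 'aaa authorization exec' is configured) can be seen side by side in a small model of how a method list is walked. This is an added example, not Cisco code and not from any post above: the method keywords mirror the IOS commands quoted in the thread, but the evaluation logic, the Router/Tacacs classes, the usernames, passwords and privilege levels are all constructed here for illustration, and the privilege level granted by 'if-authenticated' is assumed to be the line's default.

```python
"""Simplified model of an IOS-style AAA login/authorization method list.

Added example: it follows the behaviour described in the thread, not the
real IOS implementation. Names, users and passwords are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UserEntry = Tuple[str, int]  # (password, privilege level)


@dataclass
class Tacacs:
    reachable: bool
    users: Dict[str, UserEntry]  # constructed server-side user database


@dataclass
class Router:
    local_users: Dict[str, UserEntry]  # 'username X privilege N password P'
    enable_password: str
    authn_methods: List[str]           # 'aaa authentication login default ...'
    authz_methods: Optional[List[str]]  # None = no 'aaa authorization exec' at all
    tacacs: Tacacs
    line_privilege: int = 1            # 'privilege level N' under line vty/console


def authenticate(router: Router, user: str, password: str) -> bool:
    """Walk the login list: an unreachable server falls through to the next
    method, a definite reject stops the list, and exhausting it is a failure."""
    for method in router.authn_methods:
        if method == "group tacacs+":
            if not router.tacacs.reachable:
                continue  # server error: try the backup method
            entry = router.tacacs.users.get(user)
            return entry is not None and entry[0] == password
        if method == "local":
            entry = router.local_users.get(user)
            return entry is not None and entry[0] == password
        if method == "enable":
            return password == router.enable_password  # username is ignored
        if method == "none":
            return True
    return False


def authorize_exec(router: Router, user: str, authenticated: bool) -> Optional[int]:
    """Return the privilege the EXEC session starts at, or None when the
    login is refused at the authorization step."""
    if router.authz_methods is None:
        # No 'aaa authorization exec': nothing is checked and every session
        # starts at the line default, whatever the username line says.
        return router.line_privilege
    for method in router.authz_methods:
        if method == "group tacacs+":
            if not router.tacacs.reachable:
                continue  # server error: try the next method
            entry = router.tacacs.users.get(user)
            return entry[1] if entry else None
        if method == "local":
            entry = router.local_users.get(user)
            return entry[1] if entry else None
        if method == "if-authenticated":
            # Assumption of this model: succeed at the line default privilege.
            return router.line_privilege if authenticated else None
    return None  # every method errored out or rejected


def login(router: Router, user: str, password: str) -> str:
    if not authenticate(router, user, password):
        return "authentication failed"
    priv = authorize_exec(router, user, authenticated=True)
    if priv is None:
        return "authorization failed"
    return f"exec at privilege {priv}"


def scenarios() -> Dict[str, str]:
    """Constructed cases that reproduce the outcomes described in the thread."""
    server_users = {"rick": ("serverpass", 15)}
    local_users = {"user7": ("pass7", 15)}
    up = Tacacs(reachable=True, users=server_users)
    down = Tacacs(reachable=False, users=server_users)

    def router(authn, authz, tac):
        return Router(local_users, "enablepass", authn, authz, tac)

    return {
        "tacacs_up": login(router(["group tacacs+", "enable"], ["group tacacs+"], up), "rick", "serverpass"),
        "tacacs_down_no_if_auth": login(router(["group tacacs+", "enable"], ["group tacacs+"], down), "rick", "enablepass"),
        "tacacs_down_if_auth": login(router(["group tacacs+", "enable"], ["group tacacs+", "if-authenticated"], down), "rick", "enablepass"),
        "local_no_authz": login(router(["local"], None, down), "user7", "pass7"),
        "local_with_authz": login(router(["local"], ["local"], down), "user7", "pass7"),
        "bad_password": login(router(["local"], ["local"], down), "user7", "wrong"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24s} -> {result}")
```

The 'tacacs_down_no_if_auth' case is the failure Rick describes (the enable password authenticates, but authorization cannot be obtained), and 'local_no_authz' versus 'local_with_authz' is the privilege 1 versus privilege 15 difference from the 2023 answer.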