if-authenticated

Ahmed Shahzad
Level 1

I have two queries:

1. With the configuration given below:
aaa new-model
aaa authentication login default enable
aaa authentication enable default enable
Whenever a user logs in to the NAS, it has to enter the enable password twice, once for login and a second time for enable mode. What if I want the user to enter enable mode directly using the enable password or a local account?

2. What is the purpose of if-authenticated in aaa authorization methods. According to Cisco:

"The user is allowed to access the requested function, provided he has been  authenticated successfully."

What I believe that it is a default behavior that authorization would be given only if the user is already authenticated?

Thanks and Regards,
Shahzad.

5 Replies

Richard Burts
Hall of Fame

Shahzad

1) If you configure user ID and password in the local database of the router it is possible to have the user go directly to enable mode (only entering the password one time). To do this you can configure the privilege level 15 as one of the parameters for the user. It might look something like user rick priv 15 password mypassword

If you do not configure user ID in the local database it is still possible to have a user go directly to enable mode by configuring the privilege level under line vty and under line console.

2) I think that there is some confusion about the if-authenticated. You are quite correct that a user can not be authorized until they have been authenticated. But that is not the function of if-authenticated. Let me explain what it is for by discussing first what happens if you do not use if-authenticated. Let us assume that you are configuring a router and you configure something like this:

aaa authorization exec default group tacacs+

and let us assume that the other parts are configured correctly (including aaa authentication login) so that the router does communicate with the TACACS server. So when a user logs in on the router, then after the user is authenticated the router will send an authorization request to TACACS. Only if TACACS sends the authorization successful response will the user be allowed to start an EXEC session. So far that works as expected and the user is successful.

Now let us assume that something happens to the link between the router and the TACACS server and that the router can not communicate with the TACACS server. Let us also assume that your aaa authentication login includes some backup method (perhaps the line password or perhaps as in your suggestion it is the enable password). So the user can be authenticated without the TACACS server. Now the user is authenticated and the router attempts to send the authorization request to the TACACS server. But the router can not communicate with the TACACS server so the user is not authorized. If the user is not authorized then the login is not successful.

Now let us assume that you have configured the authorization like this:

aaa authorization exec default group tacacs+ if-authenticated

(this is the same as before with the if-authenticated added). Now in the case where the router can not communicate with the TACACS server the router will authenticate the user and then the router will say the user is authorized (because he was previously authenticated) and the user login is successful.

This is the main purpose and advantage of if-authenticated in the authorization command.

HTH

Rick

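To make the fallback rule in the explanation above concrete, here is an added Python model (not Cisco code and not from this thread) of how an IOS authorization method list is walked; the server states and user names are constructed. It also shows the caveat a practitioner should keep in mind: the walk moves to the next method only when the previous one returns an error (server unreachable), not when the server explicitly denies, so if-authenticated is a fallback for an unreachable server, not a way around a TACACS+ rejection.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method granted the request
    FAIL = "fail"    # the method explicitly denied it
    ERROR = "error"  # the method could not answer (server unreachable)


def tacacs_method(user, authenticated, server):
    """Simulated 'group tacacs+': ERROR when the server is unreachable,
    otherwise the server's own verdict for this user."""
    if not server.get("reachable", False):
        return Result.ERROR
    return Result.PASS if user in server.get("authorized", set()) else Result.FAIL


def if_authenticated_method(user, authenticated, server):
    """'if-authenticated': PASS for any user who has already authenticated."""
    return Result.PASS if authenticated else Result.FAIL


METHODS = {
    "group tacacs+": tacacs_method,
    "if-authenticated": if_authenticated_method,
}


def authorize_exec(method_list, user, authenticated, server):
    """Walk the method list the way IOS does: the next method is consulted
    only when the previous one returned ERROR; PASS or FAIL ends the walk.
    Returns True when the EXEC session is authorized."""
    for name in method_list:
        verdict = METHODS[name](user, authenticated, server)
        if verdict is not Result.ERROR:
            return verdict is Result.PASS
    return False  # every method errored out: deny


# Constructed server states for the two cases in the explanation above.
TACACS_UP = {"reachable": True, "authorized": {"alice"}}
TACACS_DOWN = {"reachable": False}

if __name__ == "__main__":
    # 'aaa authorization exec default group tacacs+' with the server down
    print(authorize_exec(["group tacacs+"], "alice", True, TACACS_DOWN))
    # same list with 'if-authenticated' appended, server still down
    print(authorize_exec(["group tacacs+", "if-authenticated"], "alice", True, TACACS_DOWN))
    # server up and explicitly denying: if-authenticated is never reached
    print(authorize_exec(["group tacacs+", "if-authenticated"], "mallory", True, TACACS_UP))
```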

Hi Rick,

Thank you very much for your time and detailed reply.

1) I made the following configuration on a router (GNS3), but it is not logging in directly in enable mode:

aaa new-model
aaa authentication login default local
username cisco privilege 15 password 0 cisco123
line vty 0 4
privilege level 15

2) If the router is not able to communicate with the TACACS+ server then what sort of authorization would be given by the router? I mean privilege level, commands etc.
Thanks and Regards,
Ahmed Shahzad.

Shahzad

I am not sure why it is not logging directly into enable mode. I wonder if there is something about GNS3?

The config that you have posted will not communicate with TACACS. So your question 2) makes little sense. With the config that you posted the router will authorize anything that the user attempts to do.

HTH

Rick


Thanks Rick,

Thank you very much for your reply.

1) It is working now with the following configuration.

username cisco password 0 cisco
aaa new-model
aaa authentication login default local
line con 0
privilege level 15

This is putting every user in privileged mode; however, if I would like some users to go directly into enable mode while some do not, then what?
2) Second question is not related to first. I need the correct understanding on if-authenticated keyword.
Thanks and Regards,
Shahzad.

harkirats
Level 1

Actually, this is a pretty common issue, and very poorly documented. I would explain this as follows:

The command 'username user7 privilege 7 password pass7' can be seen as two separate commands:
        1st Command for authentication: username user7 password pass7
        2nd Command for authorization: username user7 privilege 7

To enforce authentication, you need to use the 'aaa authentication' command. Similarly, to enforce authorization, you need to use the 'aaa authorization' command.

If you do not enter the 'aaa authorization' command, all local users, regardless of their configured priv levels, start off with priv 1. You can verify this using the IOS-XE 'show priv' command. It is only after 'aaa authorization' is configured that the priv levels configured for local users start to take effect.

Thus, the config should look something like the following:

aaa new-model
aaa authentication login default local
aaa authorization exec default local !--- This is the missing bit in your config
aaa authorization console

HTH