12-02-2021 06:12 AM
For example, I have this template:
aaa authentication login VTY group ISE_TACACS local
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec VTY group ISE_TACACS local if-authenticated
aaa authorization commands 1 default group ISE_TACACS if-authenticated
aaa authorization commands 1 VTY group ISE_TACACS local if-authenticated
aaa authorization commands 15 default group ISE_TACACS if-authenticated
aaa authorization commands 15 VTY group ISE_TACACS local if-authenticated
aaa accounting update periodic 5
aaa accounting exec default start-stop group ISE_TACACS
aaa accounting commands 1 default start-stop group ISE_TACACS
aaa accounting commands 1 VTY start-stop group ISE_TACACS
aaa accounting commands 15 default start-stop group ISE_TACACS
aaa accounting commands 15 VTY start-stop group ISE_TACACS
line vty 0 4
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec VTY
 login authentication VTY
 logging synchronous
 transport input ssh
========================================================
From my understanding, default is applied to all lines if nothing is under the VTY line. What's the difference between these two?
aaa authorization exec default group tacacs+ if-authenticated : does this command check the ISE_TACACS group also? What does plain tacacs+ mean?
aaa authorization exec VTY group ISE_TACACS local if-authenticated
12-08-2021 08:52 PM
In your case the default is redundant because you have a method list called "VTY" that is explicitly configured under the vty line 0 4.
And the "group tacacs+" is also a more generic syntax that is not recommended when you want to be more specific about the exact TACACS+ group that you have defined (i.e. ISE_TACACS). The "group tacacs+" is convenient in some cases because it's relaxed (and lazy) and somewhat future-proof if you change the group name. But I tend to use the Group Name for TACACS+ and RADIUS.
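An added example, not part of the original posts: a small Python audit that resolves which method list each line actually uses (the named list if one is applied, otherwise "default") and reports method lists that rely on the generic "group tacacs+" or "group radius". The sample config is constructed from the template in the question; the "line vty 5 15" block and the function names are assumptions, and sub-commands are expected to be indented as in show running-config output.

```python
import re

# Constructed sample based on the question's template; "line vty 5 15" is an assumption.
SAMPLE = """\
aaa authentication login VTY group ISE_TACACS local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec VTY group ISE_TACACS local if-authenticated
line vty 0 4
 authorization exec VTY
 login authentication VTY
line vty 5 15
"""

SERVICE = r"(authentication login|login authentication|authorization exec|authorization commands \d+)"
AAA_RE = re.compile(rf"^aaa {SERVICE} (\S+) (.+)$")
LINE_RE = re.compile(rf"^ +{SERVICE} (\S+)$")

def parse(config):
    """Return (method lists keyed by (service, name), named lists applied per line)."""
    lists, applied, current = {}, {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):  # a top-level command ends any open line block
            current = raw if raw.startswith("line ") else None
            if current:
                applied[current] = {}
            elif m := AAA_RE.match(raw):
                lists[(m.group(1), m.group(2))] = m.group(3).split()
        elif current and (m := LINE_RE.match(raw)):
            svc = m.group(1).replace("login authentication", "authentication login")
            applied[current][svc] = m.group(2)
    return lists, applied

def effective(config):
    """Map line -> service -> (list name, methods); methods is None if that list is undefined."""
    lists, applied = parse(config)
    result = {}
    for line, named in applied.items():
        for svc in sorted({s for s, _ in lists}):
            name = named.get(svc, "default")  # no named list applied -> "default"
            result.setdefault(line, {})[svc] = (name, lists.get((svc, name)))
    return result

def generic_groups(config):
    """Method lists using the built-in tacacs+/radius group instead of a named server group."""
    lists, _ = parse(config)
    return sorted(key for key, methods in lists.items()
                  if any(a == "group" and b in ("tacacs+", "radius")
                         for a, b in zip(methods, methods[1:])))

if __name__ == "__main__":
    print(effective(SAMPLE), generic_groups(SAMPLE), sep="\n")
```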