03-17-2011 06:39 AM - edited 03-10-2019 05:55 PM
Hi,
I would like to send aaa authorization requests to an external Radius server.
However, it seems that an authentication step is mandatory before the authorization is processed.
When I use "none" authentication on a line configuration (see below), the AS5300 doesn't even send any request to the radius server. The authorization process immediately provides a FAILURE status.
aaa new-model
aaa authentication login LOGINTTY none
aaa authorization exec LOGINTTY group radius
aaa session-id common
line 1 120
 login authentication LOGINTTY
 authorization exec LOGINTTY
But if I configure an authentication step (local, or radius, or line ...), then the authorization is correctly processed after authentication success.
Is it not possible to configure aaa authorization without being asked a username/password on AS5300?
Thank you for your help.
Regards
RM
03-17-2011 07:29 AM
Hi,
Authentication is a mandatory step before authorization.
Radius does not have separate processes for authentication and authorization. It is all a part of the same packet.
Hence authentication is a must for authorization to happen.
Hope that helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel query is resolved. Do rate helpful posts.
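The point made in the answer above, that RADIUS carries authorization attributes in the reply to the request that holds the credentials, shown as an added example (not part of the original thread and not Cisco code). It follows the RFC 2865 packet layout; the shared secret, user name, password and authenticator in `demo()` are constructed sample values.

```python
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6  # RFC 2865 attribute types

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2 (MD5-chained XOR)."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value

def access_request(ident, user, password, secret, authenticator) -> bytes:
    """NAS side: the credentials travel in the only request a login can send."""
    hidden = attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    attrs = attr(USER_NAME, user) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def access_accept(request: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Server side: authorization attributes ride in the reply to that request."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + auth + attrs

def parse(packet: bytes):
    """Return (code, {attribute type: value}) for a RADIUS packet."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        t, n = packet[pos], packet[pos + 1]
        if n < 2 or pos + n > length:
            raise ValueError("malformed attribute")
        attrs[t] = packet[pos + 2:pos + n]
        pos += n
    return code, attrs

def demo():
    """Constructed sample values only: secret, user, password, authenticator."""
    secret, req_auth = b"sample-secret", bytes(range(16))
    req = access_request(1, b"rm", b"sample-pass", secret, req_auth)
    rep = access_accept(req, secret, attr(SERVICE_TYPE, struct.pack("!I", 1)))  # 1 = Login
    return parse(req), parse(rep)
```

The Access-Accept is the only place the Service-Type attribute appears, and it exists only as the answer to an Access-Request, which is why a `none` authentication method leaves nothing for the NAS to send.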
03-17-2011 08:11 AM
Thank you, Anisha.
This confirms the idea I had.
However, I have been told that this configuration was working on a Cisco 3640, and stopped working after it was changed to an AS5300.
But I cannot confirm this.
Is it possible that the AS5300 doesn't ask the remote user for a username/password at the authentication step, and provides a kind of generic username/password to the radius server?
Thank you
RM
03-17-2011 08:28 AM
Dear Valued Cisco Customer,
I will be out of the office from 03/20/2010 until 04/04/2010. During
this time, I will have no access to email or voicemail. If you require
assistance during my absence, please contact Manivannan Srinivasan via
phone at 469-255-4806 or via email at mansrini@cisco.com and this
engineer will continue to work any immediate concerns you may have at
this time. If this issue can wait until my return on 04/05/2010, I will
be glad to continue working with you. If you require assistance outside
of our business hours (10:00am - 7:00pm CST), please contact the TAC by
calling 1800-553-2447 or email tac@cisco.com and request to have the
service request re-assigned.
Best Regards,
Abhishek Neelakanata
03-17-2011 09:01 AM
Hi,
Authorization will not work w/o authentication.
If you configure the authentication for radius then the radius authentication will take place from the radius database.
Hope this helps.
Regards,
Anisha
- do rate helpful posts.