Solved: Re: AS5300 - authorization without Authentication

rm.moreau · ‎03-17-2011

Hi,

I would like to send aaa authorization requests to an external Radius server.

However it seems that an authentication step is mandatory before to process the authorization.

When I use "none" authentication on a line configuration (see below), the AS5300 doesn't even send any request to the radius server. The authorization process immediatly provide FAILURE status..

aaa new-model

aaa authentication login LOGINTTY none
aaa authorization exec LOGINTTY group radius
aaa session-id common

line 1 120

login authentication LOGINTTY

authorization exec LOGINTTY

But if I configure an authentication step ( local, or radius, or line ... ), then the authorization is correctly processed after authentication success.

Is it not possible to configure aaa authorization without being asked a username/password on AS5300 ?

Thank you for your help.

Regards

RM

andamani · ‎03-17-2011

Hi,

Authentication is a must step before authorization.

Radius does not have seperate processes for authentication and authorization. it is all a part of same packet.

Hence authentication is must for authorization to happen.

hope that helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel query is resolved. Do rate helpful posts.

View solution in original post

andamani · ‎03-17-2011

Hi,

Authentication is a must step before authorization.

Radius does not have seperate processes for authentication and authorization. it is all a part of same packet.

Hence authentication is must for authorization to happen.

hope that helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel query is resolved. Do rate helpful posts.

rm.moreau · ‎03-17-2011

ThankYou Anisha.

This confirms the idea I had.

However I have been explained that this configuration was working on a Cisco 3640, and stopped working after it has been change to an AS5300.

But I cannot confirm this.

Is that possible that the AS5300 don't ask for username/password to remote user at authentication step, and provides kind of generic username/password to the radius server ?

Thank you

RM

aneelaka · ‎03-17-2011

Dear Valued Cisco Customer,

I will be out of the office from 03/20/2010 until 04/04/2010. During

this time, I will have no access to email or voicemail. If you require

assistance during my absence, please contact Manivannan Srinivasan via

phone at 469-255-4806 or via email at mansrini@cisco.com and this

engineer will continue to work any immediate concerns you may have at

this time. If this issue can wait until my return on 04/05/2010, I will

be glad to continue working with you. If you require assistance outside

of our business hours (10:00am - 7:00pm CST), please contact the TAC by

calling 1800-553-2447 or email tac@cisco.com and request to have the

service request re-assigned.

Best Regards,

Abhishek Neelakanata

andamani · ‎03-17-2011

Hi,

Authorization will not work w/o authentication.

If you configure the authentication for radius then the radius authentication will take place from the radius database.

Hope this helps.

Regards,

Anisha

- do rate helpful posts.

aneelaka · ‎03-17-2011