11-26-2012 06:24 AM - edited 03-07-2019 10:14 AM
Hi,
I've a doubt about the behaviour of the following commands:
aaa new-model
!
aaa authentication enable default group tacacs+ enable
!
aaa authorization exec default group tacacs+ local
the first (authentication enable) defines the authentication method list the router has to use when the (logged in) user types 'enable' at CLI (here group radius and the local configured enable password)
the second one specifies the authorization method required to 'spawn' an exec CLI (to bring the logged in user into privileged exec mode)
If that is correct....what is the difference (from a user's point of view) between them?
Regards, Carlo
11-26-2012 07:57 AM
If you had AAA configured on a device using a TACACS server, and in the TACACS your user account was configured with a default privilege of "15", having the "aaa authorization exec default group tacacs+ local" command should put you automatically in "enable" mode, as the device would get your authorization privilege from TACACS.
I think it could be put this way: aaa authorization exec configures you for your "default" privilege when logging into the device. aaa authentication enable will allow you to authenticate to a higher privilege (Your Maximum Privilege).
11-26-2012 08:16 AM
Carlo
From a user perspective the difference between authentication and authorization is that authentication has to do with determining who the person is and frequently requires entry of a password or some other credential as part of proving that you are who you claim to be. Authorization has to do with what you can do (and possibly what privilege level). To a user the most obvious difference is that Authorization does not use a password while Authentication does use a password.
HTH
Rick
11-27-2012 01:26 AM
Thanks for answers....
About this configuration:
aaa new-model
!
username carlo privilege 2 password 0 cisco
!
aaa authorization exec default none
Here I believe there is NO authorization requirement to allow the user to access the (exec) shell....but what about the (initial) privilege level assigned to this user when the shell is spawned?
I've done a simple test for it and when the user logs in, this is the outcome:
R1#tel 192.168.0.3
Trying 192.168.0.3 ... Open
User Access Verification
Username: carlo
Password:
R3>sh privilege
Current privilege level is 1 <-------------------
Here the current user privilege is 1 while the privilege level configured at username level (username carlo privilege 2 password 0 cisco) is 2.
Is that the expected behaviour?
11-27-2012 05:36 AM
I believe that is correct.
If you added aaa authorization exec default local
then you should see the privilege go to "2" when logged in.
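The two questions in this thread (what separates "aaa authentication enable" from "aaa authorization exec", and why "aaa authorization exec default none" leaves carlo at level 1 while "local" would give him level 2) both come down to how IOS walks a method list. The following Python model is an added illustration, not Cisco code or anything from this thread: the local user table mirrors the posted "username carlo" line, while FakeTacacs, ENABLE_SECRET and the TACACS+ test users are constructed stand-ins. It encodes the IOS rule that the next method in a list is tried only when the previous one returns ERROR (server unreachable), never when the server gives a definite FAIL; treating an unknown local user as FAIL is a simplification of this model.

```python
# Toy model of how IOS walks an AAA method list. Added illustration, not
# Cisco code; the user table, TACACS+ stand-in and enable secret below are
# all constructed for this example.

DEFAULT_PRIVILEGE = 1          # level a fresh exec session lands on
ENABLE_SECRET = "s3cret"       # constructed local 'enable secret'

# Mirrors the thread's "username carlo privilege 2 password 0 cisco".
LOCAL_USERS = {"carlo": {"password": "cisco", "privilege": 2}}


class FakeTacacs:
    """Constructed stand-in for a TACACS+ server.

    Returns PASS/FAIL like a real server, or ERROR when 'reachable' is
    False. IOS moves to the next method in a list only on ERROR, never on
    FAIL, so reachability decides whether the fallback method is ever used.
    """

    def __init__(self, users, reachable=True):
        self.users = users          # name -> {"priv_lvl": int, "enable": str}
        self.reachable = reachable

    def authorize_exec(self, user):
        if not self.reachable:
            return "ERROR", None
        rec = self.users.get(user)
        return ("PASS", rec["priv_lvl"]) if rec else ("FAIL", None)

    def authenticate_enable(self, user, password):
        # Simplified: a real server checks an enable-service request.
        if not self.reachable:
            return "ERROR"
        rec = self.users.get(user)
        return "PASS" if rec and rec["enable"] == password else "FAIL"


def exec_privilege(methods, user, tacacs):
    """'aaa authorization exec default <methods>': decide whether an exec
    shell is spawned and at which initial privilege level."""
    for method in methods:
        if method == "none":
            # No authorization is performed: the shell is spawned, but
            # nothing reads the username's configured privilege, so level 1.
            return "PASS", DEFAULT_PRIVILEGE
        if method == "local":
            rec = LOCAL_USERS.get(user)
            # Model assumption: an unknown local user is a FAIL.
            return ("PASS", rec["privilege"]) if rec else ("FAIL", None)
        if method == "group tacacs+":
            result, level = tacacs.authorize_exec(user)
            if result == "ERROR":
                continue            # server unreachable: try next method
            return result, level
        raise ValueError(f"unsupported method {method!r}")
    return "ERROR", None            # every method errored out


def enable_authentication(methods, user, password, tacacs):
    """'aaa authentication enable default <methods>': consulted only when
    the already logged-in user types 'enable'."""
    for method in methods:
        if method == "enable":
            return "PASS" if password == ENABLE_SECRET else "FAIL"
        if method == "group tacacs+":
            result = tacacs.authenticate_enable(user, password)
            if result == "ERROR":
                continue            # server unreachable: fall back
            return result
        raise ValueError(f"unsupported method {method!r}")
    return "ERROR"


if __name__ == "__main__":
    up = FakeTacacs({"carlo": {"priv_lvl": 15, "enable": "tac-enable"}})
    down = FakeTacacs({}, reachable=False)
    print(exec_privilege(["none"], "carlo", up))                      # ('PASS', 1)
    print(exec_privilege(["local"], "carlo", up))                     # ('PASS', 2)
    print(exec_privilege(["group tacacs+", "local"], "carlo", up))    # ('PASS', 15)
    print(exec_privilege(["group tacacs+", "local"], "carlo", down))  # ('PASS', 2)
    print(enable_authentication(["group tacacs+", "enable"],
                                "carlo", "s3cret", down))             # PASS
```

The interesting cases are the last two: with the server down, "group tacacs+ local" silently falls back to the username's privilege 2, and "group tacacs+ enable" falls back to the locally configured enable secret, which is exactly why a reachable server that rejects the user is a different outcome from an unreachable one.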