aaa authentication enable/authorization exec

Hi,

I've a doubt about the behaviour of the following commands:

aaa new-model

!

aaa authentication enable default group tacacs+ enable

!

aaa authorization exec default group tacacs+ local

The first (authentication enable) defines the authentication method list the router has to use when the (logged in) user types 'enable' at the CLI (here group radius and the locally configured enable password).

The second one specifies the authorization method required to 'spawn' an exec CLI (to bring the logged in user into privileged exec mode).

If that is correct, what is the difference (from a user's point of view) between them?

Regards, Carlo

Gabriel Hill
Level 1

If you had AAA configured on a device using a TACACS server, and in the TACACS your user account was configured with a default privilege of "15", having the "aaa authorization exec default group tacacs+ local" command should put you automatically in "enable" mode, as the device would get your authorization privilege from tacacs.

I think it could be put this way: aaa authorization exec configures you for your "default" privilege when logging into the device. aaa authentication enable will allow you to authenticate to a higher privilege (your maximum privilege).


Carlo

From a user perspective the difference between authentication and authorization is that authentication has to do with determining who the person is and frequently requires entry of a password or some other credential as part of proving that you are who you claim to be. Authorization has to do with what you can do (and possibly what privilege level). To a user the most obvious difference is that Authorization does not use a password while Authentication does use a password.

HTH

Rick

Thanks for the answers.

About this configuration:

aaa new-model

!

username carlo privilege 2 password 0 cisco

!

aaa authorization exec default none

Here I believe there is NO authorization requirement to allow the user to access the (exec) shell, but what about the (initial) privilege level assigned to this user when the shell is spawned?

I've done a simple test for it, and when the user logs in this is the outcome:

R1#tel 192.168.0.3

Trying 192.168.0.3 ... Open

User Access Verification

Username: carlo

Password:

R3>sh privilege

Current privilege level is 1 <-------------------

Here the current user privilege is 1, while the privilege level configured at username level (username carlo privilege 2 password 0 cisco) is 2.

Is that the expected behaviour?

I believe that is correct.

If you added aaa authorization exec default local

Then you should see the privilege go to "2" when logged in.
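The following script is an added illustration and is not Cisco IOS code or code from anyone in this thread. It parses the two configurations quoted above, walks the `aaa authorization exec` and `aaa authentication enable` method lists in order, and reproduces the outcome the thread reports: with `aaa authorization exec default none` the user lands at privilege 1 regardless of the `username ... privilege 2` line, while `local` yields 2 and a TACACS+ reply supplies whatever the server returns. The TACACS+ reply value and the "server unreachable" condition are constructed inputs, and the small audit function only reports facts the thread itself establishes plus the well-known meaning of `password 0` (cleartext).

```python
import re
from dataclasses import dataclass, field

# Sample configurations, constructed from the two snippets quoted in the thread.
CONFIG_TACACS = """
aaa new-model
!
aaa authentication enable default group tacacs+ enable
!
aaa authorization exec default group tacacs+ local
!
username carlo privilege 2 password 0 cisco
"""

CONFIG_NONE = """
aaa new-model
!
username carlo privilege 2 password 0 cisco
!
aaa authorization exec default none
"""


@dataclass
class AaaConfig:
    new_model: bool = False
    enable_methods: list = field(default_factory=list)   # aaa authentication enable default ...
    exec_methods: list = field(default_factory=list)     # aaa authorization exec default ...
    users: dict = field(default_factory=dict)            # username -> configured privilege
    cleartext_users: list = field(default_factory=list)  # usernames stored with "password 0"


def split_methods(spec):
    """'group tacacs+ local' -> ['group tacacs+', 'local'] ('group' binds the next word)."""
    toks = spec.split()
    out, i = [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append("group " + toks[i + 1])
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out


USER_RE = re.compile(r"username (\S+)(?: privilege (\d+))? password (\d) \S+")


def parse_config(text):
    """Extract only the AAA lines this thread discusses; everything else is ignored."""
    cfg = AaaConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "aaa new-model":
            cfg.new_model = True
        elif line.startswith("aaa authentication enable default "):
            cfg.enable_methods = split_methods(line[len("aaa authentication enable default "):])
        elif line.startswith("aaa authorization exec default "):
            cfg.exec_methods = split_methods(line[len("aaa authorization exec default "):])
        elif (m := USER_RE.match(line)):
            name, priv, ptype = m.group(1), m.group(2), m.group(3)
            cfg.users[name] = int(priv) if priv else 1   # IOS default user privilege is 1
            if ptype == "0":
                cfg.cleartext_users.append(name)
    return cfg


def initial_privilege(cfg, user, tacacs_priv=None):
    """Privilege level the authenticated user gets when the EXEC shell spawns.
    tacacs_priv is the (constructed) privilege a TACACS+ server returns, or None when the
    server is unreachable, in which case the next method in the list is tried.
    Returns None when authorization fails and no EXEC shell is granted."""
    for method in cfg.exec_methods:
        if method == "none":
            return 1                      # no exec authorization: the thread's test shows level 1
        if method == "local":
            return cfg.users.get(user)    # privilege from the username line; None if unknown user
        if method.startswith("group "):
            if tacacs_priv is not None:
                return tacacs_priv
            continue                      # server gave no answer: fall through to the next method
    return None


def enable_method_used(cfg, server_reachable):
    """Which 'aaa authentication enable' method ends up answering the 'enable' prompt."""
    for method in cfg.enable_methods:
        if method.startswith("group ") and not server_reachable:
            continue                      # unreachable server: try the next method
        return method
    return None


def audit(cfg):
    """Findings a reviewer would raise on the AAA lines quoted in the thread."""
    findings = []
    if cfg.exec_methods and cfg.exec_methods[0] == "none":
        findings.append("exec authorization is 'none': every user starts at privilege 1 and "
                        "the username privilege levels are ignored")
    if cfg.enable_methods and cfg.enable_methods[-1] == "enable":
        findings.append("enable authentication falls back to the local enable password "
                        "when the server is unreachable")
    for u in cfg.cleartext_users:
        findings.append(f"username {u}: 'password 0' stores the password in cleartext")
    return findings


if __name__ == "__main__":
    tac = parse_config(CONFIG_TACACS)
    print("server answers priv 15:", initial_privilege(tac, "carlo", tacacs_priv=15))
    print("server down, local    :", initial_privilege(tac, "carlo"))
    print("enable, server down   :", enable_method_used(tac, False))
    non = parse_config(CONFIG_NONE)
    print("exec authz none       :", initial_privilege(non, "carlo"))
    for finding in audit(non):
        print(" -", finding)
```

Running it shows the two cases side by side: the thread's second configuration gives carlo privilege 1, and swapping `none` for `local` in the same configuration gives 2, which is the change suggested in the last reply.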