cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

804
Views
0
Helpful
4
Replies

aaa authentication enable/authorization exec

Hi,

I've a doubt about the behaviour of the following commands:

aaa new-model

!

aaa authentication enable default group tacacs+ enable

!

aaa authorization exec default group tacacs+ local

the first (authentication enable) defines the authentication method list the router has to use when the (logged in) user type 'enable' at CLI (here group radius and the local configured enable password)

the second one specify the authorization method required to 'spawn' an exec CLI (to bring the logged in user into privileged exec mode)

If that is correct....what is the different (from a user point of view) between them ?

Regards, Carlo

4 REPLIES 4
Beginner

Re: aaa authentication enable/authorization exec

If you had AAA configured on a device using a TACACS server. In the TACACS your user account was configured with an default privilege of "15". Having the "aaa authorization exec default group tacacs+ local" command should put you automatically in "enable" mode, as the device would get your authorization privilege from tacacs.

I think it could be put this way: aaa authorization exe configures you for your "default" privilege when logging into the device. aaa authentication enable will allow you to authenticate to a higher privilege (Your Maximum Privilege).

.


Hall of Fame Master

aaa authentication enable/authorization exec

Carlo

From a user perspective the difference between authentication and authorization is that authentication has to do with determining who the person is and frequently requires entry of a password or some other credential as part of proving that you are who you claim to be. Authorization has to do with what you can do (and possibly what privilege level). To a user the most obvious difference is that Authorization does not use a password while Authentication does use a password.

HTH

Rick

If you found this post helpful, please let the community know by clicking the helpful button!
By doing so, and until end of January, you are helping Doctors Without Borders
Highlighted

Re: aaa authentication enable/authorization exec

Thanks for answers....

About this configuration:

aaa new-model

!

username carlo privilege 2 password 0 cisco

!

aaa authorization exec default none

Here I believe there is NO authorization requirement to allow the user to access (exec) shell....but what about the (initial) privilege level assigned to this user when shell is spawned ?

I've done a simple test for it and when the user log in this is the outcome

R1#tel 192.168.0.3

Trying 192.168.0.3 ... Open

User Access Verification

Username: carlo

Password:

R3>sh privilege

Current privilege level is 1 <-------------------

Here the current user privilege is 1 while the privilege level configured at username level (

username carlo privilege 2 password 0 cisco) is 2

Is that the expected behaviour ?

Beginner

Re: aaa authentication enable/authorization exec

I believe that is correct.

If you added aaa authorization exec default local

Then you should see the privilege goto "2" when logged in.


CreatePlease to create content
Content for Community-Ad