I have a doubt about the behaviour of the following commands:
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
The first (authentication enable) defines the authentication method list the router has to use when the (logged in) user types 'enable' at the CLI (here group radius and the locally configured enable password).
The second one specifies the authorization method required to 'spawn' an exec CLI (to bring the logged in user into privileged exec mode).
If that is correct.... what is the difference (from a user point of view) between them?
If you had AAA configured on a device using a TACACS server, and in TACACS your user account was configured with a default privilege of "15", then having the "aaa authorization exec default group tacacs+ local" command should put you automatically in "enable" mode, as the device would get your authorization privilege from TACACS.
I think it could be put this way: aaa authorization exec configures you for your "default" privilege when logging into the device. aaa authentication enable will allow you to authenticate to a higher privilege (your maximum privilege).
From a user perspective, the difference between authentication and authorization is that authentication has to do with determining who the person is and frequently requires entry of a password or some other credential as part of proving that you are who you claim to be. Authorization has to do with what you can do (and possibly what privilege level). To a user the most obvious difference is that authorization does not use a password while authentication does.
Thanks for answers....
About this configuration:
username carlo privilege 2 password 0 cisco
aaa authorization exec default none
Here I believe there is NO authorization requirement to allow the user to access the (exec) shell.... but what about the (initial) privilege level assigned to this user when the shell is spawned?
I've done a simple test for it, and when the user logs in this is the outcome:
Trying 192.168.0.3 ... Open
User Access Verification
Current privilege level is 1 <-------------------
Here the current user privilege is 1, while the privilege level configured at username level (username carlo privilege 2 password 0 cisco) is 2.
Is that the expected behaviour?
I believe that is correct.
If you added aaa authorization exec default local
then you should see the privilege go to "2" when logged in.
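As an added illustration (not part of any post in this thread), the configuration below puts the two questions side by side: the exec authorization method list that decides the initial privilege level at login, and the enable authentication method list that is consulted only when the user types 'enable'. The TACACS+ server address, the key and the username are placeholders I made up for the example; the privilege-level outcomes stated in the comments follow the behaviour described in the replies above.

```text
! --- Weak / surprising setting from the thread ---
! With "none", no exec authorization is performed at all, so IOS never
! consults the username entry and the session starts at privilege 1,
! even though the username line says privilege 2.
username carlo privilege 2 password 0 cisco
aaa new-model
aaa authorization exec default none

! --- Corrected setting: privilege comes from the local username entry ---
! "local" makes IOS read the privilege from the username line, so the
! same user now lands at privilege 2 immediately after login.
aaa authorization exec default local

! --- TACACS+ deployment with local fallback (the first poster's setup) ---
! 192.0.2.10 and the key are example values, not from the original thread.
tacacs server EXAMPLE-TACACS
 address ipv4 192.0.2.10
 key EXAMPLE-KEY
!
! Login authentication: who are you? (password checked against TACACS+,
! then the local username database only if the server does not respond)
aaa authentication login default group tacacs+ local
!
! Exec authorization: what privilege do you start with? If TACACS+ returns
! priv-lvl=15 for the account, the session opens directly in enable mode.
aaa authorization exec default group tacacs+ local
!
! Enable authentication: only used when a lower-privilege user types
! "enable". TACACS+ is asked first, then the local enable secret.
aaa authentication enable default group tacacs+ enable
enable secret EXAMPLE-ENABLE-SECRET
!
! Local fallback account so the device stays reachable if TACACS+ is down.
username carlo privilege 15 secret EXAMPLE-PASSWORD
```

Two points worth checking on a real device: in a method list such as "group tacacs+ local", the next method is tried only when the preceding one does not answer (server unreachable), not when it actively rejects the user; and an exec authorization list that ends in "none" grants the shell with the default privilege, which is why the test in the thread shows level 1.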