11-05-2020 09:39 PM
Hi guys,
Need some help with this. I am curious what the purpose of line 4 is when authentication and authorization are handled by ISE.
I removed the line and everything works the same. So is this line redundant in my case?
1: aaa authentication login ISE-SVR group ISE local
2: aaa authentication login CONSOLE local none
3: aaa authorization exec ISE-SVR local group ISE if-authenticated
4: aaa authorization commands 15 ISE-SVR local group ISE if-authenticated
5: aaa accounting exec default start-stop group ISE
6: aaa accounting commands 15 default stop-only group ISE
11-08-2020 11:57 AM
Your configuration of authentication says that in general it is preferred to use ISE/TACACS to authenticate but that other alternatives are provided in case ISE/TACACS is not available. Your configuration of authorization (both line 4 and line 3) specifies that ISE/TACACS is preferred. Think about what might happen if ISE/TACACS were not available. You might be able to access the device and to authenticate using an alternate authentication method. But what if authorization depended on TACACS? I have had the experience (more than once, I must admit) where I was able to access a device and to authenticate but was not able to be authorized. The result is that I was prevented from doing anything on that device. if-authenticated provides a fallback so that you would not be locked out if TACACS was not available (and I have learned that if-authenticated should be part of my standard approach to configuring aaa).
You observe that even without if-authenticated you still get access to level 15 commands. And in normal situations that would be expected. But I wonder if you have tested the case where you access the device, authenticate using TACACS, execute some commands which are successfully authorized by TACACS, but then for some reason the TACACS server becomes unavailable? Especially if the user name you used to authenticate with TACACS does not have a matching local user name, what would happen? TACACS cannot authorize your command and local cannot authorize your command. if-authenticated provides a fallback so that you do not get locked out of the device.
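The failure mode described in this answer can be walked through with a small model of how a method list is evaluated. This is an added illustration, not Cisco code and not part of the thread: it assumes each method returns PASS, FAIL or ERROR, that the list advances to the next method only on ERROR (server unreachable, or no local entry for the user), and uses constructed user databases (ISE_USERS, LOCAL_USERS) and a Session record in place of a real device and ISE server.

```python
# Simplified model of IOS-style "aaa authorization commands 15 <list> <methods>"
# evaluation. Added example with modelling assumptions; not Cisco's implementation.
from dataclasses import dataclass

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Session:
    user: str
    authenticated: bool       # did some authentication method already succeed?
    tacacs_reachable: bool    # is the ISE/TACACS server currently up?
    priv: int = 15            # privilege level the command requires


# Constructed sample data standing in for ISE policy and the local user database.
ISE_USERS = {"alice": 15, "bob": 15}     # users ISE would authorize at level 15
LOCAL_USERS = {"admin": 15}              # e.g. 'username admin privilege 15 ...'


def method_group_ise(s: Session) -> str:
    """'group ISE': ask the TACACS server; unreachable server is an ERROR."""
    if not s.tacacs_reachable:
        return ERROR                     # advance to the next method in the list
    return PASS if ISE_USERS.get(s.user, 0) >= s.priv else FAIL


def method_local(s: Session) -> str:
    """'local': consult the local database. Assumption: a user with no local
    entry cannot be decided locally, so the list advances (ERROR)."""
    if s.user not in LOCAL_USERS:
        return ERROR
    return PASS if LOCAL_USERS[s.user] >= s.priv else FAIL


def method_if_authenticated(s: Session) -> str:
    """'if-authenticated': succeed for any user who already authenticated."""
    return PASS if s.authenticated else FAIL


METHODS = {
    "local": method_local,
    "group ISE": method_group_ise,
    "if-authenticated": method_if_authenticated,
}


def authorize(method_list, s: Session):
    """Walk the method list in order. Returns (decision, deciding method).
    If every method returns ERROR, authorization fails: the user is locked out."""
    for name in method_list:
        result = METHODS[name](s)
        if result != ERROR:
            return result, name
    return FAIL, None


if __name__ == "__main__":
    # Line 4 from the thread, as configured, and the same list without if-authenticated.
    with_fallback = ["local", "group ISE", "if-authenticated"]
    without_fallback = ["local", "group ISE"]
    scenarios = [
        ("ISE up, ISE-only user", Session("alice", True, True)),
        ("ISE down, ISE-only user", Session("alice", True, False)),
        ("ISE down, local user", Session("admin", True, False)),
    ]
    for label, sess in scenarios:
        print(f"{label:26} with if-authenticated: {authorize(with_fallback, sess)}"
              f"   without: {authorize(without_fallback, sess)}")
```

The second scenario is the one the answer describes: ISE becomes unreachable mid-session and the TACACS user has no matching local account, so both `local` and `group ISE` return ERROR. With `if-authenticated` at the end of the list the already-authenticated user is still authorized; without it the list is exhausted and every command is denied.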
11-06-2020 01:42 AM
Create an authorization list (if any) that allows exec mode for ISE-SVR users if authenticated. If you are using if-authenticated, any authentication method (line, local, other) will allow for successful authorization and allow the user to execute the privilege level 15 commands.
11-06-2020 02:02 AM
Yes, but without this line I get privilege level command of 15 too.
11-08-2020 03:26 PM
There are some aspects of aaa authorization that are quite subtle and can be difficult to understand. I am glad that our explanations have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.