cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
861
Views
10
Helpful
4
Replies

Question on AAA and Tacacs+

Jagan1976
Level 1
Level 1

Hi guys,

Need some help with this. I am curious what is the purpose of line 4 when authentication and authorization is handled by ISE?

I removed the line and everything works the same. So is this line redundant in my case?

 

1: aaa authentication login ISE-SVR group ISE local
2: aaa authentication login CONSOLE local none
3: aaa authorization exec ISE-SVR local group ISE if-authenticated
4: aaa authorization commands 15 ISE-SVR local group ISE if-authenticated
5: aaa accounting exec default start-stop group ISE
6: aaa accounting commands 15 default stop-only group ISE

1 Accepted Solution

Accepted Solutions

Your configuration of authentication says that in general it is preferred to use ISE/TACACS to authenticate but that other alternatives are provided in case ISE/TACACS is not available.  Your configuration of authorization (both line 4 and line 3) specify that ISE/TACACS is preferred. Think about what might happen if ISE/TACACS were not available. You might be able to access the device and to authenticate using an alternate authentication method. But what if authorization depended on TACACS? I have had the experience (more than once I must admit) where I was able to access a device and to authenticate but was not able to be authorized. The result is that I was prevented from doing anything on that device. if-authenticated provides a fall back so that you would not be locked out if TACACS was not available (and I have learned that if-authenticated should be part of my standard approach to configuring aaa).

 

You observe that even without if-authenticated you still get access to level 15 commands. And in normal situations that would be expected. But I wonder if you have tested the case where you access the device, authenticate using TACACS, execute some commands which are successfully authorized by TACACS, but then for some reason the TACACS server becomes unavailable? Especially if the user name you used to authenticate with TACACS does not have a matching local user name, what would happen? TACACS can not authorize your command and local can not authorize your command. if-authenticated provides a fall back so that you do not get locked out of the device.

HTH

Rick

View solution in original post

4 Replies 4

balaji.bandi
Hall of Fame
Hall of Fame

Create an authorization list (if any) that allows exec mode for ISE-SVR users if authenticated, If you using  if-authenticated any authentication method (line, local, other.) will allow for successful authorization and allow the user to excute the privelege level command of 15,

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Yes, but without this line I get privilege level command of 15 too.

Your configuration of authentication says that in general it is preferred to use ISE/TACACS to authenticate but that other alternatives are provided in case ISE/TACACS is not available.  Your configuration of authorization (both line 4 and line 3) specify that ISE/TACACS is preferred. Think about what might happen if ISE/TACACS were not available. You might be able to access the device and to authenticate using an alternate authentication method. But what if authorization depended on TACACS? I have had the experience (more than once I must admit) where I was able to access a device and to authenticate but was not able to be authorized. The result is that I was prevented from doing anything on that device. if-authenticated provides a fall back so that you would not be locked out if TACACS was not available (and I have learned that if-authenticated should be part of my standard approach to configuring aaa).

 

You observe that even without if-authenticated you still get access to level 15 commands. And in normal situations that would be expected. But I wonder if you have tested the case where you access the device, authenticate using TACACS, execute some commands which are successfully authorized by TACACS, but then for some reason the TACACS server becomes unavailable? Especially if the user name you used to authenticate with TACACS does not have a matching local user name, what would happen? TACACS can not authorize your command and local can not authorize your command. if-authenticated provides a fall back so that you do not get locked out of the device.

HTH

Rick

There are some aspects of aaa authorization that are quite subtle and can be difficult to understand. I am glad that our explanations have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: