[c-nsp] aaa different for console logins?
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Wed Jan 12 04:11:30 EST 2005
>
>> by default, console sessions are not authorized via AAA (a safeguard
>> against a misconfigured authorization). configure "aaa authorization
>> console" (could be hidden, depending on IOS release) if you want to
>> change this behaviour.
>
> Ah, so that's to stop you from giving out enable on the console
> accidentally? It does use AAA for authentication on the console
> without doing anything special.
That will prevent the session from receiving any authorization info
(like privilege level), only authentication.
> My reason for looking into this is that we use AAA (radius) to
> authenticate noc staff logins (so we don't have to change enable
> secrets any time someone leaves) and during emergencies when someone
> has to
> console in, I'd like them to get enable without having to tell them
> the "super secret enable secret".
Ack. But please make sure to define appropriate fallback methods. So in
your case, I would replace
aaa authorization exec default group radius local
by
aaa authorization exec default group radius if-authenticated
I.e. when Radius is not available, authorization succeeds if the user
has authenticated.
oli
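An added illustration (not from the original thread) of the complete AAA block the advice above implies, showing the console switch and the two fallback methods together. The RADIUS server address, shared key and local username are placeholders.

```cisco
! --- constructed example, not the poster's configuration ---
aaa new-model
! Placeholder RADIUS server; 192.0.2.10 and the key are not real values
radius-server host 192.0.2.10 key PLACEHOLDER-SHARED-KEY
!
! Authentication: ask RADIUS first; if RADIUS is unreachable (not if it
! rejects the user), fall back to the local user database.
aaa authentication login default group radius local
!
! Authorization: ask RADIUS for the exec privilege level (the server must
! return it, e.g. Cisco-AVPair "shell:priv-lvl=15"). If RADIUS is
! unreachable, "if-authenticated" grants the exec shell to anyone who
! already passed authentication, so staff not present in the local
! database still get in. The weaker alternative quoted in the thread,
! "aaa authorization exec default group radius local", would instead
! fail authorization for every user without a local entry.
aaa authorization exec default group radius if-authenticated
!
! Console sessions are NOT authorized via AAA unless this is set;
! without it the console user is authenticated but gets no privilege
! level from the server.
aaa authorization console
!
! Local fallback account and enable secret, used only when RADIUS is down
username emergency-admin privilege 15 secret PLACEHOLDER-LOCAL-SECRET
enable secret PLACEHOLDER-ENABLE-SECRET
!
line con 0
 login authentication default
 authorization exec default
```

With this in place, a console login while RADIUS is reachable receives its privilege level from the server, and a console login while RADIUS is down is still authorized because the local authentication succeeded.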