[c-nsp] aaa different for console logins?
Jon Lewis
jlewis at lewis.org
Wed Jan 12 08:17:48 EST 2005
On Wed, 12 Jan 2005, Oliver Boehmer (oboehmer) wrote:
> username foo privilege 15 password bar
> !
> aaa authen login default group radius local
> aaa authorization exec default group radius local
>
> if radius is unavailable and you log in with user "foo" and correct
> password, the exec session will be privileged as exec authorization also
> falls back to "local".
Wouldn't that be the desired behavior inferred from the config above?
> username foo privilege 15 password bar
> !
> aaa authen login default group radius local
> aaa authorization exec default group radius if-authenticated
>
> In this case, "privilege 15" will be ignored if radius server is
> unavailable (due to "if-authenticated" fallback method) and your shell
> is unprivileged.
So if radius is broken/unavailable, this'll act like my console radius
logins were...you get exec, but the privilege level setting is ignored.
Why would I want that?
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
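
An added example, not part of the original post: a small Python audit that reads an IOS configuration and reports what exec privilege each local user gets when RADIUS is unreachable, using only the two fallback behaviours described in the thread. The function names are hypothetical, the sample configs are constructed from the quoted lines, and every `group <name>` method is assumed to be unreachable.

```python
import re

# Constructed inputs: the two configuration variants quoted in the thread.
USER = "username foo privilege 15 password bar\n!\naaa authen login default group radius local\n"
CONFIG_LOCAL = USER + "aaa authorization exec default group radius local\n"
CONFIG_IF_AUTH = USER + "aaa authorization exec default group radius if-authenticated\n"


def parse(config):
    """Return ({local user: configured privilege}, exec authorization default method list)."""
    users, methods = {}, []
    for line in config.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] == "username":
            level = re.search(r"\bprivilege (\d+)", line)
            users[words[1]] = int(level.group(1)) if level else 1  # IOS default level is 1
        elif (len(words) > 4 and words[0] == "aaa" and words[2:4] == ["exec", "default"]
              and words[1].startswith("author") and "authorization".startswith(words[1])):
            methods = words[4:]  # keyword may be abbreviated, as "authen" is in the thread
    return users, methods


def radius_down_outcome(config):
    """Exec privilege each local user ends up with when no RADIUS server answers."""
    users, methods = parse(config)
    fallback, i = [], 0
    while i < len(methods):          # drop every "group <name>" pair: assumed unreachable
        if methods[i] == "group":
            i += 2
        else:
            fallback.append(methods[i])
            i += 1
    outcome = {}
    for user, level in users.items():
        if fallback[:1] == ["local"]:
            outcome[user] = level        # local authorization applies the username's level
        elif fallback[:1] == ["if-authenticated"]:
            outcome[user] = None         # exec granted, configured level ignored (per the thread)
        else:
            outcome[user] = "not covered by the thread"
    return outcome


if __name__ == "__main__":
    for name, cfg in (("local", CONFIG_LOCAL), ("if-authenticated", CONFIG_IF_AUTH)):
        print(name, radius_down_outcome(cfg))
```

A result of `None` means the user still gets an exec session but without the configured privilege level, which is the `if-authenticated` case discussed above.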