[c-nsp] aaa different for console logins?

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Wed Jan 12 08:30:41 EST 2005


> 
>> username foo privilege 15 password bar
>> !
>> aaa authen login default group radius local
>> aaa authorization exec default group radius local
>> 
>> if radius is unavailable and you log in with user "foo" and correct
>> password, the exec session will be privileged as exec authorization
>> also falls back to "local".
> 
> Wouldn't that be the desired behavior inferred from the config above?

yes, I guess so.

[...]
> 
> So if radius is broken/unavailable, this'll act like my console radius
> logins were...you get exec, but the privilege level setting is
> ignored. 
> Why would I want that?

My point is: When talking about console login, I don't want any
misconfiguration to prevent me from restoring the configuration as
console is usually the last resort. By ignoring authorization, I'm
already bypassing many things which can go wrong in the authen&author
area. Hence "if-authenticated".

It's up to your "taste" and your operational procedures which fallback
method you choose. Since most people rarely use local authorization,
"if-authenticated" is the same as "local", but "if-authenticated" can't
break if someone misconfigures local authorization.

	oli
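Added example, not from this thread or from Cisco documentation: an IOS configuration that keeps the quoted default lists (RADIUS, then local) for vty sessions and gives the console its own list that falls back to "if-authenticated" as described above. The RADIUS server address and key, the enable secret and the list name CONSOLE are assumptions.

```cisco
! Added example config, not from the thread. The server address/key, the
! enable secret and the list name CONSOLE are assumptions.
aaa new-model
!
! Local fallback account, used only when every RADIUS server is unreachable.
username foo privilege 15 secret bar
enable secret <ENABLE-SECRET>
!
radius-server host 192.0.2.10 key <RADIUS-KEY>
!
! vty logins: the behaviour quoted above. If RADIUS is down, authentication
! and exec authorization both fall back to the local database, so "foo"
! lands directly at privilege 15.
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
! Console: authenticate the same way, but authorize exec with
! "if-authenticated" instead of "local". A successful login is enough to
! get an exec shell; no authorization attributes (privilege level) are
! applied, so the operator starts at the line's privilege level and uses
! "enable" to escalate. A broken local authorization entry cannot lock
! the console out.
aaa authentication login CONSOLE group radius local
aaa authorization exec CONSOLE group radius if-authenticated
!
! Without this, IOS applies no AAA authorization to the console line at all.
aaa authorization console
!
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
!
line vty 0 4
 login authentication default
 authorization exec default
```

Because the console fallback drops the privilege level, the enable secret (or an equivalent enable authentication fallback) is what an operator relies on when RADIUS is unreachable; verify it before depending on this setup.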


