  1. Junior Member
    Join Date
    Sep 2010
    Posts
    24
    #1

    AAA Radius Configuration clarification

    Right now we're using local authentication; I need to set up RADIUS on our network devices. There would be two main user groups - Read only and "Configure t" (do all)

    1) Is "aaa authorization exec default group radius local" mandatory to be able to get to exec mode?

    2) Also, sometimes I see people post that command with "if-authenticated" at the end. I wanted to clarify - is "if-authenticated" needed only when you're using a TACACS+ server, because it authorizes every command? Does "if-authenticated" have a place in a RADIUS environment?

    Thanks

  3. Senior Member
    Join Date
    Jan 2015
    Location
    Cluj-Napoca, RO
    Posts
    302

    Certifications
    Several (ITIL, Avaya, ShoreTel, Cisco)
    #2
    1) Nope. You can do it through a custom parameter / string that the RADIUS server stores for the user account you're trying to use. This parameter is called ''shell: priv-lvl=x'' where x ranges from 1 (very limited access) to 15 (full access)

    2) IIRC the ''if-authenticated'' command was used for example like if you managed to get authenticated to a device via a RADIUS account, you'd be able to run privileged commands even if the RADIUS server goes down after you were successfully logged onto the device.
    2017-2018 goals:
    [ ] CIPTV2 300-075
    [ ] SIP School SSCA
    [X] CCNP Switch 300-115 [ ] CCNP Route 300-101 [ ] CCNP Tshoot 300-135
    [ ] LPIC1-101 [ ] LPIC1-102 (wishful thinking)

  4. Junior Member
    Join Date
    Sep 2010
    Posts
    24
    #3
    Thank you,

    1) So what is the point of that authorization command (aaa authorization exec default group radius local)? It's not necessary?

    2) I thought if you log in and get the privilege - you are privileged till the session goes down? And TACACS is the only reason why it would be needed, because TACACS authorizes every command even when you are connected to the box... So I guess this thinking is not right anymore

    Thanks

  5. Junior Member
    Join Date
    Aug 2017
    Posts
    16
    #4
    Hi

    1. If you want to use AAA with an external database, for example
    2. TACACS+ commands are authorized one by one
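
An IOS configuration for the setup discussed in this thread, added here as an example and not posted by any participant. The server name RAD1, the 192.0.2.10 address, the fallback account name and the bracketed secrets are placeholders.

```cisco
! Constructed example: names, address and secrets are placeholders.
aaa new-model
!
radius server RAD1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! Login authentication: ask RADIUS first. "local" is consulted only when
! no RADIUS server answers (an error), not when the server rejects the user.
aaa authentication login default group radius local
!
! Exec authorization: with this method list IOS applies the attributes
! returned in the RADIUS Access-Accept, including priv-lvl, when the
! exec session starts. Methods are tried in order, and the next one is
! used only if the previous one returns an error.
! "if-authenticated" authorizes the session for any user who has already
! passed authentication.
aaa authorization exec default group radius local if-authenticated
!
! Local account used when RADIUS is unreachable.
username fallback-admin privilege 15 secret <local-password>
!
! RADIUS hands over authorization attributes once, at login. It has no
! per-command authorization; that is a TACACS+ feature configured with
! "aaa authorization commands <level> ...".
!
! RADIUS server side, one Cisco AV-pair per user group
! (the two groups from the first post):
!   read-only group : cisco-avpair = "shell:priv-lvl=1"
!   full-access group: cisco-avpair = "shell:priv-lvl=15"
!
! Check after logging in with an account from each group:
!   show privilege
```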
