AAA Radius Configuration clarification

Now we're using local authentification, i need to setup a Radius in network devices. There would be two main users groups - Read only and "Configure t" (do all)

1) DO the "aaa authorization exec default group radius local" is mandatory to be able to get to exec mode ?

2) Also sometimes i see people post that command with "if-authentificated" in the end. I wanted to clarify - do "if-authentificated" command is needed only when you're using TACACS+ server - because it authorizes every command ? Do in Radius enviroment "if-authentificated" takes a place ?

Thanks

Find more posts tagged with

Comments

negru_tudor

1) Nope. You can do it through a custom parameter / string that the RADIUS server stores for the user account you're trying to use. This parameter is called ''shell: priv-lvl=x'' where x ranges from 1 (very limited access) to 15 (full access)

2) IIRC the ''if-authenticated'' command was used for example like if you managed to get authenticated to a device via a RADIUS account, you'd be able to run privileged commands even if the RADIUS server goes down after you were successfully logged onto the device.

saddayz

thank you,

1) so what is the point of that authorization command (aaa authorization exec default group radius local) it's not necessary ?

2) i thought if you log in and get the priviledge - you are priviledged till the session goes down ? And the TACACS is t he only reason why it would be needed, because TACACS authorizes every command even you are connected to the box... So i guess this thinking is not right anymore

Thanks

Harry Roles

Hi

1. If you want to use AAA with an external database, for example
2. TACACS+ commands are authorized one by one

dontstop

aaa authorization exec default group radius local

I've found that without the above configuration your device will only use local enable secret and ignore any shell variables sent via the reply from RADIUS