AAA Radius Configuration clarification

saddayz

Now we're using local authentification, i need to setup a Radius in network devices. There would be two main users groups - Read only and "Configure t" (do all)

1) DO the "aaa authorization exec default group radius local" is mandatory to be able to get to exec mode ?

2) Also sometimes i see people post that command with "if-authentificated" in the end. I wanted to clarify - do "if-authentificated" command is needed only when you're using TACACS+ server - because it authorizes every command ? Do in Radius enviroment "if-authentificated" takes a place ?

Thanks

negru_tudor

1) Nope. You can do it through a custom parameter / string that the RADIUS server stores for the user account you're trying to use. This parameter is called ''shell: priv-lvl=x'' where x ranges from 1 (very limited access) to 15 (full access)

2) IIRC the ''if-authenticated'' command was used for example like if you managed to get authenticated to a device via a RADIUS account, you'd be able to run privileged commands even if the RADIUS server goes down after you were successfully logged onto the device.