AAA Radius Configuration clarification

saddayzsaddayz Member Posts: 29 ■□□□□□□□□□
Now we're using local authentification, i need to setup a Radius in network devices. There would be two main users groups - Read only and "Configure t" (do all)

1) DO the "aaa authorization exec default group radius local" is mandatory to be able to get to exec mode ?

2) Also sometimes i see people post that command with "if-authentificated" in the end. I wanted to clarify - do "if-authentificated" command is needed only when you're using TACACS+ server - because it authorizes every command ? Do in Radius enviroment "if-authentificated" takes a place ?

Thanks

Comments

  • negru_tudornegru_tudor Senior Member Member Posts: 473 ■■■□□□□□□□
    1) Nope. You can do it through a custom parameter / string that the RADIUS server stores for the user account you're trying to use. This parameter is called ''shell: priv-lvl=x'' where x ranges from 1 (very limited access) to 15 (full access)

    2) IIRC the ''if-authenticated'' command was used for example like if you managed to get authenticated to a device via a RADIUS account, you'd be able to run privileged commands even if the RADIUS server goes down after you were successfully logged onto the device.
    2017-2018 goals:
    [X] CIPTV2 300-075
    [ ] SIP School SSCA
    [X] CCNP Switch 300-115 [X] CCNP Route 300-101 [X] CCNP Tshoot 300-135
    [ ] LPIC1-101 [ ] LPIC1-102 (wishful thinking)
  • saddayzsaddayz Member Posts: 29 ■□□□□□□□□□
    thank you,

    1) so what is the point of that authorization command (aaa authorization exec default group radius local) it's not necessary ?

    2) i thought if you log in and get the priviledge - you are priviledged till the session goes down ? And the TACACS is t he only reason why it would be needed, because TACACS authorizes every command even you are connected to the box... So i guess this thinking is not right anymore :)

    Thanks
  • Harry RolesHarry Roles Member Posts: 19 ■□□□□□□□□□
    Hi

    1. If you want to use AAA with an external database, for example
    2. TACACS+ commands are authorized one by one
  • dontstopdontstop Member Posts: 579 ■■■■□□□□□□
    aaa authorization exec default group radius local
    I've found that without the above configuration your device will only use local enable secret and ignore any shell variables sent via the reply from RADIUS
Sign In or Register to comment.