AAA authorization confusion

bermovick Member Posts: 1,135
I'm having a really difficult time understanding how AAA authorization works from the official cert guide. They only really list a single page on it, and while it has examples, it doesn't really go into enough detail on what the examples mean, or do anything to show how it's tied in with anything else. (That last bit may not make sense, but below you'll see why I mention it.)

Here's one of the examples given:
aaa authorization commands 15 goofy local

I can break down most of the command well enough; it checks level 15 commands against the local user database. The part where I get stuck is "for the goofy method list".

At first I'm thinking it has something to do with the method lists you create for aaa authentication which are then applied to aux/con/vty lines, but that doesn't really seem to make sense; you're using those lists to specify what method to use to authenticate on each line; so you wouldn't need to specify 'local' again I'd think if you were trying to link the 2. "Method goofy uses the local database. It's assigned to the vty lines and is used to authorize level 15 commands". Just doesn't really seem right.

I dunno, maybe I'm thinking in circles, but I can't see any other purpose for the 'goofy' in that line. A simple "aaa authorization commands 15 local" I could understand completely. What am I missing?
Latest Completed: CISSP

Current goal: Dunno

Comments

  • adi3112 Member Posts: 2
    I know the topic is kinda old, but maybe it will be helpful for others.

    You use the method lists if you want to have multiple authorization methods.
    Let's say for console connection you want to use a type of auth and for VTY another type of authorization.
    "goofy local" for console means that it will use only the local database.
    "goofy2 group tacacs+ local" for VTY will use tacacs+ first and if the AAA server isn't reachable it will revert to the local database.
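How a named authorization list ties to a line, as an added example that is not part of the thread or the cert guide: the list name only takes effect where it is applied under a line with `authorization commands`. The list names come from the posts above; the `default` list, the line ranges, and a TACACS+ server and a privilege-15 local user configured elsewhere are assumptions.

```cisco
! Added illustration, not from the original posts.
aaa new-model
!
! Named method lists for authorizing privilege level 15 commands.
! "goofy"  : local database only.
! "goofy2" : TACACS+ first, local only if the server does not respond.
aaa authorization commands 15 goofy local
aaa authorization commands 15 goofy2 group tacacs+ local
!
! Assumed fallback list: used by any line that has no named list applied.
aaa authorization commands 15 default group tacacs+ local
!
! Command authorization is not enforced on the console unless this is set.
aaa authorization console
!
! The name is what links a method list to a line.
line con 0
 authorization commands 15 goofy
!
line vty 0 4
 authorization commands 15 goofy2
```

A line with no `authorization commands 15 <name>` statement uses the `default` list, which is why the unnamed form in the question and a named list can behave differently on the same device.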