Question about aaa's default command.

thehourmanthehourman Posts: 723Member
I am a little confuse on what exactly is the default command for.
For example, what is the difference between these two commands?
aaa authorization exec default local
aaa authorization exec TEST local

Thanks
Studying:
Working on CCNA: Security. Start date: 12.28.10
Microsoft 70-640 - on hold (This is not taking me anywhere. I started this in October, and it is December now, I am still on page 221. WTH!)
Reading:
Network Warrior - Currently at Part II
Reading IPv6 Essentials 2nd Edition - on hold

Comments

  • AhriakinAhriakin SupremeNetworkOverlord Posts: 1,800Member
    The default will be used if you enable AAA for any particular function but do not specify an explicit method-group. E.g. on the 2nd line you are creating the TEST AAA method, say you actually set that to TACACS+ LOCAL then you could leave the default as local but set your VTY lines to use the TEST method (thereby requiring remote AAA on these first, but leaving all others to use the local database).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • thehourmanthehourman Posts: 723Member
    I understand the local (2nd aaa method.) It is like a backup just in case the aaa server is unreachable or got disconnected. If I remember it right, it can be setup up to 4 methods. Am I right?

    The TEST(list-name) aaa method is used with aaa server, and I should apply it to the line console, vty, interfaces?

    Can you give please me a scenario example of an aaa default, and why the aaa default is used on that scenario?

    Thanks
    Studying:
    Working on CCNA: Security. Start date: 12.28.10
    Microsoft 70-640 - on hold (This is not taking me anywhere. I started this in October, and it is December now, I am still on page 221. WTH!)
    Reading:
    Network Warrior - Currently at Part II
    Reading IPv6 Essentials 2nd Edition - on hold
  • AhriakinAhriakin SupremeNetworkOverlord Posts: 1,800Member
    Having 2 method lists (TEST and default above) is a bit different to having multiple AAA services configured for that method...I'm probably not explaining this well (AAA is not my strongest point, it's one of those things you template for your appliances, do once and then forget about it...well that's my excuse anyway ;) ) but say you wanted to use an ACS server with TACACS+ but fallback to Local when it is unavailable (as you described) you just need one method list but can specify multiple actual AAA services on it. e.g.
    "aaa authorization exec default TACACS+ local"
    (Where TACACS+ is your own defined group, as protocol tacacs+)

    That's all you need to meet the fallback requirements. Using a second statement is only really applicable for things like authentication (or accounting) where you might have different policy requirements depending on just how the user has accessed the system (e.g.VTY vs. Console). Since the exec process is independant of your terminal source it should only be specified once.
    Where you would want multiple lists depends on your policy. One example might be an access server, you could define the default list as your own AAA/Local but maybe want a backdoor through a rotary line that only uses local. In this case set the default to the 2 methods, do a 2nd list with just local and specify it as the AAA list for login on the rotary. I'm not recommending you do this, just illustrating the point.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
Sign In or Register to comment.