AAA Authorization local

Arie --
Level 1

Hi,

I need to make sure that my understanding is correct.

I have the below configuration on Cisco IOS:

aaa authentication login default none
aaa authentication login secure_ group tacacs+ group radius local
aaa authorization exec default none
aaa authorization exec secure_ group tacacs+ group radius local

The authentication and authorization order is 1) TACACS+; 2) RADIUS; 3) Local. Is that correct?

Then, if the TACACS+ server is down, it will fall back to RADIUS, won't it?

And when RADIUS is also down, it will use the local username, correct?

Also, I don't use the 'if-authenticated' command on the authorization above because there is local as the last fallback option. Is that okay?

Thank you

2 Replies

Jatin Katyal
Cisco Employee

I'm not sure why you have these 2 commands if you want to be authenticated against TACACS+, then RADIUS and then local if the prior method is not available. The below-listed commands will not authenticate the user due to the default list.

aaa authentication login default none

aaa authorization exec default none

Regarding "if-authenticated", read this

~Jatin

Hi,

I'm sorry. Let me put the complete configuration:

aaa authentication login default none
aaa authentication login secure_ group tacacs+ group radius local
aaa authorization exec default none
aaa authorization exec secure_ group tacacs+ group radius local
aaa accounting exec default start-stop group tacacs+ group radius
aaa accounting exec secure_ start-stop group tacacs+ group radius

line con 0

line vty 0 15
login authentication secure_
authorization exec secure_
accounting exec secure_

I have another question regarding the configuration above: if I put "aaa authorization console", does it enable authorization on the console automatically?

Thank you
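
Added example, not part of any post in this thread and not Cisco code: a small Python check that resolves which `aaa authentication login` method list each line uses and flags lines whose list contains `none`. It assumes the IOS rule that a line with no `login authentication` command uses the `default` list; the sample config is constructed from the one posted above, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the configuration posted in this thread.
SAMPLE_CONFIG = """\
aaa authentication login default none
aaa authentication login secure_ group tacacs+ group radius local
aaa authorization exec default none
aaa authorization exec secure_ group tacacs+ group radius local
line con 0
line vty 0 15
 login authentication secure_
 authorization exec secure_
"""

def parse_login_lists(config):
    """Map each 'aaa authentication login' list name to its ordered methods."""
    lists = {}
    for raw in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)", raw.strip())
        if m:
            # 'group tacacs+' is a single method, so keep 'group' with its name.
            lists[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))
    return lists

def effective_login_methods(config):
    """Return {line: (list_name, methods)} for every 'line ...' stanza."""
    lists = parse_login_lists(config)
    chosen, current = {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if text.startswith("line "):
            current = text[len("line "):]
            chosen[current] = "default"   # assumption: no explicit list means 'default'
        elif current and text.startswith("login authentication "):
            chosen[current] = text.split()[2]
    # methods is None when the referenced list is not defined in the config
    return {line: (name, lists.get(name)) for line, name in chosen.items()}

def unauthenticated_lines(config):
    """Lines whose effective login list contains the 'none' method."""
    resolved = effective_login_methods(config)
    return sorted(line for line, (_, methods) in resolved.items()
                  if methods and "none" in methods)

if __name__ == "__main__":
    for line, (name, methods) in effective_login_methods(SAMPLE_CONFIG).items():
        print(f"line {line}: list={name} methods={methods}")
    print("lists ending in no credential check:", unauthenticated_lines(SAMPLE_CONFIG))
```

The check covers login authentication only; whether exec authorization is applied on the console is a separate setting and is not evaluated here.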