Subject: [c-nsp] aaa different for console logins?
From: Oliver Boehmer (oboehmer) (oboe@cisco.com)
Date: Jan 12, 2005 7:36:20 am
List: net.nether.puck.cisco-nsp

> > Ack. But please make sure to define appropriate fallback methods. So in
> > your case, I would replace
> >
> >     aaa authorization exec default group radius local
> >
> > by
> >
> >     aaa authorization exec default group radius if-authenticated
> >
> > I.e. when Radius is not available, authorization succeeds if the user
> > has authenticated.
>
> I'll test this, but my impression was that with the local on the end,
> when radius is unavailable, locally defined usernames are used and the
> enable secret is still used when enabling from an exec level local user.

Don't confuse authorization with authentication. Let's make a more sophisticated example:

    username foo privilege 15 password bar
    !
    aaa authentication login default group radius local
    aaa authorization exec default group radius local

If radius is unavailable and you log in with user "foo" and the correct password, the exec session will be privileged, as exec authorization also falls back to "local".

    username foo privilege 15 password bar
    !
    aaa authentication login default group radius local
    aaa authorization exec default group radius if-authenticated

In this case, "privilege 15" will be ignored if the radius server is unavailable (due to the "if-authenticated" fallback method) and your shell is unprivileged.

oli
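Added example, not code from the thread or from Cisco: a small Python model of how IOS walks an AAA method list, written to show why "group radius local" and "group radius if-authenticated" behave differently as exec-authorization fallbacks, and why the fallback only engages when RADIUS is unreachable, not when it rejects the user. The model assumes that only an ERROR (no server response) moves to the next method while a FAIL (reject) stops the list, that "if-authenticated" leaves the shell at the line's default level (taken here as 1), and that "local" exec authorization applies the privilege from the local "username" entry and fails when no such entry exists. The user tables are constructed sample data.

```python
# Toy model of IOS AAA method-list fall-through (added example, not from the
# thread). Assumptions, labelled as such: only ERROR falls through to the next
# method; FAIL stops the list; "if-authenticated" yields the line default
# privilege (assumed 1); "local" authorization needs a local username entry.

RADIUS_UP, RADIUS_DOWN = "up", "down"

# Constructed local database, equivalent to:
#   username foo privilege 15 password bar
LOCAL_USERS = {"foo": {"password": "bar", "privilege": 15}}

# Constructed RADIUS database. foo's RADIUS password deliberately differs
# from the local one so that a reject and a timeout can be told apart.
RADIUS_USERS = {"foo": {"password": "radius-pw", "privilege": 15}}


def run_method_list(methods, try_method):
    """Walk a method list left to right. try_method returns ("PASS", data),
    ("FAIL", None) or ("ERROR", None); only ERROR moves to the next method."""
    for method in methods:
        status, data = try_method(method)
        if status != "ERROR":
            return status, data
    return "ERROR", None  # every method errored: the request is denied


def login(user, password, methods, radius_state):
    """aaa authentication login: True if the login is accepted."""
    def try_method(method):
        if method == "group radius":
            if radius_state == RADIUS_DOWN:
                return "ERROR", None
            rec = RADIUS_USERS.get(user)
            ok = rec is not None and rec["password"] == password
            return ("PASS", None) if ok else ("FAIL", None)
        if method == "local":
            rec = LOCAL_USERS.get(user)
            ok = rec is not None and rec["password"] == password
            return ("PASS", None) if ok else ("FAIL", None)
        raise ValueError("unmodelled method: " + method)
    status, _ = run_method_list(methods, try_method)
    return status == "PASS"


def exec_authorize(user, authenticated, methods, radius_state):
    """aaa authorization exec: the shell's privilege level, or None if denied."""
    def try_method(method):
        if method == "group radius":
            if radius_state == RADIUS_DOWN:
                return "ERROR", None
            rec = RADIUS_USERS.get(user)
            return ("PASS", rec["privilege"]) if rec else ("FAIL", None)
        if method == "local":
            rec = LOCAL_USERS.get(user)
            return ("PASS", rec["privilege"]) if rec else ("FAIL", None)
        if method == "if-authenticated":
            # Succeeds without consulting any user record, so no privilege
            # attribute is applied and the line default (assumed 1) remains.
            return ("PASS", 1) if authenticated else ("FAIL", None)
        raise ValueError("unmodelled method: " + method)
    status, priv = run_method_list(methods, try_method)
    return priv if status == "PASS" else None


def session(user, password, authn_methods, authz_methods, radius_state):
    """Full login: authentication, then exec authorization.
    Returns the resulting privilege level, or None if the login is refused."""
    if not login(user, password, authn_methods, radius_state):
        return None
    return exec_authorize(user, True, authz_methods, radius_state)


# The two configurations from the message above, as method lists.
AUTHN = ["group radius", "local"]                      # aaa authentication login default group radius local
AUTHZ_LOCAL = ["group radius", "local"]                # aaa authorization exec default group radius local
AUTHZ_IFAUTH = ["group radius", "if-authenticated"]    # aaa authorization exec default group radius if-authenticated

if __name__ == "__main__":
    for authz in (AUTHZ_LOCAL, AUTHZ_IFAUTH):
        for state in (RADIUS_UP, RADIUS_DOWN):
            print(authz[-1], state, session("foo", "bar", AUTHN, authz, state))
```

With RADIUS down, the "local" list gives foo a level-15 shell and the "if-authenticated" list gives a level-1 shell. With RADIUS up and answering, the local password "bar" is rejected and the list never reaches "local" at all, which is the case to keep in mind when testing a fallback: a wrong password exercises a reject, only an unreachable server exercises the fallback method.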