10 messages in net.nether.puck.cisco-nsp[c-nsp] aaa different for console log...
FromSent OnAttachments
Jon LewisJan 11, 2005 2:17 pm 
Jon LewisJan 11, 2005 3:08 pm 
Oliver Boehmer (oboehmer)Jan 11, 2005 3:34 pm 
John LyonsJan 11, 2005 3:50 pm 
Jon LewisJan 11, 2005 8:50 pm 
Oliver Boehmer (oboehmer)Jan 12, 2005 4:11 am 
Jon LewisJan 12, 2005 7:04 am 
Oliver Boehmer (oboehmer)Jan 12, 2005 7:36 am 
Jon LewisJan 12, 2005 8:18 am 
Oliver Boehmer (oboehmer)Jan 12, 2005 8:30 am 
Actions with this message:
Paste this link in email or IM:
Paste this link in email or IM:
Atom feed for this thread
Paste this URL into your reader:
Subject:[c-nsp] aaa different for console logins?Actions...
From:Jon Lewis (jle@lewis.org)
Date:Jan 12, 2005 8:18:35 am
List:net.nether.puck.cisco-nsp

On Wed, 12 Jan 2005, Oliver Boehmer (oboehmer) wrote:

username foo privilege 15 password bar ! aaa authen login default group radius local aaa authorization exec default group radius local

if radius is unavailable and you log in with user "foo" and correct password, the exec session will be privileged as exec authorization also falls back to "local".

Wouldn't that be the desired behavior infered from the config above?

username foo privilege 15 password bar ! aaa authen login default group radius local aaa authorization exec default group radius if-authenticated

In this case, "privilege 15" will be ignored if radius server is unavailable (due to "if-authenticated" fallback method) and your shell is unprivileged.

So if radius is broken/unavailable, this'll act like my console radius logins were...you get exec, but the privilege level setting is ignored. Why would I want that?

---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________