10 messages in net.nether.puck.cisco-nsp[c-nsp] aaa different for console log...
FromSent OnAttachments
Jon LewisJan 11, 2005 2:17 pm 
Jon LewisJan 11, 2005 3:08 pm 
Oliver Boehmer (oboehmer)Jan 11, 2005 3:34 pm 
John LyonsJan 11, 2005 3:50 pm 
Jon LewisJan 11, 2005 8:50 pm 
Oliver Boehmer (oboehmer)Jan 12, 2005 4:11 am 
Jon LewisJan 12, 2005 7:04 am 
Oliver Boehmer (oboehmer)Jan 12, 2005 7:36 am 
Jon LewisJan 12, 2005 8:18 am 
Oliver Boehmer (oboehmer)Jan 12, 2005 8:30 am 
Actions with this message:
Paste this link in email or IM:
Paste this link in email or IM:
Atom feed for this thread
Paste this URL into your reader:
Subject:[c-nsp] aaa different for console logins?Actions...
From:Oliver Boehmer (oboehmer) (oboe@cisco.com)
Date:Jan 12, 2005 8:30:35 am
List:net.nether.puck.cisco-nsp

username foo privilege 15 password bar ! aaa authen login default group radius local aaa authorization exec default group radius local

if radius is unavailable and you log in with user "foo" and correct password, the exec session will be privileged as exec authorization also falls back to "local".

Wouldn't that be the desired behavior infered from the config above?

yes, I guess so.

[...]

So if radius is broken/unavailable, this'll act like my console radius logins were...you get exec, but the privilege level setting is ignored. Why would I want that?

My point is: When talking about console login, I don't want any misconfiguration to prevent me from restoring the configuration as console is usaully the last resort. By ignoring authorization, I'm already bypassing many things which can go wrong in the authen&author area. Hence "if-authenticated".

It's up to your "taste" and your operational procedures which fallback method you choose. Since most people rarely use local authorization, "if-authenticated" is the same as "local", but "if-authenticated" can't break if someone misconfigurs local autorization..

oli