GroupStudy.com GroupStudy.com - A virtual community of network engineers
 Home  BookStore  StudyNotes  Links  Archives  StudyRooms  HelpWanted  Discounts  Login
RE: aaa authorization (last method) posted 11/04/2003
[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]


Hi Guys,

I just tested a scenario like yours and noticed different results based
on the IOS version I was testing on (12.2.19 and 12.2.15T7).
The result I got on the T release was much in line with what I was
expecting:

For Example:
Aaa new-model
aaa authentication login default group radius none
aaa authorization exec default group radius if-authenticated none
radius-server host 133.1.50.100 key cisco

1) 12.2.15T7 and 12.2.19. The Radius server is reachable and user2 is
not defined on the Radius server, an access-reject is received and
authentication fails. The method "none" is never tested.

User2 telnets:
User Access Verification

Username: user2
Password: 

% Authentication failed.

2) 12.2.15T7. It's where it's getting interesting, the Radius server is
now not reachable but user2 gets through: he is not authenticated
(authentication method is none) but he gets authorized since "none" is a
valid method in the authorization list. 

User Access Verification

Username: user2
Password: 

R2>

With version 12.2.19, I get a different result, user2 is not authorized,
the method "none" is not tested. The process stops at "if-authenticated"
and doesn't consider "none" as a backup method.
I get:
User Access Verification

Username: user2
Password: 
% Backup authentication
% Authorization failed.

When debugging aaa authorization, I can see that "none" is not even
tested.
11:57:27: tty66 AAA/AUTHOR/EXEC (4095996851): send AV service=shell
11:57:27: tty66 AAA/AUTHOR/EXEC (4095996851): send AV cmd*
11:57:27: tty66 AAA/AUTHOR/EXEC (4095996851): found list "default"
11:57:27: tty66 AAA/AUTHOR/EXEC (4095996851): Method=radius (radius)
11:57:47: AAA/AUTHOR (4095996851): Post authorization status = ERROR
11:57:47: tty66 AAA/AUTHOR/EXEC (4095996851): Method=IF_AUTHEN
11:57:47: AAA/AUTHOR (4095996851): Post authorization status = FAIL
11:57:47: AAA/AUTHOR/EXEC: Authorization FAILED 

Dmitry, I am not sure this replies to your initial question but as you
can see, there is a difference between if-authenticated and none at
least in the T release. "None" authorizes a user not authenticated.
"If-authenticated" authorizes a user as long as he was authenticated. 

Thanks,

Fabrice Bobes
CCIE #8609 (R&S, Security)
http://www.6CoLabs.com


-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
Volkov Dmitry
Sent: Monday, November 03, 2003 3:56 PM
To: 'Bob Sinclair'
Cc: security@xxxxxxxxxxxxxx; ccielab@xxxxxxxxxxxxxx
Subject: RE: aaa authorization (last method)

Bob, see inline

> -----Original Message-----
> From: Bob Sinclair [mailto:bsin@xxxxxxx]
> Sent: Monday, November 03, 2003 6:32 PM
> To: dmitry.volkov@xxxxxxxxxx; security@xxxxxxxxxxxxxx
> Cc: ccielab@xxxxxxxxxxxxxx
> Subject: Re: aaa authorization (last method)
>
>
> Dmitry,
>
> It seems to me that in order to pass the "if-authenticated"
> method, AAA
> server needs to be reachable.

Why ?? You ALREADY authenticated and "if-authenticated" will allow to
authorize .

> What if you successfully
> authenticate and
> then shut down the interface you would use to get to the AAA
> server?  Would
> you be able to no-shut it without the "none" fallback?

Why not - since You already have been authenticated.

>
> What if the AAA server is unreachable and you authenticate
> with a "none" or
> "local" fallback.  You would be "authenticated" but if the
> AAA server is
> unreachable, will you be able authorized without the "none"
> fallback?  I

Sure, as soon as condition "to be authenticated" is valid/completed You
will
get exec, netw services or commands


> don't think so, but we can lab it up.
>
> HTH,
>
> -Bob Sinclair
>  CCIE #10427, CISSP, MCSE
>
> ----- Original Message -----
> From: "Volkov Dmitry" <dmitry.volkov@xxxxxxxxxx>
> To: "'Bob Sinclair'" <bsin@xxxxxxx>; <security@xxxxxxxxxxxxxx>
> Cc: <ccielab@xxxxxxxxxxxxxx>
> Sent: Monday, November 03, 2003 6:10 PM
> Subject: RE: aaa authorization (last method)
>
>
> > Bob,
> >
> > I read it before but didn't get clarity...
> > It appears to me both last resort  methods "none" and
> "if-authenticated"
> are
> > the same when they used as last one in authorization process.
> >
> > I don't get the difference.
> > Can You be not authenticated and still proceed authorization ?
> >
> >
> > Thanks,
> > Dmitry
> >
> > > -----Original Message-----
> > > From: Bob Sinclair [mailto:bsin@xxxxxxx]
> > > Sent: Monday, November 03, 2003 5:54 PM
> > > To: Volkov Dmitry; security@xxxxxxxxxxxxxx
> > > Cc: ccielab@xxxxxxxxxxxxxx
> > > Subject: Re: aaa authorization (last method)
> > >
> > >
> > > Dmitry,
> > >
> > > Most of the docs do indicate that "if-authenticated" should
> > > normally be the
> > > last method: either you are authenticated and therefore
> > > permitted, or you
> > > are not authenticated and the method fails - failing a method
> > > does not allow
> > > you to try other methods.   Adding the "none" option
> appears to be a
> > > fail-safe in the case of a down or unreachable server.  See
> > > the link below:
> > >
> > > http://www.cisco.com/en/US/partner/netsol/ns341/ns396/ns7/ns18
> > > /networking_solutions_design_guide_chapter09186a00800f48eb.htm
> > > l#1009459
> > >
> > >
> > > -Bob Sinclair
> > >  CCIE #10427, CISSP, MCSE
> > >
> > > ----- Original Message -----
> > > From: "Volkov Dmitry" <dmitry.volkov@xxxxxxxxxx>
> > > To: <security@xxxxxxxxxxxxxx>
> > > Cc: <ccielab@xxxxxxxxxxxxxx>
> > > Sent: Monday, November 03, 2003 10:36 AM
> > > Subject: aaa authorization (last method)
> > >
> > >
> > > > Does it make any sense to use both methods:
> > > "if-authenticated" and "none"
> > > > within the same aaa authorization list.
> > > > for ex : aaa authorization exec TEST group tacacs+
> > > if-authenticated none
> > > >
> > > > from com ref:
> > > > If-AuthenticatedThe user is allowed to access the
> > > requested function
> > > > provided the user has been authenticated successfully.
> > > > NoneThe network access server does not request
> > > authorization information;
> > > > authorization is not performed over this line/interface.
> > > >
> > > > Is it possible: to be not authenticated (for any
> reasons) and still
> > > request
> > > > authorization ?
> > > > AFAIK authorization happens after authentication (logically).
> > > > What is the difference to use "if-authenticated" comparing
> > > with "none" in
> > > > this context ?
> > > >
> > > > Thanks,
> > > > Dmitry