RE: aaa authorization (last method)

From: Volkov Dmitry (dmitry.volkov@rogers.com)
Date: Tue Nov 04 2003 - 17:14:29 GMT-3


Fabrice,

I guess I understand now. My mistake was that I thought "none" was not the
absence of authentication at all but authentication
without checking credentials, i.e. unconditional allowance to get
in, which I would still consider "authentication".
Looks like I was wrong and "none" means disabling authentication, i.e.
removing the first A from AAA.
So, if you were not authenticated, because you proceeded via method "none", you
would fail method "if-authenticated" in "aaa authorization":
1d01h: tty2 AAA/AUTHOR/EXEC (3042340556): Method=IF_AUTHEN
1d01h: AAA/AUTHOR (3042340556): Post authorization status = FAIL
This makes sense.

However I found that the documentation is not very clear regarding the definition
of "none":
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/faaacr/srfathen.htm#1042397
To specify that the AUTHENTICATION SHOULD SUCCEED even if all methods return
an error, specify none as the final method in the command line.
and here:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/faaacr/srfauth.htm#1017390
Defaults
Authorization is DISABLED for all actions (EQUIVALENT to the method keyword
NONE).

Thank You,

Dmitry

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On
> Behalf Of Fabrice Bobes
> Sent: Tuesday, November 04, 2003 1:13 AM
> To: 'Volkov Dmitry'; 'Bob Sinclair'
> Cc: security@groupstudy.com; ccielab@groupstudy.com
> Subject: RE: aaa authorization (last method)
>
>
> Hi Guys,
>
> I just tested a scenario like yours and noticed different results based
> on the IOS version I was testing on (12.2.19 and 12.2.15T7).
> The result I got on the T release was much in line with what I was
> expecting:
>
> For Example:
> aaa new-model
> aaa authentication login default group radius none
> aaa authorization exec default group radius if-authenticated none
> radius-server host 133.1.50.100 key cisco
>
> 1) 12.2.15T7 and 12.2.19. The Radius server is reachable and user2 is
> not defined on the Radius server, an access-reject is received and
> authentication fails. The method "none" is never tested.
>
> User2 telnets:
> User Access Verification
>
> Username: user2
> Password:
>
> % Authentication failed.
>
> 2) 12.2.15T7. It's where it's getting interesting: the Radius server is
> now not reachable but user2 gets through: he is not authenticated
> (authentication method is none) but he gets authorized since "none" is a
> valid method in the authorization list.
>
> User Access Verification
>
> Username: user2
> Password:
>
> R2>
>
> With version 12.2.19, I get a different result: user2 is not authorized,
> the method "none" is not tested. The process stops at "if-authenticated"
> and doesn't consider "none" as a backup method.
> I get:
> User Access Verification
>
> Username: user2
> Password:
> % Backup authentication
> % Authorization failed.
>
> When debugging aaa authorization, I can see that "none" is not even
> tested.
> 11:57:27: tty66 AAA/AUTHOR/EXEC (4095996851): send AV service=shell
> 11:57:27: tty66 AAA/AUTHOR/EXEC (4095996851): send AV cmd*
> 11:57:27: tty66 AAA/AUTHOR/EXEC (4095996851): found list "default"
> 11:57:27: tty66 AAA/AUTHOR/EXEC (4095996851): Method=radius (radius)
> 11:57:47: AAA/AUTHOR (4095996851): Post authorization status = ERROR
> 11:57:47: tty66 AAA/AUTHOR/EXEC (4095996851): Method=IF_AUTHEN
> 11:57:47: AAA/AUTHOR (4095996851): Post authorization status = FAIL
> 11:57:47: AAA/AUTHOR/EXEC: Authorization FAILED
>
> Dmitry, I am not sure this replies to your initial question but as you
> can see, there is a difference between if-authenticated and none at
> least in the T release. "None" authorizes a user not authenticated.
> "If-authenticated" authorizes a user as long as he was authenticated.
>
> Thanks,
>
> Fabrice Bobes
> CCIE #8609 (R&S, Security)
> http://www.6CoLabs.com
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> Behalf Of
> Volkov Dmitry
> Sent: Monday, November 03, 2003 3:56 PM
> To: 'Bob Sinclair'
> Cc: security@groupstudy.com; ccielab@groupstudy.com
> Subject: RE: aaa authorization (last method)
>
> Bob, see inline
>
> > -----Original Message-----
> > From: Bob Sinclair [mailto:bsin@cox.net]
> > Sent: Monday, November 03, 2003 6:32 PM
> > To: dmitry.volkov@rogers.com; security@groupstudy.com
> > Cc: ccielab@groupstudy.com
> > Subject: Re: aaa authorization (last method)
> >
> >
> > Dmitry,
> >
> > It seems to me that in order to pass the "if-authenticated" method,
> > the AAA server needs to be reachable.
>
> Why?? You are ALREADY authenticated and "if-authenticated" will allow
> authorization.
>
> > What if you successfully authenticate and then shut down the interface
> > you would use to get to the AAA server? Would you be able to no-shut it
> > without the "none" fallback?
>
> Why not, since you have already been authenticated.
>
> >
> > What if the AAA server is unreachable and you authenticate with a "none"
> > or "local" fallback. You would be "authenticated" but if the AAA server
> > is unreachable, will you be able to get authorized without the "none"
> > fallback? I
>
> Sure, as soon as the condition "to be authenticated" is valid/completed
> you will get exec, network services or commands
>
>
> > don't think so, but we can lab it up.
> >
> > HTH,
> >
> > -Bob Sinclair
> > CCIE #10427, CISSP, MCSE
> >
> > ----- Original Message -----
> > From: "Volkov Dmitry" <dmitry.volkov@rogers.com>
> > To: "'Bob Sinclair'" <bsin@cox.net>; <security@groupstudy.com>
> > Cc: <ccielab@groupstudy.com>
> > Sent: Monday, November 03, 2003 6:10 PM
> > Subject: RE: aaa authorization (last method)
> >
> >
> > > Bob,
> > >
> > > I read it before but didn't get clarity...
> > > It appears to me both last resort methods "none" and "if-authenticated"
> > > are the same when they are used as the last one in the authorization
> > > process.
> > >
> > > I don't get the difference.
> > > Can you be not authenticated and still proceed with authorization?
> > >
> > >
> > > Thanks,
> > > Dmitry
> > >
> > > > -----Original Message-----
> > > > From: Bob Sinclair [mailto:bsin@cox.net]
> > > > Sent: Monday, November 03, 2003 5:54 PM
> > > > To: Volkov Dmitry; security@groupstudy.com
> > > > Cc: ccielab@groupstudy.com
> > > > Subject: Re: aaa authorization (last method)
> > > >
> > > >
> > > > Dmitry,
> > > >
> > > > Most of the docs do indicate that "if-authenticated" should normally
> > > > be the last method: either you are authenticated and therefore
> > > > permitted, or you are not authenticated and the method fails; failing
> > > > a method does not allow you to try other methods. Adding the "none"
> > > > option appears to be a fail-safe in the case of a down or unreachable
> > > > server. See the link below:
> > > >
> > > > http://www.cisco.com/en/US/partner/netsol/ns341/ns396/ns7/ns18/networking_solutions_design_guide_chapter09186a00800f48eb.html#1009459
> > > >
> > > >
> > > > -Bob Sinclair
> > > > CCIE #10427, CISSP, MCSE
> > > >
> > > > ----- Original Message -----
> > > > From: "Volkov Dmitry" <dmitry.volkov@rogers.com>
> > > > To: <security@groupstudy.com>
> > > > Cc: <ccielab@groupstudy.com>
> > > > Sent: Monday, November 03, 2003 10:36 AM
> > > > Subject: aaa authorization (last method)
> > > >
> > > >
> > > > > Does it make any sense to use both methods "if-authenticated" and "none"
> > > > > within the same aaa authorization list?
> > > > > For example: aaa authorization exec TEST group tacacs+ if-authenticated none
> > > > >
> > > > > From the command reference:
> > > > > If-Authenticated: The user is allowed to access the requested function
> > > > > provided the user has been authenticated successfully.
> > > > > None: The network access server does not request authorization information;
> > > > > authorization is not performed over this line/interface.
> > > > >
> > > > > Is it possible to be not authenticated (for any reasons) and still request
> > > > > authorization?
> > > > > AFAIK authorization happens after authentication (logically).
> > > > > What is the difference between using "if-authenticated" and "none" in
> > > > > this context?
> > > > >
> > > > > Thanks,
> > > > > Dmitry
>
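The method-list behaviour the thread works out by hand (a method returning ERROR hands over to the next method, a method returning PASS or FAIL ends the list, and a login that succeeded only via "none" is not counted as authenticated, so "if-authenticated" then fails) can be modelled in a few dozen lines. The Python below is an added example written for this archive page; it is not IOS code and not anything Fabrice, Bob or Dmitry posted. It follows the documented list semantics and the 12.2.19 debug output quoted above, and deliberately does not model the 12.2.15T7 behaviour Fabrice saw, where "none" after "if-authenticated" was still reached. The RADIUS and local user databases, the way RADIUS exec authorization is approximated (PASS for any user the server knows), and the Python-list form of the method lists are all assumptions for the example.

```python
"""Model of IOS AAA method-list evaluation: ERROR falls through, FAIL stops.

Added example; the rules and outcomes follow the thread's 12.2.19 debug
output and the documented list semantics, not any real IOS code.
"""
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"    # definitive answer: the list stops here
    ERROR = "error"  # no answer (server unreachable): try the next method


@dataclass
class Session:
    username: str
    password: str
    authenticated: bool = False   # set only when a real credential check passed
    trace: list = field(default_factory=list)


# Constructed user databases for the example (assumptions, not from the thread).
RADIUS_USERS = {"user1": "cisco"}    # user2 is deliberately absent, as in the thread
LOCAL_USERS = {"admin": "localpw"}


def run_method(method, phase, session, radius_up):
    """Outcome of one method for one phase ('authentication' or 'authorization')."""
    if method == "group radius":
        if not radius_up:
            return Result.ERROR                     # timeout, not a reject
        if phase == "authentication":
            ok = RADIUS_USERS.get(session.username) == session.password
        else:
            ok = session.username in RADIUS_USERS   # server has attributes for the user
        return Result.PASS if ok else Result.FAIL   # access-reject is a FAIL
    if method == "local":
        if phase == "authentication":
            ok = LOCAL_USERS.get(session.username) == session.password
        else:
            ok = session.username in LOCAL_USERS
        return Result.PASS if ok else Result.FAIL
    if method == "none":
        return Result.PASS                          # nothing is checked at all
    if method == "if-authenticated":
        return Result.PASS if session.authenticated else Result.FAIL
    raise ValueError(f"unknown method {method!r}")


def evaluate(method_list, phase, session, radius_up):
    """Walk the list: only ERROR moves to the next method; PASS/FAIL end it."""
    for method in method_list:
        result = run_method(method, phase, session, radius_up)
        session.trace.append(f"{phase}: Method={method} -> {result.value}")
        if result is Result.ERROR:
            continue
        if result is Result.PASS and phase == "authentication" and method != "none":
            session.authenticated = True   # 'none' lets you in but does not authenticate
        return result
    return Result.FAIL   # every method errored and no 'none' at the end: login fails


def login(username, password, auth_list, authz_list, radius_up):
    """Login on a vty: authentication list first, then exec authorization."""
    s = Session(username, password)
    if evaluate(auth_list, "authentication", s, radius_up) is not Result.PASS:
        return "% Authentication failed.", s.trace
    if evaluate(authz_list, "authorization", s, radius_up) is not Result.PASS:
        return "% Authorization failed.", s.trace
    return "R2>", s.trace


# The lists from the thread, and a fallback that keeps a credential check.
THREAD_AUTH = ["group radius", "none"]
THREAD_AUTHZ = ["group radius", "if-authenticated", "none"]
HARDENED_AUTH = ["group radius", "local"]
HARDENED_AUTHZ = ["group radius", "if-authenticated"]

if __name__ == "__main__":
    cases = [
        ("user2", "x", THREAD_AUTH, THREAD_AUTHZ, True),    # reachable server, unknown user
        ("user2", "x", THREAD_AUTH, THREAD_AUTHZ, False),   # server down: stops at if-authenticated
        ("user2", "x", THREAD_AUTH, ["group radius", "none"], False),  # server down: walk-in
        ("admin", "localpw", HARDENED_AUTH, HARDENED_AUTHZ, False),
    ]
    for case in cases:
        outcome, trace = login(*case)
        print(f"{case[0]} radius_up={case[4]} -> {outcome}")
        for line in trace:
            print("   ", line)
```

The third case is the one to keep in mind when reading the thread: with "none" closing both the authentication and the authorization list, anyone who can make the RADIUS server unreachable (or simply wait for it to go down) gets an exec prompt with no credentials at all. A "local" fallback with a locally defined user, as in the HARDENED lists, still lets the administrator in during an outage but keeps a password check in the path, and "if-authenticated" then passes because the local login counts as a real authentication.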



This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:08 GMT-3