[tac_plus] Re: aaa authorization if-authenticated
john heasley
heas at shrubbery.net
Fri Dec 4 20:21:02 UTC 2009
Fri, Dec 04, 2009 at 11:55:16AM +1100, Andy Saykao:
> Hi All,
>
> I'm trying to get my head around when you would want to use
> "if-authenticated" for "aaa authorization" and what the best practice might
> be. At what other times might you want to use "local" or "none"?
>
> aaa authorization exec default group tacacs+ if-authenticated
> aaa authorization commands 0 default group tacacs+ if-authenticated
> aaa authorization commands 1 default group tacacs+ if-authenticated
> aaa authorization commands 15 default group tacacs+ if-authenticated
>
> My understanding is that "if-authenticated" allows you to continue to run in
> an exec shell and execute commands when the tacacs+ server becomes
> unreachable/dies. This is provided that you have successfully authenticated
> to the tacacs+ server before it became unreachable or died.
>
> When would you use if-authenticated, local and none???

We use 'local', which, afaik, basically means that 'enable' works as expected,
and so should 'user foo priv N'. Experiment with it.
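
An added example, not part of the original thread or of tac_plus: a small Python audit that reads "aaa authorization" lines and reports what each method list falls back to when no TACACS+ server answers. It assumes the usual IOS rule that the next method is tried only when the previous one returns an error; the named lists VTY, CONSOLE and STRICT are constructed sample input.

```python
import re

# What the last-resort method means once every TACACS+ server has errored out.
NOTES = {
    None: "no fallback: authorization fails while no server responds",
    "if-authenticated": "any user who already authenticated is authorized",
    "local": "the local username database is consulted",
    "none": "authorization is skipped entirely",
}
LINE_RE = re.compile(r"^aaa authorization (exec|commands \d+) (\S+) (.+)$")

# First line is from the thread; the named lists are constructed samples.
SAMPLE = """\
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec VTY group tacacs+ local
aaa authorization commands 15 CONSOLE group tacacs+ none
aaa authorization commands 15 STRICT group tacacs+
"""

def split_methods(tokens):
    """Collapse 'group <name>' pairs into single method entries."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append("group " + tokens[i + 1])
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out

def audit(config_text):
    """Return (service, list_name, last_resort, note) per method list."""
    findings = []
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        methods = split_methods(m.group(3).split())
        # The last method is the last resort unless it is a server group.
        last = None if methods[-1].startswith("group ") else methods[-1]
        note = NOTES.get(last, "other method")
        findings.append((m.group(1), m.group(2), last, note))
    return findings

if __name__ == "__main__":
    for service, name, last, note in audit(SAMPLE):
        print(f"{service:12} {name:8} {last or '-':17} {note}")
```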