This topic is to discuss the following lesson:
Very well written, thanks !!
Is there a show command or an overview that shows all available commands for each privilege level?
Show commands privilege level 7
Hmm I don’t think there is, what I normally do is a quick “sh run | incl privilege” on the router and it will show you all the commands that have been moved to different privilege levels.
thank you Rene
Hi Rene, can you write the commands for SSH users which have different privilege levels? For example, one user is root and one user is guest; guest must have some restricted commands.
I’ll create a blog post on this soon, you can use different privilege levels and assign different commands to each of them. This might be useful to create an account for a ‘superuser’ who can do anything and perhaps a ‘guest’ account that is able to use show commands or a ‘trainee’ account that only has access to a few configure commands.
Based on George’s reply I tried to create two usernames with different privilege levels:
username newbie privilege 8 secret 5 $1$BiPz$TLuUEbPhyDEgnwQiOC5y0/ (cisco)
username senior privilege 15 secret 5 $1$G2Ym$.1hVi/NAd1qz2/FBS7xaO0 (cisco)
I want user newbie to be able to enter show commands:
privilege exec level 8 show
I wanted user senior to be able to enter configure commands:
privilege exec level 15 configure
Then I entered the AAA configuration:
aaa new-model
aaa authentication login list1 local
aaa authorization exec l1 local
Then I applied it to line VTY 0 4:
line vty 0 4
 authorization exec l1
 login authentication list1
Of course I configured the enable password:
enable secret 5 $1$la.q$EjYxrP4hcerlF88c1GX4e/ (ena)
Then I tried to access the device via telnet with user newbie:
R2(config-if)#do telnet 192.168.1.1
Trying 192.168.1.1 ... Open
User Access Verification
Username: newbie
Password:
R1>ena
Password:
R1#show privilege
Current privilege level is 15
I don’t know what dummy mistake I have here, can you assist?
What are your thoughts?
Do you require AAA for anything except this? You don’t need it for the privilege levels.
These lines you don’t need:
privilege exec level 8 show
privilege exec level 15 configure
Privilege level 8 already has show commands and level 15 already has everything. A level 8 user will be able to use show commands but no configure commands.
Once you login, you should get right into the right privilege level but it seems you end up in level 0. Once you type enable, you get into level 15.
For example, in my example above, you can see that once the level 8 user connects, I end up in level 8 immediately.
I can also give you an example for role based CLI. This is similar but then we can create users that have 0 commands by default and then we can add the ones we need.
Pretty much I wanted different users to be able to access the device via telnet: I wanted user newbie to be able to just execute show commands, and I wanted user senior to have full rights, I mean to be able to execute any command.
I understood my mistake; I already configured the default view and the “client” view:
aaa authentication login list_1 local
enable secret 5 $1$wxp3$S6xiGOONqckW8nW1UvOD00 (ena)
username cisco secret 5 $1$GeiB$esuKyqDcf.Q1xyKyHifRx0
username client privilege 15 view client secret 5 $1$O0ES$Lk3l5Dap7UWiJoudqQXeV1
line vty 15
 login authentication list_1
 transport input ssh
parser view client
 secret 5 $1$lNG0$Urju2CMjNaI7uOnQJvVho1
 commands interface include loopback
 commands interface include ip
 commands configure include interface
 commands configure include ip
 commands exec include disable
 commands exec include configure
 commands configure include interface Loopback1
Everything worked as I wanted, thanks for your help, but now I have two questions:
Do we always need to specify the view we want to access? Can’t the device do it automatically based on the authentication?
Why is user “client” able to access the default view if I only specified view “client” for this user?
You almost got it, try this:
aaa authorization exec list_1 local
line vty 0 15
 authorization exec list_1
 login authentication list_1
This should help to get remote users in the correct view right away.
Also, in your example you used “line vty 15”. You should use “line vty 0 15” to apply it to all 16 VTY lines. Be aware of your client user, don’t use “privilege 15” there…
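As an added illustration (not part of the lesson or this thread), a small Python audit that parses an IOS-style config and flags the three mistakes discussed above: a VTY line without authorization exec, “line vty 15” instead of “line vty 0 15”, and a view-bound user that still carries privilege 15. The sample configs are constructed from the posted one, with the secret hashes replaced by a placeholder.

```python
import re

# Constructed sample modelled on the config posted in this thread; the
# secret hashes are replaced by a placeholder.
BROKEN_CONFIG = """\
aaa new-model
aaa authentication login list_1 local
username client privilege 15 view client secret 5 <hash>
line vty 15
 login authentication list_1
 transport input ssh
"""

FIXED_CONFIG = """\
aaa new-model
aaa authentication login list_1 local
aaa authorization exec list_1 local
username client view client secret 5 <hash>
line vty 0 15
 authorization exec list_1
 login authentication list_1
 transport input ssh
"""

def parse_blocks(config):
    """Split an IOS config into (top-level line, [indented sub-lines]) pairs."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        elif not raw.startswith(" "):
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks

def audit(config):
    """Return findings for the three mistakes discussed in this thread."""
    findings, blocks = [], parse_blocks(config)
    for header, children in blocks:
        vty = re.match(r"line vty (\d+)(?: (\d+))?$", header)
        if vty:
            if vty.group(2) is None:
                findings.append(f"'{header}': use 'line vty 0 15' to cover all 16 VTY lines")
            if not any(c.startswith("authorization exec") for c in children):
                findings.append(f"'{header}': no 'authorization exec', users will not land in their view")
        elif header.startswith("username ") and "privilege 15" in header and " view " in header:
            findings.append(f"'{header.split()[1]}': privilege 15 on a user bound to a view")
    if not any(h.startswith("aaa authorization exec") for h, _ in blocks):
        findings.append("no 'aaa authorization exec' method list configured")
    return findings
```

Running audit(BROKEN_CONFIG) reports all four problems; audit(FIXED_CONFIG) returns an empty list.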
Fantastic, it worked as expected!! Many thanks for your help!!
Great lesson. However, I have a question. During my test I created a user with level 2 privilege and I want the user to only use the following commands:
“sh ip interface brief” and “configure terminal”
But when I was configuring I configured only “sh ip interface brief” and “configure terminal”. After that, when I did show run, I found extra lines in the config which include
“show ip” and “show”. I was able to block only “show run” and the rest of the commands are available, e.g. sh ip arp etc.
In my opinion I should be able to see only “configure terminal” and “show ip interface brief”. Question: why am I seeing the rest of the commands? They should be restricted.
privilege exec level 2 configure terminal
privilege exec level 2 configure
privilege exec level 2 show ip interface brief
privilege exec level 2 show ip interface
privilege exec level 2 show ip
privilege exec level 2 show
Please confirm this.
By default, a privilege level two user will have access to quite some show commands. If you want to create users that are only allowed to use a couple of commands then maybe RBAC works better. I don’t have an example for this right now but the Cisco website does:
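An added Python model (not from the lesson or the thread) of the behaviour behind the extra lines in the post above: moving a command to a privilege level also moves every parent keyword on its path, and a level 2 user can still run anything whose own default level is 1. The default-level table is a constructed subset of the IOS command tree, used only to make the example self-contained.

```python
# Constructed default levels for a small slice of the IOS exec command tree
# (an assumption for this demo; the real tree is far larger).
DEFAULTS = {
    "show": 1, "show version": 1, "show ip": 1, "show ip arp": 1,
    "show ip interface": 1, "show ip interface brief": 1,
    "show running-config": 15, "configure": 15, "configure terminal": 15,
}

def apply_privilege(tree, level, command):
    """Model 'privilege exec level N <command>': the command and every
    parent keyword on its path are moved to level N."""
    words = command.split()
    for n in range(1, len(words) + 1):
        tree[" ".join(words[:n])] = level

def build_tree(entries):
    """Start from the defaults and apply each (level, command) entry."""
    tree = dict(DEFAULTS)
    for level, command in entries:
        apply_privilege(tree, level, command)
    return tree

def rendered_config(tree):
    """The lines 'show run | incl privilege' would list: every node whose
    level differs from its default, including the implied parent keywords."""
    return sorted(f"privilege exec level {lvl} {cmd}"
                  for cmd, lvl in tree.items() if DEFAULTS.get(cmd) != lvl)

def allowed(tree, user_level, command):
    """The deepest known node on the command path sets the required level,
    so 'show ip arp' (default 1) stays reachable for a level 2 user while
    'show running-config' (default 15) does not."""
    words = command.split()
    for n in range(len(words), 0, -1):
        node = " ".join(words[:n])
        if node in tree:
            return tree[node] <= user_level
    return False

# The two commands entered in the post above
TREE = build_tree([(2, "configure terminal"), (2, "show ip interface brief")])
```

rendered_config(TREE) yields exactly the six privilege lines the poster found in show run, and allowed(TREE, 2, "show ip arp") is True while allowed(TREE, 2, "show running-config") is False.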
If you have an account created, how do you test it to make sure it’s working before using it?
How do you test a failover account in case TACACS fails?
You mean a local account? Just make sure your router/switch is unable to reach the TACACS+ server and it will attempt local authentication.
If you enable debug aaa authentication then the router will show you which authentication method it will select.
Rene, I issued these commands on a managed switch:
tacacs-server host 192.168.x.x key password
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
ip tacacs source-interface vlan2
test aaa group tacacs username password legacy
I got the error message below. Did somebody issue an authorization command when working on the device?
Command authorization failed.
If you enable debug aaa authentication, what do you see?