AAA Local Command Authorization

This topic is to discuss the following lesson:

https://networklessons.com/cisco/ccie-routing-switching/aaa-local-command-authorization/

very good

Very well written, thanks !!

Hey Rene,

Is there a show command or an overview that shows all available commands for each privilege level?
For instance:

Show commands privilege level 7
???

Hi Bülent,

Hmm, I don’t think there is. What I normally do is a quick “sh run | incl privilege” on the router and it will show you all the commands that have been moved to different privilege levels.

Rene

thank you Rene

Hi Rene, can you write the commands for SSH users which have different privilege levels? For example, one user is root and one user is guest; guest must have some restricted commands.

Hi George,

I’ll create a blog post on this soon, you can use different privilege levels and assign different commands to each of them. This might be useful to create an account for a ‘superuser’ who can do anything and perhaps a ‘guest’ account that is able to use show commands or a ‘trainee’ account that only has access to a few configure commands.

Rene

Based on George’s reply I tried to create two usernames with different privilege levels:

username newbie privilege 8 secret 5 $1$BiPz$TLuUEbPhyDEgnwQiOC5y0/ (cisco) 
username senior privilege 15 secret 5 $1$G2Ym$.1hVi/NAd1qz2/FBS7xaO0 (cisco)

I want user newbie to be able to enter show commands:

privilege exec level 8 show

I wanted user senior to be able to enter configure commands:

privilege exec level 15 configure

Then I entered the AAA configuration:

aaa new-model

aaa authentication login list1 local

aaa authorization exec l1 local

Then I applied it to line VTY 0 4:

line vty 0 4
 authorization exec l1
 login authentication list1

Of course I configured the enable password:

enable secret 5 $1$la.q$EjYxrP4hcerlF88c1GX4e/ (ena)

Then I tried to access the device via telnet with the user newbie:

R2(config-if)#do telnet 192.168.1.1
Trying 192.168.1.1 ... Open


User Access Verification

Username: newbie
Password:

R1>ena
Password:
R1#show privilege
Current privilege level is 15

I don’t know what the dumb mistake is here, can you assist?

What are your thoughts?

Hi Miguel,

Do you require AAA for anything except this? You don’t need it for the privilege levels.

These lines you don’t need:

privilege exec level 8 show
privilege exec level 15 configure

Privilege level 8 already has show commands and level 15 already has everything. A level 8 user will be able to use show commands but no configure commands.

Once you log in, you should get right into the right privilege level but it seems you end up in level 0. Once you type enable, you get into level 15.

For example, in my example above you can see that once the level 8 user connects, I end up in level 8 immediately.

I can also give you an example for role based CLI. This is similar but then we can create users that have 0 commands by default and then we can add the ones we need.

Rene

Hi Rene,

Pretty much I wanted different users to be able to access the device via telnet. I wanted user newbie to be able to just execute show commands, then I wanted user senior to have full rights, I mean to be able to execute any command.

I understood my mistake, I already configured the default view and the “client” view:

aaa authentication login list_1 local

enable secret 5 $1$wxp3$S6xiGOONqckW8nW1UvOD00 (ena)


username cisco secret 5 $1$GeiB$esuKyqDcf.Q1xyKyHifRx0
username client privilege 15 view client secret 5 $1$O0ES$Lk3l5Dap7UWiJoudqQXeV1

line vty 15
 login authentication list_1
 transport input ssh
parser view client
 secret 5 $1$lNG0$Urju2CMjNaI7uOnQJvVho1
 commands interface include loopback
 commands interface include ip
 commands configure include interface
 commands configure include ip
 commands exec include disable
 commands exec include configure
 commands configure include interface Loopback1

Everything worked as I wanted, thanks for your help, but now I have two questions:

Do we always need to specify the view we want to access? Can’t the device do it automatically based on the authentication?

Why is user “client” able to access the default view if I just assigned this user to view “client”?

Hi Miguel,

You almost got it, try this:

aaa authorization exec list_1 local

line vty 0 15
 authorization exec list_1
 login authentication list_1

This should help to get remote users in the correct view right away.

Also, in your example you used “line vty 15”. You should use “line vty 0 15” to apply it to all 16 VTY lines. Be aware of your client user, don’t use “privilege 15” there…

Rene

Fantastic, it worked as expected! Many thanks for your help!!

Rene,
Great lesson; however, I have a question. During my test I created a user with level 2 privilege and I want the user to only use the following commands:
“sh ip interface brief” and “configure terminal”
But when I was configuring, I configured only “sh ip interface brief” and “configure terminal”. After that, when I did show run, I found extra lines in the config which include “show ip” and “show”. I was able to block only “show run” and the rest of the commands are available, e.g. sh ip arp etc.

In my opinion I should be able to see only “configure terminal” and “show ip interface brief”. Question: why am I seeing the rest of the commands? They should be restricted.

privilege exec level 2 configure terminal
privilege exec level 2 configure
privilege exec level 2 show ip interface brief
privilege exec level 2 show ip interface
privilege exec level 2 show ip
privilege exec level 2 show

Please confirm this.
Thanks
Hamood

Hi Hamood,

By default, a privilege level two user will have access to quite a few show commands. If you want to create users that are only allowed to use a couple of commands then maybe RBAC works better. I don’t have an example for this right now but the Cisco website does:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

Rene
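A role-based CLI (parser view) configuration for Hamood’s case, as an added example that is not from the lesson or from Rene’s reply: it assumes a view named “restricted”, a username “hamood”, and placeholder secrets.

```cisco
! Added example (not from the lesson): a parser view that exposes only
! "show ip interface brief" and "configure terminal" to one user.
! The view name "restricted", the username "hamood" and all secrets are placeholders.
!
! Parser views require aaa new-model, and views can only be created from the
! root view: enter it interactively with "enable view" and the enable secret.
aaa new-model
enable secret <ENABLE-SECRET-PLACEHOLDER>
!
! Authenticate locally and let exec authorization hand the user its view at
! login, so the session starts in the view instead of the default exec shell.
aaa authentication login default local
aaa authorization exec default local
!
parser view restricted
 secret <VIEW-SECRET-PLACEHOLDER>
 ! Exact commands only: "show ip" or "show ip arp" are not granted by this,
 ! unlike "privilege exec level 2 show ip interface brief", which also adds
 ! the parent lines "show ip interface", "show ip" and "show".
 commands exec include show ip interface brief
 commands exec include configure terminal
!
! Bind the view to the user. Do not add "privilege 15" on this line.
username hamood view restricted secret <USER-SECRET-PLACEHOLDER>
!
line vty 0 15
 login authentication default
 authorization exec default
 transport input ssh
```

Verify with “show parser view” from the root view and by logging in as the user and running “show parser view” and an excluded command such as “show ip arp”, which should be rejected.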

If you have an account created, how do you test it to make sure it’s working before using it?

How do you test a failover account in case TACACS fails?

Hi Ebenezer,

You mean a local account? Just make sure your router/switch is unable to reach the TACACS+ server and it will attempt local authentication.

If you enable debug aaa authentication then the router will show you which authentication method it will select.

Rene

Rene, I issued these commands on a managed switch:

tacacs-server host 192.168.x.x key password
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
ip tacacs source-interface vlan2
test aaa group tacacs username password legacy

I got the error msg below. Did somebody issue an authorization command when working on the device?
Command authorization failed.
Eb

Hi Eb,

If you enable debug aaa authentication, what do you see?

Rene