AAA Local Command Authorization

Hey Rene,

Is there a show command or an overview that shows all available commands for each privilege level?
For instance:

Show commands privilege level 7
???

Hi Bülent,

Hmm, I don’t think there is. What I normally do is a quick “sh run | incl privilege” on the router and it will show you all the commands that have been moved to different privilege levels.

Rene

Thank you Rene

Hi Rene, can you write commands about SSH users which have different privilege levels? For example, one user is root and one user is guest; guest must have some restricted commands.

Hi George,

I’ll create a blog post on this soon, you can use different privilege levels and assign different commands to each of them. This might be useful to create an account for a ‘superuser’ who can do anything and perhaps a ‘guest’ account that is able to use show commands or a ‘trainee’ account that only has access to a few configure commands.

Rene

Based on George’s reply I tried to create two usernames with different privilege levels:

username newbie privilege 8 secret 5 $1$BiPz$TLuUEbPhyDEgnwQiOC5y0/ (cisco) 
username senior privilege 15 secret 5 $1$G2Ym$.1hVi/NAd1qz2/FBS7xaO0 (cisco)

I want user newbie to be able to enter show commands:

privilege exec level 8 show

I wanted user senior to be able to enter configure commands:

privilege exec level 15 configure

Then I entered the AAA configuration:

aaa new-model

aaa authentication login list1 local

aaa authorization exec l1 local

Then I applied it to line VTY 0 4:

line vty 0 4
 authorization exec l1
 login authentication list1

Of course I configured the ENA password:

enable secret 5 $1$la.q$EjYxrP4hcerlF88c1GX4e/ (ena)

Then I tried to access the device via telnet with user newbie:

R2(config-if)#do telnet 192.168.1.1
Trying 192.168.1.1 ... Open


User Access Verification

Username: newbie
Password:

R1>ena
Password:
R1#show privilege
Current privilege level is 15

I don’t know what dummy mistake I have here, can you assist?

What are your thoughts?

Hi Miguel,

Do you require AAA for anything except this? You don’t need it for the privilege levels.

These lines you don’t need:

privilege exec level 8 show
privilege exec level 15 configure

Privilege level 8 already has show commands and level 15 already has everything. A level 8 user will be able to use show commands but no configure commands.

Once you log in, you should get right into the right privilege level but it seems you end up in level 0. Once you type enable, you get into level 15.

For example, in my example above you can see that once the level 8 user connects, I end up in level 8 immediately.

I can also give you an example for role based CLI. This is similar but then we can create users that have 0 commands by default and then we can add the ones we need.

Rene

Hi Rene,

Pretty much I wanted different users to be able to access the device via telnet. I wanted user newbie to be able to just execute show commands, and user senior to have full rights, I mean to be able to execute any command.

I understood my mistake, I already configured the default view and the “client” view:

aaa authentication login list_1 local

enable secret 5 $1$wxp3$S6xiGOONqckW8nW1UvOD00 (ena)


username cisco secret 5 $1$GeiB$esuKyqDcf.Q1xyKyHifRx0
username client privilege 15 view client secret 5 $1$O0ES$Lk3l5Dap7UWiJoudqQXeV1

line vty 15
 login authentication list_1
 transport input ssh
parser view client
 secret 5 $1$lNG0$Urju2CMjNaI7uOnQJvVho1
 commands interface include loopback
 commands interface include ip
 commands configure include interface
 commands configure include ip
 commands exec include disable
 commands exec include configure
 commands configure include interface Loopback1

Everything worked as I wanted, thanks for your help, but now I have two questions:

Do we always need to specify the view we want to access? Can’t the device do it automatically based on the authentication?

Why is user “client” able to access the default view if I just assigned this user to view “client”?

Hi Miguel,

You almost got it, try this:

aaa authorization exec list_1 local

line vty 0 15
 authorization exec list_1
 login authentication list_1

This should help to get remote users in the correct view right away.

Also, in your example you used “line vty 15”. You should use “line vty 0 15” to apply it to all 16 VTY lines. Be aware of your client user, don’t use “privilege 15” there…

Rene

Fantastic, it worked as expected! Many thanks for your help!

Rene,
Great lesson. However, I have a question. During my test I created a user with level 2 privilege and I want the user to only use the following commands:
“sh ip interface brief” and “configure terminal”
But when I was configuring I configured only “sh ip interface brief” and “configure terminal”. After that, when I did show run, I found extra lines in the config which include
“show IP” and “show”. I was able to block only “show run” and the rest of the commands are available, e.g. sh ip arp etc.

In my opinion I should be able to see only “configure terminal” and “show ip interface brief”. Question: why am I seeing the rest of the commands? They should be restricted.

privilege exec level 2 configure terminal
privilege exec level 2 configure
privilege exec level 2 show ip interface brief
privilege exec level 2 show ip interface
privilege exec level 2 show ip
privilege exec level 2 show

Please confirm this.
Thanks
Hamood

Hi Hamood,

By default, a privilege level two user will have access to quite some show commands. If you want to create users that are only allowed to use a couple of commands then maybe RBAC works better. I don’t have an example for this right now but the Cisco website does:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

Rene

If you have an account created, how do you test it to make sure it’s working before using it?

How do you test a failover account in case TACACS fails?

Hi Ebenezer,

You mean a local account? Just make sure your router/switch is unable to reach the TACACS+ server and it will attempt local authentication.

If you enable debug aaa authentication then the router will show you which authentication method it will select.

Rene

Rene, I issued these commands on a managed switch:

tacacs-server host 192.168.x.x key password
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
ip tacacs source-interface vlan2
test aaa group tacacs username password legacy

I got the error msg below. Did somebody issue an authorization command when working on the device?
Command authorization failed.
Eb

Hi Eb,

If you enable debug aaa authentication, what do you see?

Rene

Hi Rene,

Good and informative!

Is there any documentation that lists the privilege levels and their associated commands?
I would like to know what privilege level 14 can and can’t do. I know level 15 does everything, but how about other privilege levels? What commands are they able to execute by default and what commands are they not able to execute by default? I would like to know what commands each privilege level is able to execute by default - from privilege level 0 to privilege level 14.

Thanks,

Mohamed

Hi Mohamed F,

By default, Cisco has 3 privilege levels enabled. The 3 privilege levels are:

privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
privilege level 15 — Includes all enable-level commands at the router# prompt.

Since Cisco IOS Release 10.3, Cisco routers enable an administrator to configure multiple privilege levels. Configuring privilege levels is especially useful in a help desk environment where certain administrators must be able to configure and monitor every part of the router (level 15), and other administrators need only to monitor, not configure, the router (customized levels 2 to 14).

So as an answer to your question: the commands list per privilege level from 2 to 14 is defined by the administrator.

An administrator can define multiple customized privilege levels and assign different commands to each level. The higher the privilege level, the more router access a user has. Commands that are available at lower privilege levels are also executable at higher levels, because a privilege level includes the privileges of all lower levels. For example, a user authorized for privilege level 10 is granted access to commands allowed at privilege levels 0 through 10 (if also defined). A privilege-level-10 user cannot access commands granted to privilege level 11 (or higher). A user authorized for privilege level 15 can execute all Cisco IOS commands.

Hope I could answer your question.

Source: Cisco.com
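Bülent’s question about listing the commands per privilege level, Rene’s “sh run | incl privilege” tip, Hamood’s unexpected extra “show” lines and the inheritance rule in the last post all come down to reading the running-config. As an added example, not code from the thread, from Cisco or from NetworkLessons, the Python script below parses a constructed “show running-config” excerpt (the hashes are placeholders) into a per-level and per-view summary, applying the rule that a privilege level inherits every command assigned at a lower level. It also makes the limit of that listing visible: commands left at their IOS defaults, such as the level 1 show commands Rene mentions to Hamood, never appear in the running-config, so a level 2 user’s real command set is larger than what “sh run | incl privilege” shows.

```python
"""Summarise IOS privilege levels and parser views from a 'show running-config' excerpt.
Added example for this thread; not Cisco or NetworkLessons code. It only parses text."""
import re
from collections import defaultdict

# Constructed "show running-config" excerpt for illustration (hashes are placeholders).
SAMPLE_RUN = """\
username newbie privilege 8 secret 5 <HASH>
username senior privilege 15 secret 5 <HASH>
username client privilege 1 view client secret 5 <HASH>
privilege exec level 2 configure terminal
privilege exec level 2 configure
privilege exec level 2 show ip interface brief
privilege exec level 2 show ip interface
privilege exec level 2 show ip
privilege exec level 2 show
privilege exec level 8 show running-config
privilege exec level 8 show
parser view client
 secret 5 <HASH>
 commands exec include disable
 commands exec include configure
 commands configure include interface
 commands interface include ip
!
"""

PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?(?: view (\S+))?")
VIEW_RE = re.compile(r"^parser view (\S+)")
VIEW_CMD_RE = re.compile(r"^ commands (\S+) (include|include-exclusive|exclude) (.+)$")


def parse_privileges(run_cfg):
    """Group the 'privilege <mode> level <n> <command>' lines by level: the same
    information as 'sh run | incl privilege', but as a per-level table."""
    levels = defaultdict(set)
    for line in run_cfg.splitlines():
        m = PRIV_RE.match(line)
        if m:
            levels[int(m.group(2))].add((m.group(1), m.group(3)))
    return dict(levels)


def parse_users(run_cfg):
    """Map each local username to its privilege level (IOS default is 1) and view."""
    users = {}
    for line in run_cfg.splitlines():
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = {"privilege": int(m.group(2) or 1), "view": m.group(3)}
    return users


def parse_views(run_cfg):
    """Collect the 'commands <mode> include|exclude <command>' entries under each
    'parser view' block; a non-indented line ends the block."""
    views, current = {}, None
    for line in run_cfg.splitlines():
        m = VIEW_RE.match(line)
        if m:
            current = m.group(1)
            views[current] = []
            continue
        if not line.startswith(" "):
            current = None
            continue
        m = VIEW_CMD_RE.match(line)
        if m and current is not None:
            views[current].append((m.group(1), m.group(2), m.group(3)))
    return views


def commands_reachable(levels, level):
    """Everything explicitly assigned at or below 'level': a level inherits the
    commands of all lower levels. Commands left at their IOS defaults never show
    up in the running-config, so this lists only what the administrator moved."""
    reachable = set()
    for lvl, cmds in levels.items():
        if lvl <= level:
            reachable |= cmds
    return reachable


def required_level(levels, mode, command):
    """Level explicitly configured for the exact command, or None when the command
    is still at its IOS default and therefore absent from the running-config."""
    for lvl, cmds in levels.items():
        if (mode, command) in cmds:
            return lvl
    return None


def report(run_cfg):
    """Render the per-level, per-view and per-user summary as text."""
    levels, users, views = parse_privileges(run_cfg), parse_users(run_cfg), parse_views(run_cfg)
    out = []
    for lvl in sorted(levels):
        out.append(f"privilege level {lvl}: {len(commands_reachable(levels, lvl))} moved commands reachable")
        out.extend(f"  {mode}: {cmd}" for mode, cmd in sorted(levels[lvl]))
    for name, cmds in views.items():
        out.append(f"view {name}: " + ", ".join(f"{m} {a} {c}" for m, a, c in cmds))
    for name, info in sorted(users.items()):
        out.append(f"user {name}: privilege {info['privilege']}, view {info['view'] or '-'}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_RUN))
```

Feed it the real output of “show running-config” instead of SAMPLE_RUN to get the same summary for a device; required_level returning None for a command such as “show ip arp” is the signal that the command is at its IOS default and is therefore governed by the default levels described in the last post, not by anything in the running-config.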
