AAA Local Command Authorization

Hi Rene,

Good and informative!

Is there any documentation that lists the privilege levels and their associated commands?
I would like to know what privilege level 14 can and can’t do. I know level 15 does everything, but how about other privilege levels? What commands are they able to execute by default and what commands are they not able to execute by default? I would like to know what commands each privilege level is able to execute by default - from privilege level 0 to privilege level 14.

Thanks,

Mohamed

Hi Mohamed F,

By default, Cisco has 3 privilege levels enabled. The 3 privileges are:

privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
privilege level 15 — Includes all enable-level commands at the router# prompt.

Since Cisco IOS Release 10.3, Cisco routers enable an administrator to configure multiple privilege levels. Configuring privilege levels is especially useful in a help desk environment where certain administrators must be able to configure and monitor every part of the router (level 15), and other administrators need only to monitor, not configure, the router (customized levels 2 to 14).

So as an answer to your question: the commands list per privilege level from 2 to 14 is defined by the administrator.

An administrator can define multiple customized privilege levels and assign different commands to each level. The higher the privilege level, the more router access a user has. Commands that are available at lower privilege levels are also executable at higher levels, because a privilege level includes the privileges of all lower levels. For example, a user authorized for privilege level 10 is granted access to commands allowed at privilege levels 0 through 10 (if also defined). A privilege-level-10 user cannot access commands granted to privilege level 11 (or higher). A user authorized for privilege level 15 can execute all Cisco IOS commands.

Hope I could answer your question.

Source: Cisco.com


Hi team,

I read in Cisco documentation that privilege interface level 8 no shutdown will set both no and shutdown to privilege level 8.
If by mistake I enter after that privilege interface level 9 no, will this command make my no shutdown unusable in privilege level 8?

Second question, in the lesson example you used local username. If I want to use AAA server, is TACACS+ mandatory or can I use RADIUS?

Thanks,

Hello David

I labbed this up to be sure. Initially, I issued the privilege interface level 8 no shutdown command. I then took a look at the running config and found this:

privilege interface level 8 shutdown
privilege interface level 8 no shutdown
privilege interface level 8 no

So by default, the full command as well as each individual keyword is added as a separate command.

I then proceeded with the privilege interface level 9 no command and got this result in the running config:

privilege interface level 8 shutdown
privilege interface level 8 no shutdown
privilege interface level 9 no

Notice that the no shutdown command as a whole is still level 8, but the no command alone is level 9. Even so, this no keyword will make the no shutdown command unavailable for a user on privilege level 8.

You can use either TACACS+ or RADIUS for your AAA server. You can find out more about how to do this at the following lesson:

I hope this has been helpful!

Laz
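To put the privilege-level hierarchy from the first answer and the keyword expansion from the lab above into one working configuration, here is an added example (not from the lesson or from Laz's lab) that builds a "helpdesk" level 5 able to inspect and bounce interfaces; the username, secrets and command choices are made up for illustration.

```cisco
! Added example, not from the lesson: a custom "helpdesk" level 5
! (constructed username and secrets)
enable secret level 5 Helpdesk-L5-secret
username helpdesk privilege 5 secret Helpdesk-user-secret
!
! Exec-mode commands granted to level 5. Assigning a multi-keyword
! command also moves its leading keywords (show, show ip, ...) to level 5.
privilege exec level 5 show ip interface brief
privilege exec level 5 show interfaces
privilege exec level 5 configure terminal
!
! Config-mode entry point: level 5 may enter interface configuration
privilege configure level 5 interface
!
! Interface-mode command. As seen in the lab above, IOS stores this as
! three lines (shutdown, no shutdown and the bare keyword no), all at 5.
privilege interface level 5 no shutdown
!
! Caveat from the lab above: a later line such as
!   privilege interface level 9 no
! moves the bare "no" keyword to level 9 and silently blocks
! "no shutdown" for level 5 users, so assign the keyword per level on purpose.
!
! Level 5 inherits everything at levels 0 to 4; anything not mapped stays at 15.
line vty 0 4
 login local
 transport input ssh
```

Log in as helpdesk and run "show privilege" to confirm the level before trying the mapped commands, then check the running config for the automatically added keyword lines.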

Definitely, is it on the switch or on the router, please?
Hello Rene

Hello Takam

This configuration in the lesson is performed on a Cisco IOS router. However, the configuration of AAA local command authorization is very similar on a switch. The following configuration guide, for example, shows how to apply this to a Cisco 3850 switch.

I hope this has been helpful!

Laz

Hello!

I would like to verify a few things

  1. The privilege exec level x cmd command is for configuring the exec modes, while privilege configure allows the user to access a certain configuration mode, like the interface, for example?

  2. And please, why doesn’t this work? I am running this router in Cisco CML.

Kind regards,
David

Hello David!

You are correct on your first point. The privilege exec level x cmd command is used to set the minimum privilege level required to execute a command in exec mode. On the other hand, ‘privilege configure’ is used to set the minimum privilege level required to execute a command in configuration mode.

Now the behavior of your scenario is quite interesting. I recreated it in the lab and confirmed this behavior. The command show running-config is indeed allowed, and you can see this because you don’t have an error message stating % Invalid input detected at '^' marker. The command has run successfully, so your privilege configuration is correct.

The reason you see no output is that while the command is recognized (and not invalid), the device’s security settings prevent the display of configuration details at that current privilege level. It’s a security measure to prevent unauthorized viewing of sensitive configuration details. So the privilege level doesn’t have the necessary rights to output the config file info on the screen.

I did some further experimentation and found that even privilege level 14 does not display the running configuration information on the screen. Only level 15.

I learned something new today! :sunglasses:

I hope this has been helpful!

Laz

Hello Laz,

I just had a few questions about the contents of this lesson, as well as some questions regarding the use of a RADIUS/TACACS server for authorization:

  1. For the 3 default privilege levels (Level 0, 1, and 15) I understand that there are a range of commands that are accessible to users depending on which of those levels their credentials fall under, but my question is, aren't those levels also associated with what mode that user is dropped into once they successfully log into the Router/switch? For example, if I configure:
username admin privilege 15 password cisco
username tech password cisco123
username reader privilege 0 password cisco12345

then anytime “admin” logs into the router/switch via the console port or VTY lines we would end up in privileged exec mode (Hostname #), regardless of whether we have an enable password configured to get from user exec to privileged exec, correct?

On the other hand, “tech” would end up in user exec mode (Hostname >) since it has privilege level of 1, and “reader” would end up in user exec mode as well, except only 5 commands would be available, such as “enable”, since this user has privilege level 0. Both of these users would have to input the enable password in order to go into privileged exec mode. Is my understanding here correct? Please assume the only authentication that is configured in the Router/switch in this scenario is “login local” under the VTY lines and the console port.

  2. My next question involves applying privilege levels directly to the console port/VTY lines so that upon successful authentication all users can go straight into privileged exec mode (hostname #). If my understanding from the previous question is correct, then user admin would go straight into privileged exec mode due to its privilege level 15 after it authenticates with the router, regardless of whether we are using the console port or the VTY lines for SSH/Telnet. But what if we wanted the same for user “tech” who has a privilege of 1? Couldn't we apply the “privilege level 15” command directly on the VTY lines and Console port to achieve this?

Some additional questions regarding authorization with the use of a radius/tacacs server:

Assume we had a router with the following AAA config to authenticate/authorize:

aaa new-model

radius server EXAMPLE1
address ipv4 10.1.1.1 auth-port 1812 acct-port 1813
key cisco123

radius server EXAMPLE2
address ipv4 10.1.1.2 auth-port 1812 acct-port 1813
key cisco123

aaa group server radius TEST
server name EXAMPLE1
server name EXAMPLE2

aaa authentication login default group TEST local
aaa authorization exec default group TEST if-authenticated

My first question revolves around authorization for the exec shell. I understand this is supposed to determine if users are authorized to start an “exec” shell according to Cisco. In my example above, this is checked by first checking with the TEST group, then relying on whether the user was successfully authenticated to determine if the user is allowed to start an exec shell, but what exactly is meant by “exec shell” here? Is it just the CLI? And does that mean that the CLI won't even start if a user fails authorization?

My last question involves the use of the aaa authorization commands command. If we were to use “aaa authorization commands 15 default group TEST local none” I understand it would authorize by checking with the TEST group and then relying on local command authorization if that fails, and then not doing any authorization at all if the first two methods fail, but I don't understand how this works. Are we only allowing commands associated with privilege 15 to be used if they are authorized? I know RADIUS cannot do command authorization, so let's pretend we're using TACACS just for this last question.

Thank you,
Laz

Hello Paul

I’ll do my best to answer all of your questions.

Yes, your understanding is correct. The privilege level is associated with the mode the user is dropped into after they successfully log into the router/switch. A user with privilege 15 will be dropped into privileged exec mode (Hostname# prompt), regardless of whether an enable password is configured. On the other hand, users with privileges 0 or 1 will be dropped into user exec mode (Hostname> prompt) and will need to input the enable password to enter privileged exec mode. By default, if a user enters the enable command and the password, they are elevated to privilege level 15 regardless of their original privilege level.

Under the configuration of the VTY lines, if you issue the privilege level 15 command, you are essentially telling the router that anyone who connects via this VTY line will be given privilege level 15. This command overrides any user privilege levels you have set. Note that this is the case for all connections via VTYs across the board. This command should be used carefully since it essentially negates any user privileges you have set for security purposes. Take a look at this Cisco command reference documentation for more information:

The “exec shell” in the context of AAA refers to the CLI environment that a user interacts with after logging into the device. The term “shell” in computing originates from the idea that the CLI acts as an outer layer or “shell” around the core operating system, providing an interface through which users can interact with the system. This term is used for all CLI interfaces, including those found in Unix, Linux, Windows, Macs and other operating environments. So when a user passes authentication, the device checks with the AAA server to determine if the user has authorization to start an exec session (CLI). If the user fails authorization, the CLI session will not start.

The aaa authorization commands 15 default group TEST local none command checks if the user is authorized to execute commands associated with privilege level 15. If the AAA server (in this case the TEST group) does not respond, the router falls back to the local command authorization. If that fails, no authorization is done. You’re correct in saying that RADIUS doesn’t support command authorization, so in this case, TACACS+ would be used.

I hope this has been helpful!

Laz
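As an added example (not from the lesson or from Paul's post), here is the TACACS+ version of Paul's method lists, so that exec-shell authorization and level 15 command authorization are both handled by the server; the server names, addresses, keys and the fallback username are made up.

```cisco
! Added example, not from the lesson: exec and command authorization via TACACS+
! (constructed server names, addresses, keys and username)
aaa new-model
!
tacacs server EXAMPLE-TAC1
 address ipv4 10.1.1.10
 key cisco123
tacacs server EXAMPLE-TAC2
 address ipv4 10.1.1.11
 key cisco123
!
aaa group server tacacs+ TAC
 server name EXAMPLE-TAC1
 server name EXAMPLE-TAC2
!
! Login and exec-shell authorization: the CLI session only starts if the
! TACACS+ group permits it. The "local" method is consulted only when no
! server responds, not when a server denies the user.
aaa authentication login default group TAC local
aaa authorization exec default group TAC local
!
! Command authorization: each level 15 command is sent to TACACS+ before it
! runs, falling back to the local privilege table only if no server answers.
! No "none" at the end, so a command is never run without any check.
aaa authorization commands 15 default group TAC local
!
! Without this line, commands typed in configuration mode bypass
! command authorization.
aaa authorization config-commands
!
! Local fallback identity, used only when every TACACS+ server is unreachable
username admin privilege 15 secret Admin-fallback-secret
```

Note that the console line is exempt from AAA authorization unless "aaa authorization console" is also configured, which is worth keeping in mind when testing so that a server outage does not lock you out.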

Hello, everyone.

If privilege level 0 exists on the device by default, is it really used by anything? Once you log into a device, you’ll be in the user mode which uses priv. level 1 while if you type enable, you’ll be in privileged mode with a priv. level of 15. Does 0 ever come into play on Cisco IOS?

Thank you.
David

Hello David

By default, you log in to a privilege level of 1, and you can enable to go to 15. To go to level 0, you must explicitly state it like so:

R3#enable 0
R3>

I did a bit more experimenting and I was able to use disable to get back to level 1. But if I get to level 0 and issue the disable command, this is the result:

R3>enable 0
R3>disable
New privilege level must be less than current privilege level
R3>

So the disable command actually brings us back to privilege level 1, but it cannot be used when you’re in privilege level 0, because it’s not allowed to bring you to a higher privilege level than the one you are on. One more thing before I go on… Here you can see the available commands for privilege level 0:

R3>?
Exec commands:
  disable  Turn off privileged commands
  enable   Turn on privileged commands
  exit     Exit from the EXEC
  help     Description of the interactive help system
  logout   Exit from the EXEC

R3>

Now, the truth is that level 0 is not used often and has limited usefulness. However, level 0 is reserved for edge cases where administrators need to restrict users to a minimal set of commands or override default command privileges for security policies.

A couple of use cases I can think of include:

  1. You administer the mission-critical network for a bank or an ISP. You have a new team member on your network administration staff and you want to onboard them onto the system. You can start by creating a user with privilege level 0 on the network devices to ensure that they can’t accidentally bring down the network or view passwords or other security-related information. You can then selectively map additional commands to that user. This ensures that the user has not been given any potentially damaging powers on the network.
  2. You may want to restrict a specific user’s access in one fell swoop but allow them to still log in. You can do this by reassigning the privilege level of the specific user to 0.

Indeed, it’s not used too often, but it can be useful in some cases.

I hope this has been helpful!

Laz