topic Re: aaa authorisation exec and aaa authorisation commands in Network Access Control

aaa authorisation exec and aaa authorisation commands

D@1984 — Fri, 21 Feb 2020 19:01:54 GMT

I'm trying to understand whats the difference between two commands above? I have created two local users on my router, one with privilege level of 15 and the other with Pri level of 7. then I deployed aaa authorisation commands 15 and aaa authorisation commands 1. I tested my config using both users, and although they had different level set, I could get to all commands with both users account until I added 'aaa authorisation exec' command and that fixed the issue. now it seems to me that users with different privilege mode doesn't work until we configure 'aaa authorisation exec', but my question is whats the point of configuring aaa authorisation commands then ?

I had a very basic aaa config on my router:

aaa new-model
aaa authentication login default group tacacs+ group radius local
aaa authentication enable default none
aaa authorization config-commands
aaa authorization exec default local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common

username lele privilege 15 password 7 023F05480A0B062F6C1F504151
username admin privilege 3 password 7 033D5A18070228426E58405D43

Re: aaa authorisation exec and aaa authorisation commands

balaji.bandi — Fri, 28 Sep 2018 21:22:55 GMT

commands - Runs authorization for all commands at the specified privilege level.

exec - Runs authorization to determine if the user is allowed to run an EXEC shell. This facility might return user profile information such as autocommand information.

Privilege level 0 — includes the disable, enable, exit, help, and logout commands.
Privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
Privilege level 15 — includes all enable-level commands at the router# prompt.

Re: aaa authorisation exec and aaa authorisation commands

D@1984 — Sun, 30 Sep 2018 19:00:25 GMT

Thanks but I still dont understand the differenc. From my lab, I found out that I need aaa authorisation exec If I have users with different privilege mode. each privilege mode has set of commands defined that based on that I have access to those commands, now whats aaa authorization commands does?

Re: aaa authorisation exec and aaa authorisation commands

Marvin Rhoads — Mon, 01 Oct 2018 01:54:02 GMT

To authorize administrative sessions at differentiated levels, you have to use the exec service.

When EXEC authorization has been enabled, the device will send a TACACS+ authorization request to the AAA server immediately after authentication to check whether the user is allowed to start an administrative session.

Without it, the device cannot distinguish between the authorization levels allowed for the various users' privilege levels. If you only have a single privilege level then "aaa authorization" alone suffices.

Re: aaa authorisation exec and aaa authorisation commands

D@1984 — Mon, 01 Oct 2018 23:12:53 GMT

many thanks.

Is there any lab that you could refer me to so I could understand this better? I also have configured RBAC and assign the view to a user:

username test1 view test secret TEST123

parser view test

secret TEST123

commands exec include show version

commands configure include all intreface

when I ssh to my router using test1 username, unless I type enable view test, then I have access to all commands!

what I'm trying to achieve is to have different users, and control what access they can have each.

many thanks

Re: aaa authorisation exec and aaa authorisation commands

Marvin Rhoads — Tue, 02 Oct 2018 07:09:53 GMT

Most people accomplish this on their ACS or ISE AAA server. For that, you can see some good videos on labminutes. For example:

https://www.youtube.com/watch?v=ywYSJ7i7HV4