https://community.cisco.com/t5/network-access-control/command-authorization-using-local-user-database/m-p/535059#M426740 <P>Pls, does anybody know how to configure exec and privilege level command authorization based on local user database.</P><P></P><P>I tried that, but I haven't done it yet.</P><P></P><P>pls., write me a short step-by-step procedure.</P><P></P><P></P><P>Here is commands which I have configured. Something still missing I thing. Am I right?</P><P></P><P>username admin privilege 15 password 0 adm</P><P>username limited privilege 5 password 0 lim</P><P>aaa new-model</P><P>aaa authentication login default local</P><P>aaa authorization config-commands</P><P>aaa authorization exec default local</P><P>aaa authorization commands 5 default local</P><P>aaa authorization commands 15 default local</P><P></P><P>privilege exec level 5 sh ver</P><P>privilege exec level 5 sh ip int</P><P>privilege exec level 5 sh ip int brief</P><P></P><P>And finally, I am still able to do "en"(enable) command in exec mode - for example</P><P></P><P>thx a lot</P> Sun, 10 Mar 2019 21:41:24 GMT morbfrhtc 2019-03-10T21:41:24Z https://community.cisco.com/t5/network-access-control/command-authorization-using-local-user-database/m-p/535059#M426740 <P>Pls, does anybody know how to configure exec and privilege level command authorization based on local user database.</P><P></P><P>I tried that, but I haven't done it yet.</P><P></P><P>pls., write me a short step-by-step procedure.</P><P></P><P></P><P>Here is commands which I have configured. Something still missing I thing. Am I right?</P><P></P><P>username admin privilege 15 password 0 adm</P><P>username limited privilege 5 password 0 lim</P><P>aaa new-model</P><P>aaa authentication login default local</P><P>aaa authorization config-commands</P><P>aaa authorization exec default local</P><P>aaa authorization commands 5 default local</P><P>aaa authorization commands 15 default local</P><P></P><P>privilege exec level 5 sh ver</P><P>privilege exec level 5 sh ip int</P><P>privilege exec level 5 sh ip int brief</P><P></P><P>And finally, I am still able to do "en"(enable) command in exec mode - for example</P><P></P><P>thx a lot</P> Sun, 10 Mar 2019 21:41:24 GMT https://community.cisco.com/t5/network-access-control/command-authorization-using-local-user-database/m-p/535059#M426740 morbfrhtc 2019-03-10T21:41:24Z https://community.cisco.com/t5/network-access-control/command-authorization-using-local-user-database/m-p/535060#M426741 <HTML><HEAD></HEAD><BODY><P>Keep in mind though that "en" is a level 1 command, it has to be, otherwise you'd never be able to get out of level 1 into another level, right?</P><P></P><P>You've only set up authorization for level 5 commands, but this will still allow the user to do any level 1 commands (like "en" or even "quit").</P><P></P><P>You could move the enable command up to a level higher than level 5. Given that when you login as "admin" you'll go straight to level 15 access this would be OK, make sure you never remove that user though otherwise you'll never be able to get into "en" mode cause you won't have any users with the right privilege level to run it. </P></BODY></HTML> Tue, 08 Aug 2006 04:44:00 GMT https://community.cisco.com/t5/network-access-control/command-authorization-using-local-user-database/m-p/535060#M426741 gfullage 2006-08-08T04:44:00Z https://community.cisco.com/t5/network-access-control/command-authorization-using-local-user-database/m-p/535061#M426746 <HTML><HEAD></HEAD><BODY><P>hi there since u are using local aaa. u have to specify the privilege levels and the commands the users are allowed to use. and since the level5 user is above level1 he will by default have access to all level 1 commands. to restrict the commands u can use a external acs. in which u can restrict each of the commands the user is trying to access. that will give u minute control. </P><P></P><P>regards </P><P></P><P>sebastan</P></BODY></HTML> Thu, 10 Aug 2006 14:38:36 GMT https://community.cisco.com/t5/network-access-control/command-authorization-using-local-user-database/m-p/535061#M426746 sebastan_bach 2006-08-10T14:38:36Z