topic AAA Local Authorization.... in Network Access Control

AAA Local Authorization....

darrenj — Sun, 10 Mar 2019 21:36:02 GMT

Hello all. Hopefully, this will prove to be an easy question with a simple answer!

I want to configure local username/passwords on my router, with different privilege levels. For example username admin is only allowed to access privilege level 1 commands, and username engineer is allowed to enter all comands (level 15). However, when I test this via console or telnet, both go into user mode to start with (Router>) and I can enter enable mode on both username logins by entering the enable password (Router#). Therefore, both username's have the same access rights (to all commands) even though they have different privilege levels. I thought the privilege level 1 account would not be allowed to issue level15 commands?

Can anyone point me in the right direction.....

aaa new-model

aaa authentication login default local

aaa authorization commands 1 default local

aaa authorization commands 15 default local

enable secret test

username admin privilege 1 password cisco1

username engineer privilege 15 password cisco2

Thanks.

Re: AAA Local Authorization....

Richard Burts — Thu, 25 May 2006 14:53:48 GMT

Darren

It seems to me that there is a fairly simple solution to your situation: do not give the enable password to users who should be restricted to level 1 commands.

No matter what privilege level they start at, anyone who can enter the correct enable password (or enable secret) will gain level 15 access.

HTH

Rick

Re: AAA Local Authorization....

darrenj — Thu, 25 May 2006 15:03:06 GMT

Thanks Rick for the response. Like you say, there is a simple solution, but it makes me wonder why would you want to configure a privilege level if it doesn't have any effect?

Or does it have its uses elsewhere.....

Re: AAA Local Authorization....

evictor — Wed, 21 Jun 2006 20:57:05 GMT

Just typing enable defaults to enable 15

Careful look at the following commands should answer your question

Router6>enable ?

<0-15> Enable level

Router6(config)#enable password ?

0 Specifies an UNENCRYPTED password will follow

7 Specifies a HIDDEN password will follow

LINE The UNENCRYPTED (cleartext) 'enable' password

level Set exec level password

Router6(config)#enable password le

Router6(config)#enable password level ?

<1-15> Level number

Victor

Re: AAA Local Authorization....

davidkeedy — Thu, 06 Jul 2006 17:56:36 GMT

Is your ACS server configured with advanced tacacs+ settings? If so, under user setup, you can select "No enable privilege". They will not be allowed to enter enable mode even if they enter the correct password. With regard to local usernames and passwords, it only states what level they can start at. If they know the enable password, then they can get to enable mode.

Re: AAA Local Authorization....

viveksantuka — Fri, 07 Jul 2006 08:32:57 GMT

Darren,

The privilege levels are used when you do not want to give full level 15 access to someone but only some commands.

For example you may want a tech. to be able to change the bandwidth of an interface and nothing else. So we reduce the privilege level of the interface bandwidth command to say 10 and give the tech level 10 access.