topic Re: Reducing the required Privilege Level to write to memory in Network Access Control

Reducing the required Privilege Level to write to memory

JXGulotta — Fri, 07 Jun 2024 12:52:49 GMT

Hello all,

I'm currently running a C9300 on 17.03.03 firmware. My security team has an AD RADIUS server that we have programmed into AAA which provides user groups with a privilege level. One of these privilege levels is for junior network admins to make basic changes like switch a vlan on a port, however I've come across an error that they're hitting when trying to write these changes to memory.

Switch#copy run start Destination filename [startup-config]? startup-config file open failed (Permission denied) Switch#wr mem startup-config file open failed (Permission denied)

For transparency, here is the full permission 14 list:

privilege interface level 14 power inline privilege interface level 14 power privilege interface level 14 shutdown privilege interface level 14 ip address privilege interface level 14 ip privilege interface level 14 switchport privilege interface level 14 no power inline privilege interface level 14 no power privilege interface level 14 no shutdown privilege interface level 14 no ip address privilege interface level 14 no ip privilege interface level 14 no switchport privilege interface level 14 description privilege interface level 14 no description privilege interface level 14 no privilege configure level 14 interface privilege exec level 14 write memory privilege exec level 14 write privilege exec level 14 configure terminal privilege exec level 14 configure privilege exec level 15 reload privilege exec level 14 test cable-diagnostics tdr interface privilege exec level 14 test cable-diagnostics tdr privilege exec level 14 test cable-diagnostics privilege exec level 14 test privilege exec level 14 show cable-diagnostics tdr interface privilege exec level 14 show cable-diagnostics tdr privilege exec level 14 show cable-diagnostics privilege exec level 14 show device-tracking database interface privilege exec level 14 show device-tracking database privilege exec level 14 show device-tracking privilege exec level 14 show ip interface privilege exec level 14 show ip privilege exec level 14 show running-config privilege exec level 14 show

Any assistance would be greatly appreciated.

Re: Reducing the required Privilege Level to write to memory

M02@rt37 — Fri, 07 Jun 2024 13:02:23 GMT

Hello @JXGulotta,

To resolve this, you need to add the write memory privilege at the appropriate level. You have already added privilege exec level 14 write memory, but you need to ensure that the write command also includes the copy running-config startup-config subcommand at the same level.

Switch(config)# privilege exec level 14 copy running-config startup-config
Switch(config)# privilege exec level 14 copy running-config

--Verify that the privilege levels are correctly set:

Switch# show privilege

Re: Reducing the required Privilege Level to write to memory

JXGulotta — Fri, 07 Jun 2024 13:13:24 GMT

Hello M02@rt37,

I've confirmed that my test account is at the correct priv level and input the lines you've outlined above, but I'm still getting the same error: startup-config file open failed (Permission denied)

Re: Reducing the required Privilege Level to write to memory

MHM Cisco World — Fri, 07 Jun 2024 13:20:43 GMT

Access via User

Show privilege

It must be 14.

Share output here

MHM

Re: Reducing the required Privilege Level to write to memory

JXGulotta — Fri, 07 Jun 2024 13:22:30 GMT

Switch#sh pri
Current privilege level is 14

Re: Reducing the required Privilege Level to write to memory

MHM Cisco World — Fri, 07 Jun 2024 13:26:26 GMT

Did you use any

Aaa authorization command?

MHM

Re: Reducing the required Privilege Level to write to memory

JXGulotta — Fri, 07 Jun 2024 13:31:07 GMT

aaa new-model
!
!
aaa group server radius servergroup
server name servername
server name servername
!
aaa authentication login default group servergroup local
aaa authentication enable default group servergroup enable
aaa authorization config-commands
aaa authorization exec default group servergroup local
aaa authorization configuration default group servergroup
aaa accounting exec default start-stop group servergroup
!

aaa session-id common

Re: Reducing the required Privilege Level to write to memory

MHM Cisco World — Fri, 07 Jun 2024 13:35:42 GMT

So the command is send aaa to authz it or not

It not issue of priv it missing or misconfig command of

Aaa authz config

Let me check before answer

But you can help to make sure that this is issue by run debug aaa authorization

Thanks

MHM

Re: Reducing the required Privilege Level to write to memory

JXGulotta — Fri, 07 Jun 2024 13:44:06 GMT

Here's the output for the debug command:

Switch#debug aaa authorization
AAA Authorization debugging is on
Switch#

No other output and nothing in the logs.

Re: Reducing the required Privilege Level to write to memory

JXGulotta — Fri, 07 Jun 2024 14:15:57 GMT

My other thought is every other command change in the priv list functions when it did not prior to it being added, which would also not work if it were a AAA authz misconfig, correct?

Re: Reducing the required Privilege Level to write to memory

MHM Cisco World — Fri, 07 Jun 2024 14:22:45 GMT

Correct any command you enter will return error

MHM

Re: Reducing the required Privilege Level to write to memory

JXGulotta — Fri, 07 Jun 2024 14:32:33 GMT

So since the other commands function properly, is there a different set of permissions with regards to the start config?

Re: Reducing the required Privilege Level to write to memory

JXGulotta — Mon, 17 Jun 2024 17:18:02 GMT

I just wanted to follow up on this and see if you any other ideas. I haven't been able to find anything.

Re: Reducing the required Privilege Level to write to memory

JXGulotta — Tue, 16 Jul 2024 17:20:10 GMT

Figured out a solution. Posting here to share with others. The line that was missing was:

file privilege 14

This command lowers the privilege level required to access the file system to 14. Here's hoping someone else in the future finds this useful.

Re: Reducing the required Privilege Level to write to memory

Tiffany York — Thu, 08 Aug 2024 01:37:15 GMT

THANK YOU! This is exactly what I needed.

Re: Reducing the required Privilege Level to write to memory

JXGulotta — Thu, 08 Aug 2024 12:31:59 GMT

Happy to help!