AAA, Prvileged Level, Role-Based views

radumihai — Tue, 17 Mar 2020 21:44:01 GMT

Hi,

I'm learning about AAA, and i have a hard to correlate with what i have learned at Privileg Level and Role-Based Views . All i can test is in Packet Tracer

Let's take a scenario and assume I will use privilege levels 5, 10 and 15 on my router for 3 employes. We will call them user5, user10, user15 and all of them will have the password "userXpw" where X is the level. I configured the privilege levels ( what can every level do ).

How do i configur local AAA Authentication ? It will be something like this ? :

en
conf t

username user5 privilege 5 password user5pw
username user10 privilege 10 password user01pw
username user15 privilege 15 password user15pw

aaa new-model
aaa authentication login default local

line vty 0 15
login authentication default

But if i do this every time i log in into the router, i got at prvilege level 1, dosen't matter what user i use, what am i missing ?

Why when i log with a user that has level 10 i get at level 1 ? I expect to be at privilege level 5 ,10 ,15, depending on what user i use. Also, what effect in this case will have the command (config-line)#privilege level X

Now let's assume the same scenario, but i want server-based AAA. How do i config the router ? Some thing like this ?

en
conf t

aaa new-model
radius-server host 192.168.0.5 auth-port 1812
radius-server key aaasecret

aaa authentication login default group radius enable

line vty 0 15
login authentication default

But now when i configure the RADIUS server i dont specify a privilege levels. And when i log in into the router, i get at privilege level 1, again. So again, what am i missing ?

Should i make enable passwords for every level and when people log in with their user they would be at level 1 and after that they use "enable X" command ?

That was on privileged level. Now with Role-Based views. Let's assume i configured 3 views for 3 employes : view1, view2, view3

For local base AAA it will be something like this ?

en
conf t
aaa new-model
exit
enable root
conf t

Commands//VIEW Configuration

username user1 password user1
username user2 password user2
username user3 password user3

line vty 0 15
login local
privilege level 1 // (or 0 maybe ? )

Now kinda makes sense that you log in the router with your credentials and then you log into your view with "enable view X" where X is the name of the view.

And with server-based AAA it will be the same. I would configure 3 users and after they log in into the router, they would log in into the view.

Am I right, am I missing something ?

When i configured the list for authentication, i can configure fallbacks option. For exemple

aaa authentication login LIST-FOR-SSH group radius local

If the radius server is unreacheable, i can log in with a local user. But when i get at login , how do i know that it asks me for the credentials from the radius server or from local date base ? Do i just try the second one if the first doesn't work ?

With AAA, I see i can configure a authentication list for the enable:

(config)aaa authentication enable default ____ { group / enable / none }

What is the purpouse, how would that look in a plausible scenario, how would i use it ?

Thank you for your time reading this and trying to help me,

Radu

Re: AAA, Prvileged Level, Role-Based views

Francesco Molino — Fri, 20 Mar 2020 03:08:02 GMT

Hi

For your login using privileges you can add the command aaa authorization exec default local.
It will bring the user directly to the right enable mode with its privilege.
For views, i don't see your views config. Anyways, here is link that explains it well: https://www.networkworld.com/article/2229853/easy-role-based-access-on-cisco-routers-cli-views.html
And you're right, you need to login into your view to access what you're granted to have.
The aaa authentication enable is required if you want people to still type in an enable password to access the device. This enable can be checked using the local enable password or checking it into tacacs for example

topic Re: AAA, Prvileged Level, Role-Based views in Network Security

AAA, Prvileged Level, Role-Based views

Re: AAA, Prvileged Level, Role-Based views