
AAA Local Authorization....

darrenj
Level 1

Hello all. Hopefully, this will prove to be an easy question with a simple answer!

I want to configure local username/passwords on my router, with different privilege levels. For example, username admin is only allowed to access privilege level 1 commands, and username engineer is allowed to enter all commands (level 15). However, when I test this via console or telnet, both go into user mode to start with (Router>) and I can enter enable mode on both username logins by entering the enable password (Router#). Therefore, both usernames have the same access rights (to all commands) even though they have different privilege levels. I thought the privilege level 1 account would not be allowed to issue level 15 commands?

Can anyone point me in the right direction.....

!
aaa new-model
aaa authentication login default local
aaa authorization commands 1 default local
aaa authorization commands 15 default local
enable secret test
!
username admin privilege 1 password cisco1
username engineer privilege 15 password cisco2
!

Thanks.

5 Replies

Richard Burts
Hall of Fame

Darren

It seems to me that there is a fairly simple solution to your situation: do not give the enable password to users who should be restricted to level 1 commands.

No matter what privilege level they start at, anyone who can enter the correct enable password (or enable secret) will gain level 15 access.

HTH

Rick


Thanks Rick for the response. Like you say, there is a simple solution, but it makes me wonder why would you want to configure a privilege level if it doesn't have any effect?

Or does it have its uses elsewhere.....

Just typing enable defaults to enable 15

A careful look at the following commands should answer your question:

Router6>enable ?
  <0-15>  Enable level

Router6(config)#enable password ?
  0      Specifies an UNENCRYPTED password will follow
  7      Specifies a HIDDEN password will follow
  LINE   The UNENCRYPTED (cleartext) 'enable' password
  level  Set exec level password

Router6(config)#enable password le
Router6(config)#enable password level ?
  <1-15>  Level number

Victor

Is your ACS server configured with advanced tacacs+ settings? If so, under user setup, you can select "No enable privilege". They will not be allowed to enter enable mode even if they enter the correct password. With regard to local usernames and passwords, it only states what level they can start at. If they know the enable password, then they can get to enable mode.

viveksantuka
Level 1

Darren,

The privilege levels are used when you do not want to give full level 15 access to someone but only some commands.

For example, you may want a tech to be able to change the bandwidth of an interface and nothing else. So we reduce the privilege level of the interface bandwidth command to, say, 10 and give the tech level 10 access.
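As an added example (not posted by anyone in this thread), here is Darren's configuration extended with the approach Vivek describes: a level-10 tech who can change interface bandwidth and nothing else, with a separate enable secret per level so the level-15 secret never has to be shared. Hostname and all secrets are placeholders. It also adds aaa authorization exec default local, which is missing from Darren's config and is what makes IOS apply the username's privilege level to the session under aaa new-model.

```cisco
! Added example, not from the thread. Replace every <...> placeholder.
aaa new-model
aaa authentication login default local
! Apply the username's privilege level to the EXEC session at login.
! Without this line every local login starts at level 1 (Router>).
aaa authorization exec default local
aaa authorization commands 10 default local
aaa authorization commands 15 default local
!
! One enable secret per level. A level-10 user who types "enable"
! (which defaults to "enable 15") is prompted for the level-15 secret,
! so restricted users are never told it.
enable secret level 10 <level10-secret>
enable secret <level15-secret>
!
! Move only the commands the tech needs down to level 10. The modes that
! lead to "bandwidth" (configure terminal, interface) must move too, or
! the tech cannot reach the command at all.
privilege exec level 10 configure terminal
privilege configure level 10 interface
privilege interface level 10 bandwidth
!
username admin    privilege 1  secret <admin-secret>
username tech     privilege 10 secret <tech-secret>
username engineer privilege 15 secret <engineer-secret>
!
! Checks from a session logged in as "tech":
!   Router#show privilege
!   Current privilege level is 10
!   Router(config-if)#?
!   lists bandwidth plus the mode's built-in commands (exit, end, help),
!   nothing else; "enable" still asks for the level-15 secret.
```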