AAA privilege levels

nagabhushana.k
Level 1

Hi All,

I am trying to understand AAA concept and its use along with CSACS using TACACS+ protocol.

As far as I understand, by default there are 3 different privilege levels available (Ref: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml)

    *    privilege level 1 = non-privileged (prompt is router>), the default level for logging in

    *    privilege level 15 = privileged (prompt is router#), the level after going into enable mode

    *    privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout

According to the above URL, it is possible to change the default privilege level of any command, and it can be either decreased or increased to any privilege level between 2 and 14. Up to this point, I understood it fine.

In a scenario where several administrators maintain routers, I would like to grant different administrators different levels of privilege, so that they are allowed to execute only certain commands of that particular privilege level. It is preferred to use the CSACS appliance for AAA authorization.

As I understand it is possible to grant administrators different privilege levels using CSACS by configuring shell privilege levels.

After an administrator is successfully authenticated, the corresponding privilege level access is granted. Since by default privilege levels 2-14 do not contain any commands (hope I got it right!!!), even though the administrator is granted access to a privilege level between 2 and 14, he would not be able to execute any command unless a command is added to that particular privilege level (either by decreasing or increasing it from its default privilege level).

I hope the above descriptions are right; if not, please help me to understand this concept. It would be a great help if anyone can redirect me to a useful URL with a detailed explanation of this topic.

Thank you,

Nagabhushan

2 Replies

Federico Ziliotto
Cisco Employee

Hi Nagabhushan,

What you described should be the correct behavior, except for one detail.
If the user's privilege level is lower than the privilege level of the command, the user is not allowed to issue the command.
This also means that, if a command is on privilege level 1, and you log in with a user on privilege level 2, this user is still able to issue that command.

To be allowed, a command does not necessarily have to be on the same privilege level as the user.
It should be enough for the user to be on a privilege level higher than or equal to the privilege level where the command was placed.

Instead of playing with privilege levels, some more granular filtering for command authorization could also be performed through command sets defined on ACS:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards,

Fede

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
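As an added example (not from the thread), this is what the privilege-level model discussed above looks like on a Cisco IOS router when the shell privilege level is assigned by the TACACS+ server; the server address, key, username and secret are placeholders.

```cisco
! Added example, not part of the original thread.
! Enable AAA and point at a TACACS+ (ACS) server; 10.0.0.5 and EXAMPLE_KEY are placeholders.
aaa new-model
tacacs-server host 10.0.0.5 key EXAMPLE_KEY
!
! Login via TACACS+, fall back to the local database if the server is unreachable.
aaa authentication login default group tacacs+ local
! EXEC authorization is what applies the privilege level (priv-lvl) returned by ACS.
aaa authorization exec default group tacacs+ local
! Per-command authorization for the levels in use, so ACS command sets can also be enforced.
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Levels 2-14 are empty by default. Move one level-15 command DOWN to 5
! and one level-1 command UP to 5. Result: a level-5 (or higher) user may run both,
! a level-1 user keeps the other level-1 commands but loses "show ip route",
! and a level-15 user is unaffected (higher than or equal to the command's level).
privilege exec level 5 clear counters
privilege exec level 5 show ip route
!
! Local fallback account at level 5 (REPLACE_ME is a placeholder, not a real secret).
username netops privilege 5 secret REPLACE_ME
```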

Hi Fede,

Thank you for your time.

The reply was very helpful. I need to read the document in URL yet. So, I will post a reply again after that.

Once again thank you for your help.

Regards,

Nagabhushan