Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
539
Views
0
Helpful
2
Replies

command authorization using local user database

morbfrhtc
Beginner
Beginner

‎07-31-2006 11:37 PM - edited ‎03-10-2019 02:41 PM

Pls, does anybody know how to configure exec and privilege level command authorization based on local user database.

I tried that, but I haven't done it yet.

pls., write me a short step-by-step procedure.

Here is commands which I have configured. Something still missing I thing. Am I right?

username admin privilege 15 password 0 adm

username limited privilege 5 password 0 lim

aaa new-model

aaa authentication login default local

aaa authorization config-commands

aaa authorization exec default local

aaa authorization commands 5 default local

aaa authorization commands 15 default local

privilege exec level 5 sh ver

privilege exec level 5 sh ip int

privilege exec level 5 sh ip int brief

And finally, I am still able to do "en"(enable) command in exec mode - for example

thx a lot

Labels:
0 Helpful
2 Replies 2

gfullage
Cisco Employee
Cisco Employee

‎08-07-2006 09:44 PM

Keep in mind though that "en" is a level 1 command, it has to be, otherwise you'd never be able to get out of level 1 into another level, right?

You've only set up authorization for level 5 commands, but this will still allow the user to do any level 1 commands (like "en" or even "quit").

You could move the enable command up to a level higher than level 5. Given that when you login as "admin" you'll go straight to level 15 access this would be OK, make sure you never remove that user though otherwise you'll never be able to get into "en" mode cause you won't have any users with the right privilege level to run it.