
command authorization using local user database


Please, does anybody know how to configure exec and privilege-level command authorization based on the local user database?

I tried that, but I haven't done it yet.

Please write me a short step-by-step procedure.

Here are the commands I have configured. Something is still missing, I think. Am I right?

username admin privilege 15 password 0 adm
username limited privilege 5 password 0 lim
aaa new-model
aaa authentication login default local
aaa authorization config-commands
aaa authorization exec default local
aaa authorization commands 5 default local
aaa authorization commands 15 default local
privilege exec level 5 show version
privilege exec level 5 show ip interface
privilege exec level 5 show ip interface brief

And finally, I am still able to run the "en" (enable) command in exec mode, for example.

Thanks a lot.


Cisco Employee

Keep in mind, though, that "en" is a level 1 command; it has to be, otherwise you'd never be able to get out of level 1 into another level, right?

You've only set up authorization for level 5 commands, but this will still allow the user to do any level 1 commands (like "en" or even "quit").

You could move the enable command up to a level higher than level 5. Given that when you log in as "admin" you'll go straight to level 15 access, this would be OK. Make sure you never remove that user, though; otherwise you'll never be able to get into "en" mode because you won't have any users with the right privilege level to run it.
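The change the reply describes, written out as an added example (not taken from the thread): the asker's configuration with "enable" moved above level 5. It assumes level 15 as the new level for "enable" and replaces the plaintext passwords with hashed ones; the passwords themselves are placeholders.

```cisco
! Added example, not the original poster's configuration.
! Level 15 for "enable" is an assumption; any level above 5 achieves the same effect
! for the "limited" user. <admin-password>/<limited-password> are placeholders.
username admin privilege 15 secret <admin-password>
username limited privilege 5 secret <limited-password>
!
aaa new-model
aaa authentication login default local
! exec authorization is what drops "admin" straight into level 15 at login,
! so "admin" never needs to run "enable" at all.
aaa authorization exec default local
aaa authorization commands 5 default local
aaa authorization commands 15 default local
aaa authorization config-commands
!
! Commands the level-5 user is allowed to run.
privilege exec level 5 show version
privilege exec level 5 show ip interface
privilege exec level 5 show ip interface brief
!
! "enable" defaults to level 1, which is why the level-5 user could still run it.
! Raising it to level 15 takes it out of reach of anyone below level 15.
privilege exec level 15 enable
```

Before applying this, confirm from a second session that a level-15 user (here "admin") still logs in and lands at level 15 with "show privilege", since after this change no lower-level user can escalate with "enable" on this device.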