Re: command authorization using local user database

morbfrhtc · ‎07-31-2006

Pls, does anybody know how to configure exec and privilege level command authorization based on local user database.

I tried that, but I haven't done it yet.

pls., write me a short step-by-step procedure.

Here is commands which I have configured. Something still missing I thing. Am I right?

username admin privilege 15 password 0 adm

username limited privilege 5 password 0 lim

aaa new-model

aaa authentication login default local

aaa authorization config-commands

aaa authorization exec default local

aaa authorization commands 5 default local

aaa authorization commands 15 default local

privilege exec level 5 sh ver

privilege exec level 5 sh ip int

privilege exec level 5 sh ip int brief

And finally, I am still able to do "en"(enable) command in exec mode - for example

thx a lot

gfullage · ‎08-07-2006

Keep in mind though that "en" is a level 1 command, it has to be, otherwise you'd never be able to get out of level 1 into another level, right?

You've only set up authorization for level 5 commands, but this will still allow the user to do any level 1 commands (like "en" or even "quit").

You could move the enable command up to a level higher than level 5. Given that when you login as "admin" you'll go straight to level 15 access this would be OK, make sure you never remove that user though otherwise you'll never be able to get into "en" mode cause you won't have any users with the right privilege level to run it.

sebastan_bach · ‎08-10-2006

hi there since u are using local aaa. u have to specify the privilege levels and the commands the users are allowed to use. and since the level5 user is above level1 he will by default have access to all level 1 commands. to restrict the commands u can use a external acs. in which u can restrict each of the commands the user is trying to access. that will give u minute control.

regards

sebastan