cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1807
Views
3
Helpful
5
Replies

Difference between authorization command 15 and 1

Hi,
"aaa authorization commands 15 default group tacacs+ local if-authenticated"
1)Does above command authorize only level 15 users?
2)Or does it authorize all level users 0-15(inclusive)?
3)Or does it authorize only 2-15 levels (inclusive)?
Im a bit confused with this command becase on routerfreak website , above command is configured along with "aaa authorization commands 15 default group tacacs+ local if-authenticated" as a best practice.
This makes me think that may be command "aaa authorization commands 15 default group tacacs+ local if-authenticated" auhtorizes ONLY 2-15 level users and best practice also would be to authorize User Exec Mode as well which is level 1
Please shed a light on this.

AAA Best practice example: https://www.routerfreak.com/aaa-best-practices/comment-page-1/?unapproved=90953&moderation-hash=2342e87aa47d14b2dcf0af36ed7b3272#comment-90953

Thanks

1 Accepted Solution

Accepted Solutions

2)Or does it authorize all level users 0-15(inclusive)? NO 
3)Or does it authorize only 2-15 levels (inclusive)? Yes this correct 
that why you see 
aaa  authz command 1 <<- protect when you go from user0 to level 1
aaa authz command 15  <<- protect when you go from user0 to level 2-15

View solution in original post

5 Replies 5

2)Or does it authorize all level users 0-15(inclusive)? NO 
3)Or does it authorize only 2-15 levels (inclusive)? Yes this correct 
that why you see 
aaa  authz command 1 <<- protect when you go from user0 to level 1
aaa authz command 15  <<- protect when you go from user0 to level 2-15

Note :-
you can check the command effect by 
enable 1 <<- try this 
enable 2-15<<- try this

Hello,

  This is from Cisco site:

"

Privilege Levels

By default, there are three command levels on the router:

  • privilege level 0—Includes the disable, enable, exit, help, and logout commands

  • privilege level 1—Includes all user-level commands at the router> prompt

  • privilege level 15—Includes all enable-level commands at the router> prompt"

And my conclusion for your query is that, if you use 15, it means all the previous level included  For example, if you give someone root privilege, and someone else admin privilege and to another person view-only privilege, the guy with root privilege have all the previous guy privilege included.

 And an interesting explanation about if-authenticated can be found here in the blog in another thread:

https://community.cisco.com/t5/network-access-control/if-authenticated/td-p/1248124 

 

Thanks everyone for the response.

@Flavio Miranda Why here is > ,  should not it be # ??
"privilege level 15—Includes all enable-level commands at the router> prompt"

Arne Bier
VIP
VIP

If the customer has TACACS+, then I tend to give all users Priv15, and based on their Role (SuperAdmin, Change Admin, ReadOnly) perform command authorization. The reason I use priv 15, is because a simple task like "show running-config" is not possible at any other level. Unless I am doing something wrong. Seems that showing the running config is considered a highly privileged thing (which it might be) - but if you have a junior engineer who needs to see the config (and make no changes) then you have to give them priv15 and limit the commands they can access. TACACS+ saves the day for me!