04-29-2023 02:14 AM
Hi,
"aaa authorization commands 15 default group tacacs+ local if-authenticated"
1) Does the above command authorize only level 15 users?
2) Or does it authorize all level users 0-15 (inclusive)?
3) Or does it authorize only levels 2-15 (inclusive)?
I'm a bit confused with this command because on the routerfreak website, the above command is configured along with "aaa authorization commands 15 default group tacacs+ local if-authenticated" as a best practice.
This makes me think that maybe the command "aaa authorization commands 15 default group tacacs+ local if-authenticated" authorizes ONLY level 2-15 users, and the best practice would also be to authorize User EXEC mode as well, which is level 1.
Please shed a light on this.
AAA Best practice example: https://www.routerfreak.com/aaa-best-practices/comment-page-1/?unapproved=90953&moderation-hash=2342e87aa47d14b2dcf0af36ed7b3272#comment-90953
Thanks
04-29-2023 03:19 AM - edited 04-29-2023 03:19 AM
2) Or does it authorize all level users 0-15 (inclusive)? NO
3) Or does it authorize only levels 2-15 (inclusive)? Yes, this is correct.
That's why you see
aaa authz command 1 <<- protects when you go from user 0 to level 1
aaa authz command 15 <<- protects when you go from user 0 to level 2-15
04-29-2023 03:28 AM - edited 04-29-2023 03:28 AM
Note:
You can check the command's effect by
enable 1 <<- try this
enable 2-15 <<- try this
04-29-2023 03:24 AM
Hello,
This is from Cisco site:
"By default, there are three command levels on the router:
privilege level 0—Includes the disable, enable, exit, help, and logout commands
privilege level 1—Includes all user-level commands at the router> prompt
privilege level 15—Includes all enable-level commands at the router> prompt"
And my conclusion for your query is that, if you use 15, it means all the previous levels are included. For example, if you give someone root privilege, someone else admin privilege and another person view-only privilege, the guy with root privilege has all the previous guys' privileges included.
And an interesting explanation about if-authenticated can be found here in the blog in another thread:
https://community.cisco.com/t5/network-access-control/if-authenticated/td-p/1248124
04-29-2023 08:08 AM
Thanks everyone for the response.
@Flavio Miranda Why is it > here? Shouldn't it be #?
"privilege level 15—Includes all enable-level commands at the router> prompt"
05-04-2023 01:33 PM
If the customer has TACACS+, then I tend to give all users priv 15 and, based on their role (SuperAdmin, Change Admin, ReadOnly), perform command authorization. The reason I use priv 15 is that a simple task like "show running-config" is not possible at any other level. Unless I am doing something wrong. It seems that showing the running config is considered a highly privileged thing (which it might be) - but if you have a junior engineer who needs to see the config (and make no changes), then you have to give them priv 15 and limit the commands they can access. TACACS+ saves the day for me!
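Putting the two answers together (the "commands 1" / "commands 15" pair from the accepted answer, and the "everyone gets priv 15, the TACACS+ role decides which commands are allowed" model from the last post), here is an added IOS AAA configuration example; it is not from the thread or from the routerfreak page, and the server name, address and keys are constructed placeholders. The per-role allow/deny lists (for example a ReadOnly role that may run show commands but not configure) are defined on the TACACS+ server, not on the router.

```cisco
! Added example, not from the thread. Server address and keys are placeholders.
aaa new-model
!
tacacs server TAC1
 address ipv4 192.0.2.10
 key EXAMPLE-KEY-CHANGE-ME
!
aaa group server tacacs+ TAC-GROUP
 server name TAC1
!
! Login and enable passwords are checked at TACACS+ first; the local
! database / enable secret are only consulted if no server answers.
aaa authentication login default group TAC-GROUP local
aaa authentication enable default group TAC-GROUP enable
!
! Exec authorization lets the server hand back the privilege level (priv 15
! for everyone in the last post's model).
aaa authorization exec default group TAC-GROUP local if-authenticated
!
! "commands 1"  : commands typed at user EXEC (level 1) go to TACACS+ for authorization.
! "commands 15" : every command typed at levels 2-15 (i.e. after "enable") goes as well.
! Without the "commands 1" line, level 1 commands are never checked.
! "if-authenticated": if every server is unreachable, a user who already
! authenticated is allowed to run the command instead of being locked out.
aaa authorization commands 1 default group TAC-GROUP local if-authenticated
aaa authorization commands 15 default group TAC-GROUP local if-authenticated
!
! Config-mode commands follow the "commands 15" rule by default; stated
! explicitly so a stray "no" form cannot silently exempt them.
aaa authorization config-commands
!
! Accounting records every accepted and denied command on the server,
! which is the audit trail for the "ReadOnly may show, may not configure" roles.
aaa accounting commands 1 default start-stop group TAC-GROUP
aaa accounting commands 15 default start-stop group TAC-GROUP
!
! Local fallback account, only ever used when all TACACS+ servers are down.
username fallback-admin privilege 15 secret CHANGE-ME
```

To verify the effect as the accepted answer suggests, log in as a ReadOnly role user, run a show command at level 1 and again after "enable", then attempt "configure terminal"; the router should accept the show commands and reject configure, and the server's accounting log should show one entry per attempt.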