Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
2922
Views
3
Helpful
5
Replies

Difference between authorization command 15 and 1

Go to solution
karenmelkonyanstu
Level 1
Level 1

‎04-29-2023 02:14 AM

Hi,
"aaa authorization commands 15 default group tacacs+ local if-authenticated"
1)Does above command authorize only level 15 users?
2)Or does it authorize all level users 0-15(inclusive)?
3)Or does it authorize only 2-15 levels (inclusive)?
Im a bit confused with this command becase on routerfreak website , above command is configured along with "aaa authorization commands 15 default group tacacs+ local if-authenticated" as a best practice.
This makes me think that may be command "aaa authorization commands 15 default group tacacs+ local if-authenticated" auhtorizes ONLY 2-15 level users and best practice also would be to authorize User Exec Mode as well which is level 1
Please shed a light on this.

AAA Best practice example: https://www.routerfreak.com/aaa-best-practices/comment-page-1/?unapproved=90953&moderation-hash=2342e87aa47d14b2dcf0af36ed7b3272#comment-90953

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP

‎04-29-2023 03:19 AM - edited ‎04-29-2023 03:19 AM

2)Or does it authorize all level users 0-15(inclusive)? NO 
3)Or does it authorize only 2-15 levels (inclusive)? Yes this correct 
that why you see 
aaa  authz command 1 <<- protect when you go from user0 to level 1
aaa authz command 15  <<- protect when you go from user0 to level 2-15

View solution in original post

5 Replies 5

Go to solution
MHM Cisco World
VIP
VIP

‎04-29-2023 03:19 AM - edited ‎04-29-2023 03:19 AM

2)Or does it authorize all level users 0-15(inclusive)? NO 
3)Or does it authorize only 2-15 levels (inclusive)? Yes this correct 
that why you see 
aaa  authz command 1 <<- protect when you go from user0 to level 1
aaa authz command 15  <<- protect when you go from user0 to level 2-15

Go to solution
MHM Cisco World
VIP
VIP
In response to MHM Cisco World

‎04-29-2023 03:28 AM - edited ‎04-29-2023 03:28 AM

Note :-
you can check the command effect by 
enable 1 <<- try this 
enable 2-15<<- try this

Go to solution
Flavio Miranda
VIP
VIP

‎04-29-2023 03:24 AM

Hello,

  This is from Cisco site:

"

Privilege Levels

By default, there are three command levels on the router:

  • privilege level 0—Includes the disable, enable, exit, help, and logout commands

  • privilege level 1—Includes all user-level commands at the router> prompt

  • privilege level 15—Includes all enable-level commands at the router> prompt"

And my conclusion for your query is that, if you use 15, it means all the previous level included  For example, if you give someone root privilege, and someone else admin privilege and to another person view-only privilege, the guy with root privilege have all the previous guy privilege included.

 And an interesting explanation about if-authenticated can be found here in the blog in another thread:

https://community.cisco.com/t5/network-access-control/if-authenticated/td-p/1248124 

 

Go to solution
karenmelkonyanstu
Level 1
Level 1

‎04-29-2023 08:08 AM

Thanks everyone for the response.

@Flavio Miranda Why here is > ,  should not it be # ??
"privilege level 15—Includes all enable-level commands at the router> prompt"

0 Helpful

Go to solution
Arne Bier
VIP
VIP

‎05-04-2023 01:33 PM

If the customer has TACACS+, then I tend to give all users Priv15, and based on their Role (SuperAdmin, Change Admin, ReadOnly) perform command authorization. The reason I use priv 15, is because a simple task like "show running-config" is not possible at any other level. Unless I am doing something wrong. Seems that showing the running config is considered a highly privileged thing (which it might be) - but if you have a junior engineer who needs to see the config (and make no changes) then you have to give them priv15 and limit the commands they can access. TACACS+ saves the day for me!

0 Helpful
Top