Difference between authorization command 15 and 1

Hi,
"aaa authorization commands 15 default group tacacs+ local if-authenticated"
1)Does above command authorize only level 15 users?
2)Or does it authorize all level users 0-15(inclusive)?
3)Or does it authorize only 2-15 levels (inclusive)?
I'm a bit confused with this command because on the routerfreak website, the above command is configured along with "aaa authorization commands 15 default group tacacs+ local if-authenticated" as a best practice.
This makes me think that maybe the command "aaa authorization commands 15 default group tacacs+ local if-authenticated" authorizes ONLY level 2-15 users, and best practice would also be to authorize User Exec Mode as well, which is level 1.
Please shed a light on this.

AAA Best practice example: https://www.routerfreak.com/aaa-best-practices/comment-page-1/?unapproved=90953&moderation-hash=2342e87aa47d14b2dcf0af36ed7b3272#comment-90953

Thanks

Accepted Solution

2)Or does it authorize all level users 0-15(inclusive)? NO
3)Or does it authorize only 2-15 levels (inclusive)? Yes, this is correct.
That's why you see:
aaa authz command 1 <<- protects when you go from user0 to level 1
aaa authz command 15 <<- protects when you go from user0 to level 2-15



Note:
You can check the command effect by:
enable 1 <<- try this
enable 2-15 <<- try this
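As an added audit check (not code from the thread), the following Python script parses a constructed running-config excerpt and lists the privilege levels that have no "aaa authorization commands N" line of their own, then prints the lines that would close the gap. It assumes the documented IOS behaviour that each such line applies only to commands at exactly level N, so the default levels 0, 1 and 15 and any custom level referenced by "privilege ... level N" or "username ... privilege N" each need one; SAMPLE_CONFIG and its username are made up for the example.

```python
import re

# Constructed running-config excerpt for the example (not from the thread).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
username junior privilege 7 secret PLACEHOLDER
privilege exec level 7 show logging
privilege exec level 1 show ip route
"""

# Privilege levels that exist on every IOS device by default.
DEFAULT_LEVELS = {0, 1, 15}

# One 'aaa authorization commands N ...' line covers only level N.
AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+)\s", re.M)
# Custom levels show up in 'privilege <mode> level N' and 'username X privilege N'.
CUSTOM_LEVEL_RE = re.compile(
    r"^(?:privilege \S+ level|username \S+ privilege) (\d+)\b", re.M)


def authorized_levels(config):
    """Levels that have their own command-authorization line."""
    return {int(m.group(1)) for m in AUTHZ_RE.finditer(config)}


def levels_in_use(config):
    """Default levels plus every custom level the config references."""
    custom = {int(m.group(1)) for m in CUSTOM_LEVEL_RE.finditer(config)}
    return DEFAULT_LEVELS | custom


def unauthorized_levels(config):
    """Levels whose commands would run without TACACS+ command authorization."""
    return sorted(levels_in_use(config) - authorized_levels(config))


def authz_fix_lines(config, method="default group tacacs+ local if-authenticated"):
    """Config lines that would cover each uncovered level with the given method list."""
    return [f"aaa authorization commands {lvl} {method}"
            for lvl in unauthorized_levels(config)]


if __name__ == "__main__":
    for line in authz_fix_lines(SAMPLE_CONFIG):
        print(line)
```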

Hello,

This is from the Cisco site:

"

Privilege Levels

By default, there are three command levels on the router:

  • privilege level 0—Includes the disable, enable, exit, help, and logout commands

  • privilege level 1—Includes all user-level commands at the router> prompt

  • privilege level 15—Includes all enable-level commands at the router> prompt"

And my conclusion for your query is that, if you use 15, it means all the previous levels are included. For example, if you give someone root privilege, someone else admin privilege and another person view-only privilege, the guy with root privilege has all the previous guys' privileges included.

 And an interesting explanation about if-authenticated can be found here in the blog in another thread:

https://community.cisco.com/t5/network-access-control/if-authenticated/td-p/1248124 


Thanks everyone for the response.

@Flavio Miranda Why is it > here? Shouldn't it be # ??
"privilege level 15—Includes all enable-level commands at the router> prompt"

Arne Bier
VIP

If the customer has TACACS+, then I tend to give all users Priv15, and based on their Role (SuperAdmin, Change Admin, ReadOnly) perform command authorization. The reason I use priv 15 is because a simple task like "show running-config" is not possible at any other level. Unless I am doing something wrong. Seems that showing the running config is considered a highly privileged thing (which it might be) - but if you have a junior engineer who needs to see the config (and make no changes) then you have to give them priv15 and limit the commands they can access. TACACS+ saves the day for me!