local authorization

Antonio_1_2
Level 1

Hi,

Is it possible to do authorization using the local database (not TACACS or RADIUS)?

I have a username admin that has to have access to configuration on the router. I also have usernames and passwords for IPsec users, but they shouldn't have access to configuration. But both (if they know the enable secret) can enter privileged level.

Here is the config output:

aaa new-model
!
aaa authentication login USAUTH local
aaa authorization console
aaa authorization exec USAUTH local
aaa authorization commands 0 USAUTH local
aaa authorization commands 15 USAUTH local
!
username admin privilege 15 password 7 044D0E0D06
username user1 privilege 0 password 7 121013161C
username user2 privilege 0 password 7 121B0A051D
!
line con 0
 authorization commands 0 USAUTH
 authorization commands 15 USAUTH
 authorization exec USAUTH
 login authentication USAUTH

4 Replies

ethiel
Level 3

Your config looks appropriate to accomplish what you are trying to. I use this (usually as backup for TACACS), and it works great. Have you tried your config and had issues? The only difference from my working configs is I do not have aaa authoriz commands 0 and 15 in my config.

One side note, if it's a recent IOS I suggest using secret instead of password for your local users. That will prevent the password from being reversed if someone gets your config. For example:

username admin priv 15 secret mypassword

Hope this helps.

Hi,

Yes, I tried that config and it doesn't work. It works with TACACS, but with local authentication/authorization all users, regardless of privilege level, can enter privileged mode (enable) if they know the appropriate enable secret.

Is there a way that I can accomplish this with local authorization: when user1 tries to enter enable mode, he will be rejected because he has privilege level 0?

Thanks,

Vedran

Hi,

I hope I understand your need correctly. A user logging in at a privilege level other than 15 should use the enable command in this form:

enable [privilege-level] [view [view-name]]

So for privilege level 0, use the command "enable 0".

Hope it will help you.

Michal

Hi,

I forgot to mention that you should also define the permitted command set for the appropriate privilege level using the privilege or privilege level commands. A link to the reference guide is provided below:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124tcr/tsec_r/sec_p1ht.htm#wp1215217

Nice day.

Michal
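Putting Michal's two replies together (the enable [privilege-level] form and the privilege command assignments), here is a worked configuration for the situation in the original question. It is an added example, not the original poster's config or anything posted in the thread. The privilege level 3, the list of commands moved to it, the vty lines and the placeholder secrets are all assumptions chosen for illustration. The design point is that with the local method the secret for a level, not the username, is what gates entry to that level, so the IPsec users get their own enable secret for level 3 and are never given the level-15 secret, while configure terminal is deliberately left at level 15.

```cisco
! Added example, not the original poster's config. Level 3, the command
! list and all secrets below are assumptions chosen for illustration.
aaa new-model
aaa authentication login USAUTH local
aaa authorization exec USAUTH local
!
! One secret per privilege level. Only admin is told the level-15 secret.
! Placeholder values; replace before use.
enable secret level 15 Adm1n-0nly-Secret
enable secret level 3 IPsec-0nly-Secret
!
! exec authorization drops each user at the level set on the username.
! secret (not password 7) so the hash cannot be reversed from the config.
username admin privilege 15 secret Adm1nPassw0rd
username user1 privilege 3 secret User1Passw0rd
username user2 privilege 3 secret User2Passw0rd
!
! Move only the commands the IPsec users need down to level 3.
! configure terminal stays at 15, so a level-3 user cannot enter config mode.
privilege exec level 3 ping
privilege exec level 3 traceroute
privilege exec level 3 show ip interface brief
privilege exec level 3 show crypto isakmp sa
privilege exec level 3 show crypto ipsec sa
!
line con 0
 authorization exec USAUTH
 login authentication USAUTH
! assumed: the IPsec users also log in over telnet/ssh
line vty 0 4
 authorization exec USAUTH
 login authentication USAUTH
```

After login, user1 lands directly at level 3 (show privilege confirms it). A bare enable asks for the level-15 secret and fails for anyone who does not hold it; enable 3 is the form to use if a user ever lands below their intended level, and it asks for the level-3 secret. To check the effect, log in as user1 and try configure terminal, which should be rejected as an unrecognized command at level 3, then log in as admin and confirm that enable with the level-15 secret still reaches configuration mode.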