Vary SSH login based on local user database privilege levels
04-16-2016 11:51 AM - edited 03-10-2019 11:40 PM
Members,
I am working on a Packet Tracer lab and have the following snags:
Q1:
I have been asked to provide a mechanism to vary the IOS command mode granted for an SSH connection for a user, based on the default local aaa database privilege settings. E.g. a user with privilege 15 will default to Privileged EXEC mode whereas a user with privilege 0 will default to User EXEC mode.
I have the following configured:
aaa new-model
aaa authentication login default local enable
aaa authorization exec default local
username someadmin privilege 15 secret ***************************
username someuser secret ****************************
line vty 0 4
 login authentication default
 transport input ssh
When I SSH in to the router with either user account, the ssh terminal opens in User EXEC mode. I have no idea why this is happening.
Q2:
I have been asked to explicitly set case-sensitive login settings for the SSH connection on the VTY lines. I understand "local-case" to be the required setting but cannot find where to specify the command, despite a lot of reading on the internet. Interestingly, when I attempt to log in with deliberately wrong case in the username, the connection is refused.
Is this a red herring / a thing of the past that has made its way into the lab?
Much appreciated,
D
04-17-2016 01:40 PM
Q1. This looks correct to me. You should not need the command "login authentication default" under the line configuration. AAA will do this anyway.
Q2. Never tried it myself, but use "aaa authentication login default local-case enable".
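
An added example, not part of the original thread: a small Python check that reads an IOS configuration and reports on the three settings discussed above (login method list using "local" versus "local-case", presence of an exec authorization list, and SSH-only VTY transport). The function name `audit`, the sample text and the `<redacted>` placeholders are constructed for illustration; the sample mirrors the configuration posted in the question.

```python
# Constructed sample mirroring the configuration posted in the question.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local enable
aaa authorization exec default local
username someadmin privilege 15 secret <redacted>
username someuser secret <redacted>
line vty 0 4
 login authentication default
 transport input ssh
"""

def audit(config):
    """Return a list of findings for the AAA/VTY settings discussed in the thread."""
    lines = [ln.rstrip() for ln in config.splitlines() if ln.strip()]
    top = [ln for ln in lines if not ln.startswith(" ")]   # global-mode commands
    findings = []
    if "aaa new-model" not in top:
        findings.append("aaa new-model is not enabled")
    # 'local-case' is the method keyword that makes username matching case-sensitive.
    for ln in top:
        words = ln.split()
        if words[:3] == ["aaa", "authentication", "login"] and len(words) > 3:
            name, methods = words[3], words[4:]
            if "local" in methods:
                findings.append(f"login list '{name}' uses 'local', not 'local-case'")
    # Exec authorization is the step that assigns the user's privilege level at login.
    if not any(ln.startswith("aaa authorization exec ") for ln in top):
        findings.append("no 'aaa authorization exec' list configured")
    # Collect the sub-commands under each 'line vty' block and check the transport.
    vty, current = {}, None
    for ln in lines:
        if not ln.startswith(" "):
            current = ln if ln.startswith("line vty") else None
            if current:
                vty[current] = []
        elif current:
            vty[current].append(ln.strip())
    for header, body in vty.items():
        if "transport input ssh" not in body:
            findings.append(f"{header}: transport input is not restricted to ssh")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
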
