Vary SSH login based on local user database privilege levels

djthomas4071
Level 1

Members,

I am working on a Packet Tracer lab and have the following snags:

Q1:

I have been asked to provide a mechanism to vary the IOS command mode granted for an SSH connection for a user, based on the default local aaa database privilege settings. E.g. a user with privilege 15 will default to Privileged EXEC mode whereas a user with privilege 0 will default to User EXEC mode.

I have the following configured:

aaa new-model
aaa authentication login default local enable
aaa authorization exec default local
username someadmin privilege 15 secret ***************************
username someuser secret ****************************
line vty 0 4
 login authentication default
 transport input ssh

When I SSH in to the router with either user account, the ssh terminal opens in User EXEC mode. I have no idea why this is happening.

Q2:

I have been asked to explicitly set case-sensitive login settings for the SSH connection on the VTY lines. I understand "local-case" to be the required setting but cannot find where to specify the command, despite a lot of reading on the internet. Interestingly, when I attempt to log in with deliberately wrong case in the username, the connection is refused.

Is this a red herring / a thing of the past that has made its way into the lab?

Much appreciated,

D

1 Reply

Philip D'Ath
VIP Alumni

Q1. This looks correct to me. You should not need the command "login authentication default" under the line configuration. AAA will do this anyway.

Q2. Never tried it myself, but use "aaa authentication login default local-case enable".
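
The settings discussed in this thread can be checked mechanically. The following is an added example, not code from either poster: a small Python audit that reads IOS configuration text and reports the login method lists, the exec authorization lists, each local user's privilege level, and any login list that uses "local" rather than "local-case". The function name `audit_aaa` and the sample text (the question's configuration with the secrets replaced by placeholders) are constructed for illustration.

```python
import re

# Constructed sample: the configuration from the question, secrets replaced by placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local enable
aaa authorization exec default local
username someadmin privilege 15 secret <placeholder>
username someuser secret <placeholder>
line vty 0 4
 login authentication default
 transport input ssh
"""


def audit_aaa(config: str) -> dict:
    """Summarise the AAA settings discussed in the thread from IOS config text."""
    report = {"login_methods": {}, "exec_authorization": {}, "users": {}, "findings": []}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m:
            report["login_methods"][m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"aaa authorization exec (\S+) (.+)", line)
        if m:
            report["exec_authorization"][m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"username (\S+)(?: privilege (\d+))?", line)
        if m:
            # IOS assigns privilege level 1 when the privilege keyword is omitted.
            report["users"][m.group(1)] = int(m.group(2) or 1)
    # Flag login lists that use "local" where "local-case" was asked for.
    for name, methods in report["login_methods"].items():
        if "local" in methods and "local-case" not in methods:
            report["findings"].append(f"login list '{name}' uses 'local', not 'local-case'")
    if not report["exec_authorization"]:
        report["findings"].append("no 'aaa authorization exec' method list configured")
    return report


if __name__ == "__main__":
    for key, value in audit_aaa(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```
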