I'm learning about AAA, and i have a hard to correlate with what i have learned at Privileg Level and Role-Based Views . All i can test is in Packet Tracer
1)
Let's take a scenario and assume I will use privilege levels 5, 10 and 15 on my router for 3 employes. We will call them user5, user10, user15 and all of them will have the password "userXpw" where X is the level. I configured the privilege levels ( what can every level do ).
How do i configur local AAA Authentication ? It will be something like this ? :
aaa new-model aaa authentication login default local
line vty 0 15 login authentication default
But if i do this every time i log in into the router, i got at prvilege level 1, dosen't matter what user i use, what am i missing ?
Why when i log with a user that has level 10 i get at level 1 ? I expect to be at privilege level 5 ,10 ,15, depending on what user i use. Also, what effect in this case will have the command (config-line)#privilege level X
Now let's assume the same scenario, but i want server-based AAA. How do i config the router ? Some thing like this ?
aaa authentication login default group radius enable
line vty 0 15 login authentication default
But now when i configure the RADIUS server i dont specify a privilege levels. And when i log in into the router, i get at privilege level 1, again. So again, what am i missing ?
Should i make enable passwords for every level and when people log in with their user they would be at level 1 and after that they use "enable X" command ?
That was on privileged level. Now with Role-Based views. Let's assume i configured 3 views for 3 employes : view1, view2, view3
For local base AAA it will be something like this ?
line vty 0 15 login local privilege level 1 // (or 0 maybe ? )
Now kinda makes sense that you log in the router with your credentials and then you log into your view with "enable view X" where X is the name of the view.
And with server-based AAA it will be the same. I would configure 3 users and after they log in into the router, they would log in into the view.
Am I right, am I missing something ?
2)
When i configured the list for authentication, i can configure fallbacks option. For exemple
aaa authentication login LIST-FOR-SSH group radius local
If the radius server is unreacheable, i can log in with a local user. But when i get at login , how do i know that it asks me for the credentials from the radius server or from local date base ? Do i just try the second one if the first doesn't work ?
3)
With AAA, I see i can configure a authentication list for the enable:
For your login using privileges you can add the command aaa authorization exec default local. It will bring the user directly to the right enable mode with its privilege. For views, i don't see your views config. Anyways, here is link that explains it well: https://www.networkworld.com/article/2229853/easy-role-based-access-on-cisco-routers-cli-views.html And you're right, you need to login into your view to access what you're granted to have. The aaa authentication enable is required if you want people to still type in an enable password to access the device. This enable can be checked using the local enable password or checking it into tacacs for example
Thanks Francesco PS: Please don't forget to rate and select as validated answer if this answered your question
Learn, share, save
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
