command authorization using local user database

morbfrhtc
Beginner

Please, does anybody know how to configure exec and privilege-level command authorization based on the local user database?

I tried that, but I haven't done it yet.

Please write me a short step-by-step procedure.

Here are the commands which I have configured. Something is still missing, I think. Am I right?

username admin privilege 15 password 0 adm
username limited privilege 5 password 0 lim
aaa new-model
aaa authentication login default local
aaa authorization config-commands
aaa authorization exec default local
aaa authorization commands 5 default local
aaa authorization commands 15 default local
privilege exec level 5 sh ver
privilege exec level 5 sh ip int
privilege exec level 5 sh ip int brief

And finally, I am still able to run the "en" (enable) command in exec mode - for example

Thanks a lot.

3 Replies

abhishek_nandavat
Participant

Hi,

I think if you are using AAA for authentication, then you need to use the following command to specify the privilege level:

"privilege aaa-user level number keywords"

instead of what you have mentioned.

So your configuration should be like:

privilege aaa-user level 5 sh ver
privilege aaa-user level 5 sh ip int
privilege aaa-user level 5 sh ip int brief

Hope this helps.

Regards,

AbhisheK

Please rate all posts!!!

Anand Narayana
Frequent Contributor

Hi Morb,

Try the below; it will satisfy your needs.

username admin privilege 15 password
username user privilege 5 password
privilege exec level 15 configure terminal
privilege exec level 5 show
!
line vty 0 4
 password
 login local

Hope this helps.

Rate this post.

akorsvoll
Beginner

Hi,

The command "privilege exec level" only changes the privilege level for that command; it doesn't say what's allowed and deny the rest of the commands.

The command "privilege exec level 5 sh ip int bri" will also include the commands of which this is a subset:

privilege exec level 5 sh ip int
privilege exec level 5 sh ip

etc., unless otherwise specified.

The enable command is allowed at level 0 by default. If you set "privilege exec level 10 enable", then user "limited" will no longer be able to enable a higher privilege level.

Regards,

Anders
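A consolidated IOS configuration that pulls the thread's points together (exec authorization from the local database, a restricted "show" subset at level 5, and "enable" moved above level 5 so the limited user cannot escalate, as Anders describes) is given below. It is an added example and not taken from any of the posts. The usernames are the original poster's; the secrets are placeholders, and "username ... secret" replaces the posters' "password 0" so credentials are stored hashed rather than in cleartext. The "aaa authorization commands" lines are kept from the question for completeness; with only the local database, the per-command decision is the privilege level assigned by "privilege exec level", which is why the answers above concentrate on that command.

```cisco
! Added example, not from the thread.
! Placeholders: <ADMIN-SECRET>, <LIMITED-SECRET>, <ENABLE-SECRET>
!
! Local user database. "secret" stores a hash; "password 0" stores cleartext.
username admin privilege 15 secret <ADMIN-SECRET>
username limited privilege 5 secret <LIMITED-SECRET>
enable secret <ENABLE-SECRET>
!
! AAA against the local database: login, exec level, and command authorization.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization commands 5 default local
aaa authorization commands 15 default local
aaa authorization config-commands
!
! Commands the level-5 user may run. Moving "show ip interface brief" to
! level 5 also carries "show ip interface" and "show ip" with it, since they
! are the parent keywords of that command; "show version" is a separate branch.
privilege exec level 5 show version
privilege exec level 5 show ip interface brief
!
! "enable" is reachable from level 0 by default. Raising it above level 5
! (15 here; the level 10 suggested above works the same way) removes the
! escalation path for user "limited". User "admin" lands at level 15
! directly through exec authorization and does not need "enable".
privilege exec level 15 enable
!
! Verification, after logging in as each user:
!   show privilege            -> "Current privilege level is 5" for limited
!   show ip interface brief   -> accepted at level 5
!   configure terminal        -> rejected at level 5
!   enable                    -> no longer available at level 5
!   show running-config | include privilege
```

Test the limited account from a second session before closing the one logged in as admin, so that a mistake in the "privilege exec level" lines or a typo in a secret does not lock you out of the device.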
