08-07-2006 03:53 AM - edited 03-03-2019 04:23 AM
Please, does anybody know how to configure exec and privilege level command authorization based on the local user database?
I tried that, but I haven't done it yet.
Please write me a short step-by-step procedure.
Here are the commands which I have configured. Something is still missing, I think. Am I right?
username admin privilege 15 password 0 adm
username limited privilege 5 password 0 lim
aaa new-model
aaa authentication login default local
aaa authorization config-commands
aaa authorization exec default local
aaa authorization commands 5 default local
aaa authorization commands 15 default local
privilege exec level 5 sh ver
privilege exec level 5 sh ip int
privilege exec level 5 sh ip int brief
And finally, I am still able to do the "en" (enable) command in exec mode - for example
Thanks a lot
08-07-2006 04:56 AM
Hi,
I think if you are using aaa for authentication, then you need to give the following command for specifying the privilege level:-
"privilege aaa-user level number keywords"
instead of what you have mentioned.
So your configuration should be like:-
privilege aaa-user level 5 sh ver
privilege aaa-user level 5 sh ip int
privilege aaa-user level 5 sh ip int brief
Hope this helps.
Regards,
AbhisheK
Please rate all posts!!!
08-07-2006 05:15 AM
Hi Morb,
Try the below. It will satisfy your needs.
username admin privilege 15 password
username user privilege 5 password
privilege exec level 15 configure terminal
privilege exec level 5 show
!
line vty 0 4
password
login local
Hope this helps.
Rate this post.
08-07-2006 06:33 AM
Hi,
The command "privilege exec level" only changes the privilege level for that command; it doesn't say what's allowed and deny the rest of the commands.
The command "privilege exec level 5 sh ip int bri" will also include the commands of which this is a subset.
privilege exec level 5 sh ip int
privilege exec level 5 sh ip
etc., unless otherwise specified.
The enable command is allowed by default in level 0. If you set "privilege exec level 10 enable" then user "limited" will no longer be able to enable a higher privilege level.
Regards,
Anders
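Added example (not part of the thread or any poster's code): a small Python audit that models the two behaviours described in the post above, namely that a "privilege exec level" line also moves each shorter prefix of the command, and that "enable" stays at level 0 unless it is moved. It assumes running-config style input with keywords written out in full; the sample config and the function names are constructed for illustration.

```python
import re

DEFAULT_ENABLE_LEVEL = 0  # per the post above: "enable" is allowed at level 0 by default

# Constructed sample, modelled on the configuration in the question.
SAMPLE_CONFIG = """\
username admin privilege 15 password 0 adm
username limited privilege 5 password 0 lim
privilege exec level 5 show ip interface brief
"""

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")
PRIV_RE = re.compile(r"^privilege\s+exec\s+level\s+(\d+)\s+(.+)$")


def parse(config):
    """Return ({user: level}, {command prefix: (level, explicit)})."""
    users, levels = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = int(m.group(2))
            continue
        m = PRIV_RE.match(line)
        if not m:
            continue
        level, words = int(m.group(1)), m.group(2).split()
        for i in range(1, len(words) + 1):
            prefix, explicit = " ".join(words[:i]), i == len(words)
            # An explicitly configured line wins over an implied prefix.
            if explicit or prefix not in levels:
                levels[prefix] = (level, explicit)
    return users, levels


def audit(config):
    """List implied prefix moves and non-admin users who can still run 'enable'."""
    users, levels = parse(config)
    enable_level = levels.get("enable", (DEFAULT_ENABLE_LEVEL, False))[0]
    findings = [f"implied: '{p}' also moves to level {lvl}"
                for p, (lvl, explicit) in sorted(levels.items()) if not explicit]
    for name, lvl in sorted(users.items()):
        if enable_level <= lvl < 15:
            findings.append(f"user '{name}' (level {lvl}) can still run "
                            f"'enable' (level {enable_level})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Appending "privilege exec level 10 enable" to the sample, as suggested in the post above, removes the finding for user "limited".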