Solved: aaa authorization commands levels

raghavendran.r · ‎02-05-2018

i was replacing faulty device and faced below issue.

before putting device into production configured via console

1 .configured : enable secret 5 <string>

2.configured : username <> secret 5 <string>

3 .router#line console

router#login local

then i configured aaa new model , after pasting all aaa command lines , i coundlt execute anything even show commands was not working...

some can help me to understand what went wrong .. i configured login local for console before configuring aaa , is that could be a issue ?

Richard Burts · ‎02-08-2018

I do not understand your response about what string you used. But if you were able to log out and then log in again using that ID then it indicates that the string was correct.

I am not sure why you got locked out from executing any commands. My guess is that it has something to do with the group cisco parameter in your commands. Ordinarily I would think that the parameter if-authenticated would prevent the lock out. But for some reason it did not. When you got locked out did you try to logout and then log back in? Perhaps it needed a new authentication after the configuration was done.

Getting locked out is one of the things to be cautious about when configuring aaa. I have a few observations about that:

1) First is to not copy run start until you have thoroughly tested the config changes. As you demonstrated a simple reboot/power cycle is the easy way to recover from a problem if the changes have not been saved.

2) When configuring aaa I frequently use the capability to schedule a reload using the command reload in X (guess at how long it will take to make the changes and add little margin). With the scheduled reload if your changes do lock you out then the scheduled reload will reboot and discard the changes. If the changes do not cause any problem then you simply cancel the scheduled reload. This is especially useful if you are configuring a device that is not local.

3) I would suggest not turning on authorization for the console until your changes are made and tested. By default aaa authorization works on vty connections (telnet or SSH) but not on console. So you can make changes, then test them using telnet or SSH, and if there is a problem then the console session should still work and allow you to fix the problem without requiring a reload/reboot.

aaa authorization console

Once the authorization commands have been tested then you can enable authorization for the console.

HTH

Rick

HTH

Rick

View solution in original post

Seb Rupik · ‎02-05-2018

Hi there,

The aaa commands that you pasted in, was one of the aaa authorization default xxx?

If you changed that to anything but local, then you would have immediately affected the vty line you were logged in on.

I always have these in the aaa commands I paste in:

!
aaa authentication login default local
aaa authorization exec default local
aaa authorization commands 15 default local
!

cheers,

Seb.

raghavendran.r · ‎02-05-2018

Hi Rupik,

Thanks for responding

aaa authentication login default group cisco local

aaa authentication enable default group cisco enable

aaa authorization console

aaa authorization config-commands

aaa authorization exec default group cisco if-authenticated

aaa authorization commands 0 default group cisco if-authenticated

aaa authorization commands 1 default group cisco if-authenticated

aaa authorization commands 15 default group cisco if-authenticated

aaa accounting update newinfo periodic 15

aaa accounting exec default start-stop group cisco

aaa accounting commands 15 default start-stop group cisco

aaa accounting system default start-stop group cisco

i was pasted above lines , and was into console... because router not in production

Richard Burts · ‎02-07-2018

The original post emphasizes that login local was configured. Once you have entered aaa new-model then that over rides login local. If you are configuring aaa authentication to use local resources then it winds up with the same effect, but login local is no longer controlling the login process.

You indicate that you have done these

1 .configured : enable secret 5 <string>

2.configured : username <> secret 5 <string>

was the string that you used the encrypted value of the password or was the string that you used the clear text password?

HTH

Rick

HTH

Rick

raghavendran.r · ‎02-08-2018

Hi ..

I have used string

Richard Burts · ‎02-08-2018

I do not understand your response about what string you used. But if you were able to log out and then log in again using that ID then it indicates that the string was correct.

I am not sure why you got locked out from executing any commands. My guess is that it has something to do with the group cisco parameter in your commands. Ordinarily I would think that the parameter if-authenticated would prevent the lock out. But for some reason it did not. When you got locked out did you try to logout and then log back in? Perhaps it needed a new authentication after the configuration was done.

Getting locked out is one of the things to be cautious about when configuring aaa. I have a few observations about that:

1) First is to not copy run start until you have thoroughly tested the config changes. As you demonstrated a simple reboot/power cycle is the easy way to recover from a problem if the changes have not been saved.

2) When configuring aaa I frequently use the capability to schedule a reload using the command reload in X (guess at how long it will take to make the changes and add little margin). With the scheduled reload if your changes do lock you out then the scheduled reload will reboot and discard the changes. If the changes do not cause any problem then you simply cancel the scheduled reload. This is especially useful if you are configuring a device that is not local.

3) I would suggest not turning on authorization for the console until your changes are made and tested. By default aaa authorization works on vty connections (telnet or SSH) but not on console. So you can make changes, then test them using telnet or SSH, and if there is a problem then the console session should still work and allow you to fix the problem without requiring a reload/reboot.

aaa authorization console

Once the authorization commands have been tested then you can enable authorization for the console.

HTH

Rick

HTH

Rick

raghavendran.r · ‎02-08-2018

Hi Burt ,

Thank you very much for your time and detailed explanation.

its really useful ..I will follow up the same when ever I do aaa configuration for prod devices.

Richard Burts · ‎02-08-2018

You are welcome. I am glad that my explanations were helpful. Thank you for marking this question as solved. This will help other readers in the forum to identify discussions which have helpful information.

I hope to see you continue to be active in the forum.

HTH

Rick

HTH

Rick

raghavendran.r · ‎02-08-2018

Hi Richard ,

as mentioned in original post ,I have configured login local to console line ... then I came out of device to check console access password and username , following that it was asking and I logged into device with that console seession I was configuring aaa , after some aaa config lines ,, device not excepting any command line then I restarted router , NOte : I didn't write anything to startup , I made easy to clean up the aaa

raghavendran.r · ‎02-08-2018

what is the correct way to apply aaa on device without locking out ourself.

Thanks in advance