THE FASCINATING WORLD OF NETWORKING


aaa new-model

aaa authentication login default local

aaa authorization commands 5 default local

! Optional: to land directly at privilege level 5 after login:

aaa authorization exec default local

!

username juantron privilege 5 secret juantron

! Best practice is to create an administrator account

username juanma privilege 15 secret juanma

! You don't need to use the following command if aaa authorization exec default local was configured

enable secret level 5 cisco

privilege exec level 5 ping

!

int fa0/0

ip address 192.168.2.1 255.255.255.0

no shutdown

 

Let’s test this solution:

R2# telnet 192.168.2.1

Trying 192.168.2.1 ... Open

User Access Verification

Username: juantron

Password: <juantron>

R1#sh privilege

Current privilege level is 5

R1#ping 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R1#conf t

      ^

% Invalid input detected at '^' marker.

Privilege Levels and AAA Authorization

 

In IOS, Cisco does not perform authorization on the console by default. When you configure aaa authorization it is applied to the vty lines but not to the console. This is to make it harder for you to lock yourself out of the router or switch. If you want authorization to be applied on the console you must configure it explicitly, and be very careful that it is configured correctly or you can end up locked out of the router; think especially of how it will behave when you cannot reach the external AAA server that normally performs the authorization.

 

To test authorization on the console, you have to use the following command:

Router(config)#aaa authorization console

 

There are two options for assigning privilege levels to users, one involving AAA and one not.

Assigning privilege levels without AAA Authorization

Privilege levels define what commands a user can actually run on a router. There are three predefined privilege levels on Cisco routers: 0, 1 and 15:

privilege level 1 = non-privileged (prompt is switch>), the default level for logging in

privilege level 15 = privileged (prompt is switch#), the level after going into enable mode

privilege level 0 = non-privileged; includes 5 commands: disable, enable, exit, help, and logout

When you're in user exec mode, you're actually in privilege level 1, as verified with show privilege:

 

R2>show privilege

Current privilege level is 1

There is a huge gap in capability between levels 1 and 15, and the remaining levels 2-14 can be configured to fill that gap: a user assigned one of those levels can be allowed to run some commands, but not all of them.

 

NOTE: the prompt is # from privilege level 2 to 14.

 

Assume you have a user who should not be allowed to use the ping command, which by default can be run from privilege level 1:

R2>ping 172.1.1.1 (Success of the ping has been edited)

By moving the ping command to privilege level 5, a user must have at least that level of privilege in order to use ping. To change the privilege level of a command, use the privilege command.

R2(config)#privilege exec level 5 ping

R2(config)#enable secret level 5 cisco

A user must now have at least a privilege level of 5 to send a ping.

 

To test this:

R2#exit

R2>enable 5

Password:<cisco>

R2#sh privilege

Current privilege level is 5

R2#ping 1.1.1.1

% Unrecognized host or address, or protocol not running.

R2#conf t

      ^

% Invalid input detected at '^' marker.

 

Note: it is a Cisco best practice to create a user with privilege 15:

 

router(config)# username username privilege 15 {password | secret} secretpassword

router(config)#line console 0

router(config-line)#login local

router(config)#line vty 0 4

router(config-line)#login local

 

The user will be placed into privileged exec mode immediately after authenticating successfully. With this setup you don't need to specify an enable or secret password to reach privileged mode.

 

Note: it is also not necessary to define an enable or secret password for telnet access.

If you do not want the console to prompt for a password then configure this: line con 0; no login (Cisco default).

Assigning privilege levels with AAA Authorization

To enable AAA Authorization to use privilege levels, use the aaa authorization command followed by the appropriate option.

 

The full command to use the TACACS+ server to assign privilege levels, followed by the local database, is as follows:

Router(config)# aaa authorization commands 5 default group tacacs+ local
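The order of the methods in that list matters more than it looks. IOS walks the list from left to right and moves to the next method only when the current one cannot answer (for example the TACACS+ server does not respond); an explicit deny from a method is final and does not fall through to local. The following Python model is an added example, not code from this post or from Cisco; the TACACS+ "server", the local database and the user/command sets are constructed in-memory stand-ins, and treating an exhausted list as a deny is an assumption.

```python
"""Added example (not from the post or from Cisco): how an IOS method list such as
'aaa authorization commands 5 default group tacacs+ local' is walked. IOS tries
each method in order and moves on only when a method cannot answer (ERROR, e.g.
the TACACS+ server is unreachable); an explicit deny (FAIL) ends the lookup.
Both 'servers' below are constructed in-memory stand-ins."""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method answered: allowed
    FAIL = "fail"    # method answered: denied
    ERROR = "error"  # method could not answer (server down, no response)


def tacacs_method(reachable, permitted):
    """Constructed TACACS+ stand-in: 'permitted' is the set of (user, command) it allows."""
    def authorize(user, command):
        if not reachable:
            return Result.ERROR
        return Result.PASS if (user, command) in permitted else Result.FAIL
    return authorize


def local_method(user_levels, command_levels):
    """Local database stand-in: allow when the user's privilege level meets the command's."""
    def authorize(user, command):
        needed = command_levels.get(command, 15)   # assumption: unknown commands need level 15
        return Result.PASS if user_levels.get(user, 0) >= needed else Result.FAIL
    return authorize


def authorize(methods, user, command):
    """Walk the method list like IOS: ERROR -> next method, PASS/FAIL -> final answer."""
    for method in methods:
        result = method(user, command)
        if result is not Result.ERROR:
            return result
    return Result.FAIL  # assumption: an exhausted list is treated as a deny (fail closed)


# Constructed data mirroring the page's users and the 'ping' command moved to level 5.
LOCAL_LEVELS = {"juantron": 5, "juanma": 15}
COMMAND_LEVELS = {"ping": 5, "show privilege": 1, "configure terminal": 15}
SERVER_PERMITS = {("juantron", "ping"), ("juanma", "ping")}  # the server allows ping only


def decide(server_reachable, user, command):
    """Run 'group tacacs+ local' for one request and return the Result."""
    methods = [tacacs_method(server_reachable, SERVER_PERMITS),
               local_method(LOCAL_LEVELS, COMMAND_LEVELS)]
    return authorize(methods, user, command)


if __name__ == "__main__":
    for reachable in (True, False):
        for user, cmd in [("juanma", "configure terminal"),
                          ("juantron", "ping"),
                          ("juantron", "configure terminal")]:
            state = "up  " if reachable else "down"
            print(f"server {state} {user:9} {cmd:19} -> {decide(reachable, user, cmd).name}")
```

Note what happens to juanma: while the server is reachable his `configure terminal` is denied because the server says no, even though the local database would have allowed it; only when the server is unreachable does the local entry come into play. That is the case the console warning above is about: plan the fallback for the moment the AAA server is gone, not only for the moment it answers.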

 

Privilege levels can also be assigned via the router's local database. If you want to assign privilege levels on a per-user basis, configure usernames and passwords and use the privilege number keyword in the username command itself to give a privilege level to some users but not all.

Example:

R2(config)# username juanma privilege 5 password juantron

That would assign a privilege level of 5 to that particular user.
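To tie together the pieces used on this page (the configuration at the top, the `privilege exec level` / `enable secret level` section, and the per-user `username ... privilege` assignment just above), here is an added Python example, not code from the original post. It parses a constructed config excerpt modelled on the page's own, plus a hypothetical `helpdesk` user stored with `password` rather than `secret`, and then answers "can this user run this command?" with the rule the page describes: the user's level must be at least the level the command requires. The default command levels are only the ones the page names; treating every other command as level 15 is an assumption made so the check errs on the strict side.

```python
"""Added example (not from the original post): a small model of IOS privilege
levels built from a running-config excerpt, showing how 'privilege exec level',
'username ... privilege' and 'enable secret level' interact."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the page's configuration, plus a hypothetical
# 'helpdesk' user kept with 'password' instead of 'secret' so the audit has
# something to report.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization commands 5 default local
aaa authorization exec default local
username juantron privilege 5 secret juantron
username juanma privilege 15 secret juanma
username helpdesk password helpdesk
enable secret level 5 cisco
privilege exec level 5 ping
"""

# Default levels of the commands the page names (0, 1 or 15). Any other command
# is treated as level 15: an assumption chosen so the check errs on the strict side.
DEFAULT_COMMAND_LEVELS = {
    "disable": 0, "enable": 0, "exit": 0, "help": 0, "logout": 0,
    "ping": 1, "show": 1, "telnet": 1,
    "configure": 15,
}

USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? (secret|password) ")
PRIV_RE = re.compile(r"^privilege exec level (\d+) (\S+)")
ENABLE_RE = re.compile(r"^enable secret level (\d+) ")


@dataclass
class PrivilegeModel:
    users: dict = field(default_factory=dict)        # username -> privilege level
    weak_users: set = field(default_factory=set)     # users stored with 'password'
    command_levels: dict = field(default_factory=lambda: dict(DEFAULT_COMMAND_LEVELS))
    enable_levels: set = field(default_factory=set)  # levels having 'enable secret level N'
    aaa_lines: list = field(default_factory=list)

    def can_run(self, user, command):
        """True when the user's level is at least the level the command requires."""
        needed = self.command_levels.get(command.split()[0], 15)
        return self.users[user] >= needed

    def audit(self):
        """Findings a reviewer of this config would raise, based on the page's notes."""
        findings = []
        for u in sorted(self.weak_users):
            findings.append(f"user {u}: stored with 'password' instead of 'secret'")
        has_authz = any(l.startswith("aaa authorization") for l in self.aaa_lines)
        if has_authz and "aaa authorization console" not in self.aaa_lines:
            findings.append("aaa authorization is not applied to the console (IOS default)")
        if any(l.startswith("aaa authorization exec") for l in self.aaa_lines):
            for lvl in sorted(self.enable_levels):
                findings.append(f"enable secret level {lvl} is unnecessary with 'aaa authorization exec'")
        return findings


def parse_config(text):
    """Build a PrivilegeModel from the relevant lines of an IOS config."""
    model = PrivilegeModel()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blanks and comments
        if line.startswith("aaa "):
            model.aaa_lines.append(line)
        elif (m := USER_RE.match(line)):
            model.users[m.group(1)] = int(m.group(2)) if m.group(2) else 1  # IOS default is level 1
            if m.group(3) == "password":
                model.weak_users.add(m.group(1))
        elif (m := PRIV_RE.match(line)):
            model.command_levels[m.group(2)] = int(m.group(1))
        elif (m := ENABLE_RE.match(line)):
            model.enable_levels.add(int(m.group(1)))
    return model


if __name__ == "__main__":
    model = parse_config(SAMPLE_CONFIG)
    for user, cmd in [("juantron", "ping 192.168.2.1"), ("juantron", "configure terminal"),
                      ("juanma", "configure terminal"), ("helpdesk", "ping 192.168.2.1")]:
        print(f"{user:9} {cmd:20} -> {'allowed' if model.can_run(user, cmd) else 'denied'}")
    for finding in model.audit():
        print("AUDIT:", finding)
```

Run against the sample, `juantron` (level 5) can ping but not enter configuration mode, `juanma` (level 15) can do both, and `helpdesk` (default level 1) loses ping once `privilege exec level 5 ping` is present, which is exactly the behaviour shown in the telnet session at the top of the page. The audit reports the `password` user, the console gap described above, and the `enable secret level 5` line that the configuration comment says is not needed once `aaa authorization exec` is in place.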

 

Local AAA Authorization and GNS3 Example
