From: Gustavo Novais (gustavo.novais@novabase.pt)
Date: Wed Oct 12 2005 - 09:45:58 GMT-3
Hi
Just one suggestion...
Authentication is access to the router (granted|denied).
Authorization is what you can do. Fits very well with what will be the
privilege level that a user may have.
Have you tried forcing the router at looking at authorization level?
You seem to be only looking at authentication...
! the named exec-authorization list comes after the "exec" keyword
aaa authorization exec CON local
!
line con 0
 authorization exec CON
Beware locking yourself out of the router!!
I don't have any router now for testing, but it seems to me that this
may be the answer you are seeking.
HTH
Gustavo
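As an added example that is not part of either message in this thread, here is a small Python audit that checks an IOS-style configuration for exactly the gap Gustavo describes: a line that authenticates users through an AAA login list but applies no exec authorization list, so the privilege level on the "username ... privilege N" entries is never enforced. The two embedded samples are constructed from Dave's AAA configuration as quoted below, once as posted and once with the exec authorization list added. The parser does not rely on indentation (the archive stripped it), method list names are compared exactly as written, and a "default" exec list is assumed to cover lines with no explicit list.

```python
"""Added example (not from either message in the thread): audit an IOS-style
configuration for lines that authenticate users through an AAA login list
but never apply an exec authorization list, which is what leaves the
per-user privilege level unenforced in Dave's AAA scenario."""

# Constructed sample: Dave's "AAA Configuration" as quoted in the thread.
AAA_BEFORE = """
aaa new-model
aaa authentication login con local
username level15 privilege 15 password 0 level15
username level7 privilege 7 password 0 level7
line con 0
 login authentication con
line aux 0
line vty 0 4
 login authentication con
end
"""

# Constructed sample: the same config with the exec authorization list
# Gustavo suggests, defined globally and applied to console and vty.
AAA_AFTER = """
aaa new-model
aaa authentication login con local
aaa authorization exec CON local
username level15 privilege 15 password 0 level15
username level7 privilege 7 password 0 level7
line con 0
 login authentication con
 authorization exec CON
line aux 0
line vty 0 4
 login authentication con
 authorization exec CON
end
"""

# Commands that always return the parser to global configuration mode.
GLOBAL_PREFIXES = ("aaa ", "username ", "hostname ", "interface ", "ip ", "end")


def parse_config(text):
    """Split a config into global commands and per-'line' sub-commands.

    Indentation is not relied on (the mail archive stripped it), so a command
    after 'line ...' belongs to that line until a global keyword appears."""
    global_cmds, line_cmds, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if cmd.startswith("line "):
            current = cmd[len("line "):]
            line_cmds.setdefault(current, [])
        elif current is None or cmd.startswith(GLOBAL_PREFIXES):
            current = None
            global_cmds.append(cmd)
        else:
            line_cmds[current].append(cmd)
    return global_cmds, line_cmds


def audit_aaa(text):
    """Return a list of findings; empty means every AAA-authenticated line
    also has an exec authorization list, so 'username ... privilege N' is
    enforced instead of every login landing at the line's default level."""
    global_cmds, line_cmds = parse_config(text)
    if "aaa new-model" not in global_cmds:
        # Non-AAA mode: 'login local' consults the username table directly,
        # privilege level included, so there is nothing to check here.
        return []
    # Method list names are compared exactly as written (assumption).
    login_lists = {c.split()[3] for c in global_cmds
                   if c.startswith("aaa authentication login ")}
    exec_lists = {c.split()[3] for c in global_cmds
                  if c.startswith("aaa authorization exec ")}
    findings = []
    for name, cmds in line_cmds.items():
        login = [c.split()[2] for c in cmds if c.startswith("login authentication ")]
        authz = [c.split()[2] for c in cmds if c.startswith("authorization exec ")]
        for lst in login:
            if lst not in login_lists:
                findings.append(f"line {name}: login authentication list '{lst}' is not defined")
        for lst in authz:
            if lst not in exec_lists:
                findings.append(f"line {name}: authorization exec list '{lst}' is not defined")
        # A 'default' exec list applies to lines with no explicit list.
        if login and not authz and "default" not in exec_lists:
            findings.append(f"line {name}: authenticates via AAA but applies no "
                            "'authorization exec' list; username privilege levels are not enforced")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", AAA_BEFORE), ("after", AAA_AFTER)):
        print(label, audit_aaa(cfg) or ["OK"])
```

Run as a script it reports two findings for the configuration as posted (console and vty) and none once the exec list is applied. One caveat the check does not cover: on the console specifically, IOS also needs the global "aaa authorization console" before line-level authorization takes effect, so a clean audit result on "line con 0" is only meaningful together with that command.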
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Schulz, Dave
Sent: Wednesday, October 12, 2005 13:24
To: ccielab@groupstudy.com
Subject: AAA vs. Non-AAA privileges
This is an extension of further research on the privilege commands....
It appears that non-AAA commands work great and as expected with the
following. However, the AAA commands do not work with privileges the
way I would expect. Thanks, Ian, for your insights. Here are the two
scenarios. Any thoughts on the aaa.... bug? Or does it work as expected?
NON-AAA Configuration..... (access to console and vty recognizes privileges)
!
hostname R2
!
username level15 privilege 15 password 0 level15
username level7 privilege 7 password 0 level7
!
interface Serial0
 ip address 192.168.1.2 255.255.255.0
!
line con 0
 login local
line aux 0
line vty 0 4
 login local
!
end
AAA Configuration.... (access to console goes directly to privilege level 15, no matter what. Vty comes up with an error indicating "error in authentication")
!
hostname R2
!
aaa new-model
aaa authentication login con local
!
username level15 privilege 15 password 0 level15
username level7 privilege 7 password 0 level7
!
interface Serial0
 ip address 192.168.1.2 255.255.255.0
!
line con 0
 login authentication con
line aux 0
line vty 0 4
 login authentication con
!
end
Dave Schulz,
Email: dschulz@dpsciences.com
This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:50 GMT-3