RE: AAA vs. Non-AAA privileges

From: Schulz, Dave (DSchulz@dpsciences.com)
Date: Wed Oct 12 2005 - 10:52:09 GMT-3


Kulcsar -

Thanks! That was the ticket! It's working as expected... the interesting thing about this is that the "console" command is a hidden command on my load, not viewable with the ?. This leaves me to wonder why there wouldn't be a similar config for the vty, as it appears to work without this modification. Interesting!

Dave Schulz,
Email: dschulz@dpsciences.com
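As an added example (not part of this thread or any of the posters' configs), a small Python audit that parses an IOS-style config like the ones quoted below and flags the two gaps the thread turned up: a con/vty line under "aaa new-model" with no exec authorization list (username privilege levels are ignored), and a console line whose "authorization exec" is never enforced because "aaa authorization console" is absent. The sample config is constructed from Dave's second posting, before the console command was added.

```python
# Constructed sample: the second AAA config from the thread, minus the
# interface and aux lines, before "aaa authorization console" was added.
SAMPLE_CONFIG = """\
hostname R2
aaa new-model
aaa authentication login con local
aaa authorization exec con local
username level15 privilege 15 password 0 level15
username level7 privilege 7 password 0 level7
line con 0
 authorization exec con
 login authentication con
line vty 0 4
 authorization exec con
 login authentication con
end
"""

def parse_line_sections(config: str) -> dict[str, list[str]]:
    """Map each 'line ...' header to its indented sub-commands."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # any other global command ends the section
    return sections

def audit_aaa_privileges(config: str) -> list[str]:
    """Findings for con/vty lines where exec privilege will not follow the username's level."""
    findings: list[str] = []
    global_cmds = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    if "aaa new-model" not in global_cmds:
        return findings  # non-AAA 'login local' applies the username privilege directly
    exec_lists = {c.split()[3] for c in global_cmds if c.startswith("aaa authorization exec ")}
    console_ok = "aaa authorization console" in global_cmds
    for name, cmds in parse_line_sections(config).items():
        if not name.startswith(("line con", "line vty")):
            continue
        applied = next((c.split()[2] for c in cmds if c.startswith("authorization exec ")), None)
        if applied is None and "default" not in exec_lists:
            findings.append(f"{name}: no exec authorization list, username privilege level ignored")
        elif name.startswith("line con") and not console_ok:
            findings.append(f"{name}: 'aaa authorization console' missing, console authorization not enforced")
    return findings
```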

-----Original Message-----
From: Kulcsar Andras Benjamin [mailto:Kulcsar.Andras@lnx.hu]
Sent: Wednesday, October 12, 2005 9:17 AM
To: Schulz, Dave; ccielab@groupstudy.com
Subject: RE: AAA vs. Non-AAA privileges

Hi Dave,
Try the "aaa authorization console" command.

Regards,
Andras Kulcsar

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Schulz, Dave
Sent: Wednesday, October 12, 2005 3:10 PM
To: Gustavo Novais; ccielab@groupstudy.com
Subject: RE: AAA vs. Non-AAA privileges

Thanks, Gustavo. I appreciate the suggestions. I tried it and this fixes the issues on vty ports, but the console still allows access to level 15 with a level 7 password. Here is the new config:

hostname R2
!
aaa new-model
aaa authentication login con local
aaa authorization exec con local
!
username level15 privilege 15 password 0 level15
username level7 privilege 7 password 0 level7
!
interface Serial0
 ip address 192.168.1.2 255.255.255.0
!
privilege exec level 7 show
!
line con 0
 authorization exec con
 login authentication con
line aux 0
line vty 0 4
 authorization exec con
 login authentication con
!
end

Dave Schulz,
Email: dschulz@dpsciences.com

-----Original Message-----
From: Gustavo Novais [mailto:gustavo.novais@novabase.pt]
Sent: Wednesday, October 12, 2005 8:46 AM
To: Schulz, Dave; ccielab@groupstudy.com
Subject: RE: AAA vs. Non-AAA privileges

Hi

Just one suggestion...
Authentication is access to the router (granted|denied). Authorization is what you can do. Fits very well on what will be the privilege level that a user may have. Have you tried forcing the router at looking at authorization level? You seem to be only looking at authentication...

aaa authorization exec CON local
line con 0
 authorization exec CON

Beware locking yourself out of the router!!

I don't have any router now for testing, but it seems to me that this may be the answer you are seeking.

HTH
Gustavo

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Schulz, Dave
Sent: Wednesday, October 12, 2005 13:24
To: ccielab@groupstudy.com
Subject: AAA vs. Non-AAA privileges

This is an extension of further research on the privilege commands.... It appears that non-aaa commands work great and as expected with the following. However, the aaa commands do not work with privileges the way I would expect. Thanks, Ian, for your insights. Here are the two scenarios. Any thoughts on the aaa....bug? or, work as expected?

NON-AAA Configuration.....(access to console and vty recognizes privileges)

!
hostname R2
!
username level15 privilege 15 password 0 level15
username level7 privilege 7 password 0 level7
!
interface Serial0
 ip address 192.168.1.2 255.255.255.0
!
line con 0
 login local
line aux 0
line vty 0 4
 login local
!
end

AAA Configuration.... (access to console goes directly to priv15 level, no matter what. Vty comes up with an error indicating "error in authentication")
!
hostname R2
!
aaa new-model
aaa authentication login con local
!
username level15 privilege 15 password 0 level15
username level7 privilege 7 password 0 level7
!
interface Serial0
 ip address 192.168.1.2 255.255.255.0
!
line con 0
 login authentication con
line aux 0
line vty 0 4
 login authentication con
!
end

Dave Schulz,
Email: dschulz@dpsciences.com



This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:50 GMT-3