From: De Witt, Duane (duane.dewitt@siemens.com)
Date: Wed Oct 12 2005 - 15:23:13 GMT-3
My guess is that it is hidden to prevent you from accidentally locking yourself out of your console? If you specify radius without local or none and the server is not available, would you still be able to get in?
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Schulz, Dave
Sent: 12 October 2005 03:52 PM
To: Kulcsar Andras Benjamin
Cc: ccielab@groupstudy.com
Subject: RE: AAA vs. Non-AAA privileges
Kulcsar -
Thanks! That was the ticket! It's working as expected... the interesting thing about this is that the "console" command is a hidden command on my load, not viewable with the ?. This leads me to wonder why there wouldn't be a similar config for the vty, as it appears to work without this modification. Interesting!
Dave Schulz,
Email: dschulz@dpsciences.com
-----Original Message-----
From: Kulcsar Andras Benjamin [mailto:Kulcsar.Andras@lnx.hu]
Sent: Wednesday, October 12, 2005 9:17 AM
To: Schulz, Dave; ccielab@groupstudy.com
Subject: RE: AAA vs. Non-AAA privileges
Hi Dave,
Try the "aaa authorization console" command.
Regards,
Andras Kulcsar
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Schulz, Dave
Sent: Wednesday, October 12, 2005 3:10 PM
To: Gustavo Novais; ccielab@groupstudy.com
Subject: RE: AAA vs. Non-AAA privileges
Thanks, Gustavo. I appreciate the suggestions. I tried it and this fixes the issues on vty ports, but the console still allows access to level 15 with a level 7 password. Here is the new config:
hostname R2
!
aaa new-model
aaa authentication login con local
aaa authorization exec con local
!
username level15 privilege 15 password 0 level15
username level7 privilege 7 password 0 level7
!
interface Serial0
ip address 192.168.1.2 255.255.255.0
!
privilege exec level 7 show
!
line con 0
authorization exec con
login authentication con
line aux 0
line vty 0 4
authorization exec con
login authentication con
!
end
Dave Schulz,
Email: dschulz@dpsciences.com
-----Original Message-----
From: Gustavo Novais [mailto:gustavo.novais@novabase.pt]
Sent: Wednesday, October 12, 2005 8:46 AM
To: Schulz, Dave; ccielab@groupstudy.com
Subject: RE: AAA vs. Non-AAA privileges
Hi
Just one suggestion...
Authentication is access to the router (granted|denied). Authorization is what you can do. It fits very well with what the privilege level of a user will be. Have you tried forcing the router to look at the authorization level? You seem to be only looking at authentication...
aaa authorization exec CON local
line con 0
 authorization exec CON
Beware of locking yourself out of the router!!
I don't have any router now for testing, but it seems to me that this may be the answer you are seeking.
HTH
Gustavo
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Schulz, Dave
Sent: Wednesday, 12 October 2005 13:24
To: ccielab@groupstudy.com
Subject: AAA vs. Non-AAA privileges
This is an extension of further research on the privilege commands.... It appears that the non-aaa commands work great and as expected with the following. However, the aaa commands do not work with privileges the way I would expect. Thanks, Ian, for your insights. Here are the two scenarios. Any thoughts on the aaa.... bug? Or, works as expected?
NON-AAA Configuration..... (access to console and vty recognizes privileges)
!
hostname R2
!
username level15 privilege 15 password 0 level15
username level7 privilege 7 password 0 level7
!
!
interface Serial0
ip address 192.168.1.2 255.255.255.0
!
!
line con 0
login local
line aux 0
line vty 0 4
login local
!
end
AAA Configuration.... (access to console goes directly to priv15 level, no matter what. Vty comes up with an error indicating "error in authentication")
!
hostname R2
!
aaa new-model
aaa authentication login con local
!
username level15 privilege 15 password 0 level15
username level7 privilege 7 password 0 level7
!
!
interface Serial0
ip address 192.168.1.2 255.255.255.0
!
!
line con 0
login authentication con
line aux 0
line vty 0 4
login authentication con
!
end
Dave Schulz,
Email: dschulz@dpsciences.com
This archive was generated by hypermail 2.1.4 : Sun Nov 06 2005 - 22:00:50 GMT-3
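Putting the thread's pieces together, as an added example that is not part of any of the posts above: a complete R2 configuration in which login authentication, exec authorization and "aaa authorization console" are all applied, so that the level7 user lands at privilege 7 on the console as well as on the vty lines. Everything except the enable secret is taken from the configs and replies in the thread; the enable secret (and its value) is an assumption added so that "enable" from level 7 has a password to check against.

```cisco
! Added example: combined fix for privilege-level enforcement under aaa new-model.
! Assembled from the configs in this thread; the enable secret is an assumption.
hostname R2
!
aaa new-model
!
! Login authentication and exec authorization, both against the local user database.
! The method list name ("con") comes after the method type, not before it.
aaa authentication login con local
aaa authorization exec con local
!
! Without this line IOS does not run authorization on the console line at all,
! even with "authorization exec con" applied under "line con 0", so every console
! login drops into privilege 15. The command is hidden from "?" on some images.
aaa authorization console
!
! Assumed: an enable secret, so a level-7 user's "enable" has something to check.
enable secret level15enable
!
username level15 privilege 15 password 0 level15
username level7 privilege 7 password 0 level7
!
interface Serial0
 ip address 192.168.1.2 255.255.255.0
!
! Move "show" down to level 7 so the restricted user can still run it.
privilege exec level 7 show
!
line con 0
 login authentication con
 authorization exec con
line aux 0
line vty 0 4
 login authentication con
 authorization exec con
!
end
```

After logging in as level7 on the console, "show privilege" should report level 7, and "aaa authorization console" shows up in "show running-config" even on images where "?" does not list it. Duane's caveat applies: with a "local" method the console cannot be locked out by this change, but if the list names only a RADIUS or TACACS+ server with no "local" or "none" fallback, an unreachable server leaves the console with no way in.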