From: ccietester55 ccietester55 (ccietester55@gmail.com)
Date: Tue Nov 04 2008 - 02:16:47 ARST
Hi all.
I've been studying the use of AAA authorization. I'm having trouble
understanding the need for the "aaa authorization command" command. I
have configured the following on a router:

    aaa new-model
    aaa authorization exec default local
    username admin privilege 15 password admin
    username helpdesk privilege 1 password helpdesk
    privilege exec level 1 configure terminal
    privilege exec level 8 reload

This configuration allows the router to recognise the user's assigned
privilege level when they log in. It also allows the "helpdesk" user to
run "configure terminal" due to the command being moved to level 1.
The "helpdesk" user cannot run the "reload" command because it is a
level 8 command and the "helpdesk" user is only level 1.
So what additional functionality is enabled by adding "aaa
authorization commands" to this configuration? Some of the
explanations I have seen for the command say it turns on
authentication for commands at a particular level, but this doesn't
seem to be right because when I make these config changes:

    no aaa authorization exec default local
    aaa authorization commands 9 default local

there is no change to the router behaviour. The "helpdesk" user still
cannot use the "reload" command even though it is a level 8 command
and I have configured authorization for level 9 and above commands.
This is driving me nuts. Please help me understand.
This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:29 ARST