Re: Exec authorization versus command authorization?

From: John (jgarrison1@austin.rr.com)
Date: Tue Nov 04 2008 - 02:47:15 ARST


I could be off, but all you're using aaa for is to use the local database for
authorization, instead of using a TACACS or RADIUS server. There might be
a perfectly logical reason to configure it like that, but I can't see it.
To me you could delete the aaa configuration and use login local on vty x
y, since you've defined priv levels with the other commands.
----- Original Message -----
From: "ccietester55 ccietester55" <ccietester55@gmail.com>
To: <ccielab@groupstudy.com>
Sent: Monday, November 03, 2008 10:16 PM
Subject: Exec authorization versus command authorization?

> Hi all.
>
> I've been studying the use of AAA authorization. I'm having trouble
> understanding the need for the "aaa authorization command" command. I
> have configured the following on a router:
> aaa new-model
> aaa authorization exec default local
> username admin privilege 15 password admin
> username helpdesk privilege 1 password helpdesk
> privilege exec level 1 configure terminal
> privilege exec level 8 reload
>
> This configuration allows the router to recognise the user's assigned
> privilege level when they log in. It also allows the "helpdesk" user to
> run "configure terminal" due to the command being moved to level 1.
> The "helpdesk" user cannot run the "reload" command because it is a
> level 8 command and the "helpdesk" user is only level 1.
>
> So what additional functionality is enabled by adding "aaa
> authorization commands" to this configuration? Some of the
> explanations I have seen for the command say it turns on
> authentication for commands at a particular level, but this doesn't
> seem to be right because when I make these config changes:
> no aaa authorization exec default local
> aaa authorization commands 9 default local
>
> there is no change to the router behaviour. The "helpdesk" user still
> cannot use the "reload" command even though it is a level 8 command
> and I have configured authorization for level 9 and above commands.
>
>
> This is driving me nuts. Please help me understand.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
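For readers following the thread, here is an added illustration (not from either poster) of the two mechanisms the question is about: the privilege-level gate that the original configuration already provides, and what "aaa authorization commands" adds on top of it. The server group name, server name, address and key are placeholders; the username secrets are placeholders as well.

```cisco
! Added example, not part of the thread. Privilege-level gating versus
! per-command authorization on Cisco IOS. TAC-GROUP, TAC1, 192.0.2.10 and
! the key/secret values are placeholders.
aaa new-model
!
! --- Part 1: what the original post configures.
! Exec authorization against the local database assigns each user the
! privilege level from its "username" line; the "privilege exec level"
! commands decide at which level each command lives. That level check is
! all that stops "helpdesk" (level 1) from running "reload" (level 8).
! ("secret" is used instead of "password" so the hash is not reversible.)
username admin privilege 15 secret <admin-secret-placeholder>
username helpdesk privilege 1 secret <helpdesk-secret-placeholder>
privilege exec level 1 configure terminal
privilege exec level 8 reload
aaa authentication login default local
aaa authorization exec default local
!
! --- Part 2: where "aaa authorization commands" adds functionality.
! The level check from Part 1 still runs first. Command authorization then
! asks the method list about each individual command typed at the listed
! privilege level (the level argument is one level, not "and above", so
! "commands 8" is what covers "reload" here). The local database carries no
! per-command policy, so a list whose only method is "local" permits every
! command the level check already let through, and nothing visibly changes.
! A TACACS+ server, by contrast, can permit or deny single commands per
! user, e.g. allow "show running-config" but deny "reload" for helpdesk
! even if both were reachable at that user's level.
aaa group server tacacs+ TAC-GROUP
 server name TAC1
!
tacacs server TAC1
 address ipv4 192.0.2.10
 key <shared-key-placeholder>
!
! "local" is kept as a fallback so the device stays manageable if the
! TACACS+ server is unreachable.
aaa authorization commands 1 default group TAC-GROUP local
aaa authorization commands 8 default group TAC-GROUP local
aaa authorization commands 15 default group TAC-GROUP local
aaa authorization config-commands
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 1 default
 authorization commands 8 default
 authorization commands 15 default
```

Part 1 alone reproduces the behaviour described in the question; Part 2 is the configuration under which the "commands" keyword actually changes what a user can run, because the method list can then return a per-command deny. A quick check after applying it is to log in as helpdesk, run a permitted show command, then a command the server policy denies, and confirm the TACACS+ accounting or authorization log records the deny.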




This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:29 ARST