Re: Exec authorization versus command authorization?

From: Pavel Bykov (slidersv@gmail.com)
Date: Wed Nov 05 2008 - 14:03:27 ARST


You asked for differences, so the one off the top of my head is that normally
you need to type "password" and "login" on your lines, and set up enable
authentication.
Using aaa new-model and the "default" scheme, it is applied everywhere
automatically. So if you'd use authentication, it would be applied even
without any commands on vty, aux or con.

On Tue, Nov 4, 2008 at 5:16 AM, ccietester55 ccietester55 <
ccietester55@gmail.com> wrote:

> Hi all.
>
> I've been studying the use of AAA authorization. I'm having trouble
> understanding the need for the "aaa authorization command" command. I
> have configured the following on a router:
> aaa new-model
> aaa authorization exec default local
> username admin privilege 15 password admin
> username helpdesk privilege 1 password helpdesk
> privilege exec level 1 configure terminal
> privilege exec level 8 reload
>
> This configuration allows the router to recognise the user's assigned
> privilege level when they login. It also allows the "helpdesk" user to
> run "configure terminal" due to the command being moved to level 1.
> The "helpdesk" user cannot run the "reload" command because it is a
> level 8 command and the "helpdesk" user is only level 1.
>
> So what additional functionality is enabled by adding "aaa
> authorization commands" to this configuration? Some of the
> explanations I have seen for the command say it turns on
> authentication for commands at a particular level, but this doesn't
> seem to be right because when I make these config changes:
> no aaa authorization exec default local
> aaa authorization commands 9 default local
>
> there is no change to the router behaviour. The "helpdesk" user still
> cannot use the "reload" command even though it is a level 8 command
> and I have configured authorization for level 9 and above commands.
>
>
> This is driving me nuts. Please help me understand.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Pavel Bykov
-------------------------------------------------
Stop the braindumps!
http://www.stopbraindumps.com/

This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:29 ARST