Hi,
Because doing local command authorization (ASA, IOS, Nexus, etc.) is not
scalable, I highly recommend going with an external TACACS server; if you
can't afford buying Cisco's ACS solution, there are free TACACS servers
available that run on Linux.
The way local command authorization works is totally different from how
remote (TACACS) authorization works; with remote you get all users into
privilege level 15 and, for each typed command, IOS asks the TACACS
server if that user is allowed to use that command. With local
authorization, you need to assign users non-default privilege levels,
like 2-14 (although you can use 0 and 1, it is NOT recommended), and
change the default privilege level of the commands; for example, if you
want user X to have access to configuring RIP, and user X is assigned
privilege level 8, you need to move the RIP commands from the default
privilege level 15 to level 8. There is another option (which is better)
with local command authorization (not available on ASA, for example), which
is RBAC, or, as it's known, configuring "views"; with this you basically
move away from the privilege-level stuff: you take a set of commands, map
it to a view and make sure that when the user logs in it is assigned that
view, which means it has access to ONLY the commands from the "view"; you can
also do view nesting.
However, this is not scalable and the management overhead is huge; you
quickly find out that buying Cisco ACS is not expensive at all.
Regards,
Cristian Matei, 2 x CCIE #23684 (R&S/SC)
cmatei_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com
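The two local approaches described above, applied to the scenario in the original question (user X may run "show running-config", user Y may run only "show startup-config"), as an added IOS configuration example. This is not configuration from the thread or from INE; the usernames, view names and secrets are placeholders, and exact keyword availability depends on the IOS release.

```cisco
! Added example, not from the original thread. Placeholder names/secrets.
aaa new-model
aaa authentication login default local
! exec authorization is what applies a privilege level or view at login
aaa authorization exec default local
! commands authorization makes IOS check each typed command at these levels
aaa authorization commands 8 default local
aaa authorization commands 9 default local

! ---- Option 1: privilege levels (what the original poster started with) ----
! Moving a command to a level also exposes its parent keyword ("show") there.
privilege exec level 8 show running-config
privilege exec level 9 show startup-config
username X privilege 8 secret Str0ngPassX
username Y privilege 9 secret Str0ngPassY
! Caveat: levels are cumulative. Y at level 9 can run everything at level 8
! too, so Y also gets "show running-config". Privilege levels cannot give
! two users disjoint command sets; that is what views are for.

! ---- Option 2: parser views (RBAC) ----
! Views require aaa new-model and an enable secret; "parser view" is only
! configurable from the root view, entered with "enable view" + enable secret.
enable secret Str0ngEnable
parser view VIEW_RUN
 secret Str0ngViewRun
 commands exec include show running-config
parser view VIEW_START
 secret Str0ngViewStart
 commands exec include show startup-config
! Bind each user to a view; with exec authorization above, login lands in it.
username X view VIEW_RUN secret Str0ngPassX
username Y view VIEW_START secret Str0ngPassY
```

Two checks worth running after applying either option. First, log in as each user and type a command from the other user's set; with views you should get a parser error, whereas with privilege levels Y will succeed in running "show running-config". Second, note that in both models "show running-config" is filtered: a user below level 15, or inside a view, sees only the configuration lines their level or view permits them to configure, so the output can be nearly empty even though the command itself was authorized. If X is meant to read the whole configuration, the privilege level or view needs the corresponding configuration commands included too, which is one more reason the reply above points to TACACS for anything beyond a handful of users.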
On 24/03/14 15:04, "Marish Shah" <contactmarish_at_gmail.com> wrote:
>Hi Experts,
>
>I'm working on AAA and having problems with it and looking for your kind
>response to clarify it.
>
>My question is related to authorization using the local database. As per my
>understanding (correct me if I'm wrong), we use authorization
>to allow specific commands for users or privilege levels. So if I
>want user X to be able to execute sh run and user Y to be able
>to execute only the sh start-up command, how can I configure this using the
>local database?
>
>Below is the configuration I have already done:
>
>aaa new-model
>username X password 1234
>username Y password 1234
>
>aaa authentication login default local
>aaa authorization exec default local
>
>Now how can I associate the usernames with authorization and assign the
>specific commands?
>
>Thanks,
>
>
>Blogs and organic groups at http://www.ccie.net
Received on Mon Mar 24 2014 - 08:16:38 ART