Re: Authorization with local database

From: Marish Shah <contactmarish_at_gmail.com>
Date: Mon, 24 Mar 2014 16:58:19 +0300

Hi Cristian,

Thanks for your prompt response. I do understand that an ACS server is
important and will make life easy, but right now I'm testing it in my
lab only.
Still, I'm in doubt, because if I only use privileges it works properly,
e.g. the configuration below, which I did on my lab router and which is working fine.

username abc privilege 5 password 12345
privilege exec level 5 sh run
line con 0
 privilege level 15

The above configuration applies this setting to all level 5 users.

Now I use AAA. Assume I remove the privilege configuration, and my goal is
to allow the sh run command only for user abc or X:

aaa authentication login con local
aaa authorization exec con local
line console 0
 login authentication con
 authorization exec con

In the above AAA configuration I have enabled authentication and authorization
for exec mode and also applied it on the console.
Now what and where do I have to use authorization commands to allow only sh
run for user abc or X, and how will those commands be associated with the
authorization configuration?

I know there is another way, using views, but right now I'm looking to
do this using only AAA with the local database.

Thanks,

On Mon, Mar 24, 2014 at 4:16 PM, Cristian Matei <cmatei_at_ine.com> wrote:

> Hi,
>
> Because doing local command authorization (ASA, IOS, Nexus, etc.) is not
> scalable, I highly recommend going with an external TACACS server; if you
> can't afford buying Cisco's ACS solution, there are free TACACS servers
> available that run on Linux.
> The way local command authorization works is totally different from how
> remote (TACACS) authorization works; with remote you get all users into
> privilege level 15 and for each typed command, IOS will ask the TACACS
> server if that user is allowed to use that command. With local
> authorization, you need to assign users non-default privilege levels,
> like from 2-14 (although you can use 0 and 1, it is NOT recommended), and
> change the default privilege level of the commands; for example, if you
> want user X to have access to configuring RIP, and user X is assigned
> privilege level 8, you need to move the RIP commands from the default
> privilege level 15 to level 8. There is another option (which is better)
> with local command authorization (not available on the ASA, for example), which
> is RBAC or, as it's known, configuring "views"; with this you basically
> move away from the privilege-level stuff: you take a set of commands, map
> it to a view and make sure that when the user logs in it is assigned that
> view, which means it has access to ONLY commands from the "view"; you can
> also do view nesting.
> However, this is not scalable and the management overhead is huge; you
> quickly find out that buying Cisco ACS is not expensive at all.
>
> Regards,
>
> Cristian Matei, 2 x CCIE #23684 (R&S/SC)
> cmatei_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
>
>
> On 24/03/14 15:04, "Marish Shah" <contactmarish_at_gmail.com> wrote:
>
> >Hi Experts,
> >
> >I'm working on AAA and having problems with it, and I'm looking for your kind
> >response to clarify it.
> >
> >My question is related to authorization using the local database. As per my
> >understanding (correct me if I'm wrong), we use authorization
> >to allow specific commands for users or privilege levels. So if I
> >want user X to be able to execute sh run and user Y to be able
> >to execute only the sh start-up command, how can I configure this using the
> >local database?
> >
> >Below are configuration I have already done
> >
> >aaa new-model
> >username X password 1234
> >username y password 1234
> >
> >aaa authentication login default local
> >aaa authorization exec default local
> >
> >Now how can I associate the usernames with authorization and assign the
> >specific commands?
> >
> >Thanks,
> >
> >
> >Blogs and organic groups at http://www.ccie.net
> >
> >_______________________________________________________________________
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
>
>

-- 
Marish Shah
CCNP, CCSP, JNCIA-ER, JNCIS-ER
Network Engineer , Sahara Net
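A worked configuration for the question in this thread, added here as an example and not taken from any of the messages above. It shows the privilege-level approach (local database only, as asked) and the parser-view approach the reply describes, using the usernames abc, X and Y from the question; all secrets, the view names and the use of secret instead of password are assumptions for illustration.

```ios
! Added example, not configuration posted by anyone in this thread.
! Usernames abc, X and Y come from the question; the secrets and view
! names are assumed.
!
aaa new-model
aaa authentication login default local
! exec authorization is what makes IOS apply the privilege level (or view)
! on the username line at login; without it every local user lands at level 1
aaa authorization exec default local
!
! ---------- Option 1: privilege levels (local database only) ----------
! levels are cumulative: a level-N user gets every command at level <= N,
! so "only sh run for abc, only sh start for Y" needs Y BELOW abc
privilege exec level 3 show startup-config
privilege exec level 5 show running-config
username Y   privilege 3 secret Y-Level3-Secret
username abc privilege 5 secret Abc-Level5-Secret
! abc (level 5): show running-config AND show startup-config (level 3 is included)
! Y   (level 3): show startup-config only
! caveat: "show running-config" run at level 5 prints only the configuration
! lines whose commands are themselves at level 5 or lower, so abc sees a
! partial running-config, not the whole file
!
! ---------- Option 2: parser views (exact "only this command" semantics) ----------
! the root view must be enabled once from privileged EXEC before any view
! can be configured: "enable view" (it prompts for the enable secret)
enable secret Enable-Secret-Here
parser view SHOWRUN
 secret Showrun-View-Secret
 commands exec include show running-config
parser view SHOWSTART
 secret Showstart-View-Secret
 commands exec include show startup-config
! nesting: a superview grants the union of its member views
parser view OPS superview
 secret Ops-Superview-Secret
 view SHOWRUN
 view SHOWSTART
! bind each user to a view; with exec authorization the user lands in that
! view at login and can run only the commands the view includes
username X   view SHOWRUN   secret X-View-Secret
username Y   view SHOWSTART secret Y-View-Secret
username ops view OPS       secret Ops-User-Secret
```

Neither option needs an aaa authorization commands line: with the local database the parser enforces privilege levels and views on its own, and per-command authorization method lists only matter when the decision is delegated to a TACACS+ server, as the reply above describes. The named method lists (con) in the post work the same way as the default lists shown here. To check the result, log in as each user and run show privilege (option 1) or show parser view (option 2) before trying the show commands.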
Received on Mon Mar 24 2014 - 16:58:19 ART

This archive was generated by hypermail 2.2.0 : Thu Apr 03 2014 - 17:12:31 ART