Hi,
So now, except your below config, you need to locally configure a user/pass,
assign it a privilege-level and take those commands you need it to have access
to down from priv-level 15 to its assigned privilege level. For example:
aaa authentication login con local
aaa authorization exec con local
line console 0
login authentication con
authorization exec con
!
username cisco privilege 11 password cisco
!
privilege exec level 11 debug eigrp packets
Now, when you authenticate with user cisco, it will be allowed to use the
debug command for eigrp.
Regards,
Cristian Matei, 2 x CCIE #23684 (R&S/SC)
cmatei_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com
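As an added illustration (not code from the thread or from INE), here is a small Python model of the privilege-level mechanism described above: each user is assigned a level, "privilege exec level N ..." lowers a command to level N, and a user may run everything at or below his level. It assumes, as a simplification, that any command not explicitly lowered stays at level 15, and it shows the caveat that levels are cumulative: a level-6 user also inherits the level-5 command, which is why per-user command sets need views rather than privilege levels.

```python
import re

MAX_LEVEL = 15  # commands not explicitly lowered stay at 15 (simplification)

def parse_config(text):
    """Collect user privilege levels and lowered command levels from IOS-style lines."""
    users, cmds = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"username (\S+)(?: privilege (\d+))? ", line)
        if m:                       # users without a privilege keyword sit at level 1
            users[m.group(1)] = int(m.group(2) or 1)
            continue
        m = re.match(r"privilege exec level (\d+) (.+)", line)
        if m:
            cmds[m.group(2).strip()] = int(m.group(1))
    return users, cmds

def can_run(user, command, users, cmds):
    """Levels are cumulative: a user may run every command at or below his level."""
    return users.get(user, 1) >= cmds.get(command, MAX_LEVEL)

def allowed_commands(user, users, cmds):
    """All explicitly lowered commands this user is permitted to execute."""
    return sorted(c for c in cmds if can_run(user, c, users, cmds))

# Constructed config for the thread's scenario: X is meant to get only
# show running-config and Y only show startup-config.
CONFIG = """
aaa new-model
aaa authentication login con local
aaa authorization exec con local
username X privilege 5 password 1234
username Y privilege 6 password 1234
privilege exec level 5 show running-config
privilege exec level 6 show startup-config
line console 0
 login authentication con
 authorization exec con
"""

if __name__ == "__main__":
    users, cmds = parse_config(CONFIG)
    for u in ("X", "Y"):
        print(u, allowed_commands(u, users, cmds))
    # Y (level 6) also inherits X's level-5 command; that is what views avoid.
```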
From: Marish Shah <contactmarish_at_gmail.com>
Date: Monday 24 March 2014 15:58
To: Cristian Matei <cmatei_at_ine.com>
Cc: Cisco certification <ccielab_at_groupstudy.com>
Subject: Re: Authorization with local database
Hi Cristian,
Thanks for your prompt response. I do understand that an ACS server is
important and will make life easy, but right now I'm testing it in my lab
only.
Still I'm in doubt, because if I only use privileges it works properly, e.g.
the below configuration I did in my lab router, which is working fine.
username abc privilege 5 password 12345
privilege exec level 5 sh run
line con 0
privilege level 15
The above configuration is applying this setting on all level 5 users.
Now I use aaa and assume I remove the privilege configuration, and my goal is
to allow the sh run command only for user abc or X:
aaa authentication login con local
aaa authorization exec con local
line console 0
login authentication con
authorization exec con
In the above aaa configuration I have enabled authentication and authorization
for exec mode and also applied it on the console.
Now, what and where do I have to use authorization commands to allow only sh
run for user abc or X, and how will those commands be associated with the
authorization configuration?
I know there is another way also, by using views, but right now I'm looking to
do this by using only aaa with the local database.
Thanks,
On Mon, Mar 24, 2014 at 4:16 PM, Cristian Matei <cmatei_at_ine.com> wrote:
Hi,
Because doing local command authorization (ASA, IOS, Nexus, etc.) is not
scalable, I highly recommend going with an external TACACS server; if you
can't afford buying Cisco's ACS solution, there are freely available TACACS
servers running on Linux.
The way local command authorization works is totally different from how
remote (TACACS) authorization works; with remote you get all users into
privilege-level 15 and for each typed command, IOS will ask the TACACS
server if that user is allowed to use that command. With local
authorization, you need to assign users non-default privilege-levels,
like from 2-14 (although you can use 0 and 1, it is NOT recommended) and
change the default privilege-level of the commands; for example, if you
want user X to have access to configuring RIP, and user X will be assigned
privilege-level 8, you need to put the RIP commands from default
privilege-level 15 to level 8. There is another option (which is better)
with local command authorization (not available on ASA, for example), which
is RBAC or, as it's known, configuring "views"; with this you basically
move away from the privilege-level stuff, you take a set of commands, map
it to a view and make sure that when the user logs in it is assigned that
view, which means it has access to ONLY commands from the "view"; you can
also do view nesting.
However, this is not scalable and the management overhead is huge; you
quickly find out that buying Cisco ACS is not expensive at all.
Regards,
Cristian Matei, 2 x CCIE #23684 (R&S/SC)
cmatei_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com
On 24/03/14 15:04, "Marish Shah" <contactmarish_at_gmail.com> wrote:
>Hi Experts,
>
>I'm working on AAA and having problems with it, and I'm looking for your kind
>response to clarify it.
>
>My question is related to authorization by using the local database. As per my
>understanding (correct me if I'm wrong), we use authorization
>to allow specific commands for users or privilege levels. So if I
>want
>user X to be able to execute sh run and user Y to be able
>to execute only the sh start-up command, how can I configure this by using the
>local
>database?
>
>Below is the configuration I have already done:
>
>aaa new-model
>Username X password 1234
>Username y password 1234
>
>aaa authentication login default local
>aaa authorization exec default local
>
>Now how can I associate the usernames with authorization and assign the
>specific commands?
>
>Thanks,
>
>
>Blogs and organic groups at http://www.ccie.net
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
Received on Tue Mar 25 2014 - 07:46:06 ART