Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
499
Views
0
Helpful
1
Replies

how to prevent local aaa users to login

ccs_jet_user
Level 1
Level 1

‎02-27-2008 04:01 AM - edited ‎03-10-2019 03:41 PM

Hi!

Please could you help me with my question:

My Cisco router R1 aaa configuration:

username user1 privilege 15 password user1

username user2 password user2

aaa authentication login default local

aaa authorization exec default local

aaa authentication ppp PPP_MODEM local

aaa authorization network PPP_MODEM local

So, I want to:

allow user1 to have full terminal access to R1

deny user2 to have any terminal access to R1 but allow user2 to connect to R1 via PPP.

I can configure privilege 0 to user2, but user2 will be able to access R1 terminal lines!

How can I prevent user2 to have management access to R1 using only local AAA services?

Labels:
0 Helpful
1 Reply 1

jsivulka
Level 5
Level 5

‎03-04-2008 10:04 AM

It is set to No Privilege by default. Set this to use group level settings. You also have to configure the enable password for the user

Here is a copy of my AAA settings:

!

aaa new-model

aaa authentication login default tacacs+ enable

aaa authentication login no_tacacs enable

aaa authentication enable default tacacs+ enable none

aaa authorization exec default tacacs+ if-authenticated

aaa authorization commands 7 default tacacs+ local

aaa authorization commands 15 default tacacs+ local

aaa accounting exec default start-stop tacacs+

!

The method no_tacacs is used for the console to prevent admin-lockouts. Doing a debug aaa authen & author was quite helpful in getting this to work.

0 Helpful
Customers Also Viewed These Support Documents