Privilege not working!!

Apr 18th, 2008

Hi,


I am testing the privilege command on my router and have created different user accounts with different privilege levels but when logging in using any of these users they all give me privilege 15 unexpectedly!!


For example, when logging in with a user of privilege 3, going to the enable mode and issuing the command "show priv" gives me privilege 15!


Can you please have a look at my config and advise on this!


version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec notest none
!
aaa session-id common
!
resource policy
!
ip subnet-zero
username cisco privilege 15 secret xxx
username user
username manager privilege 3 password 0 manager
!
!
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 10.2.2.254 255.255.255.0
 ip accounting output-packets
 ip accounting precedence input
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.1.254 255.255.255.0
 duplex auto
 speed auto
!
router rip
 version 2
 network 10.0.0.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.2.2.5
!
ip http server
ip http access-class 23
privilege interface level 3 shutdown
privilege interface level 3 ip address
privilege interface level 3 ip
privilege configure level 3 interface
privilege exec level 1 clock
privilege exec level 3 configure terminal
privilege exec level 3 configure
!
line con 0
 login authentication test
 transport output none
line aux 0
 transport output none
line vty 0 3
 privilege level 15
 transport input telnet ssh
 transport output none
line vty 4
 privilege level 15
 rotary 45
 transport input telnet ssh
 transport output none
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input none
 transport output none
!
scheduler allocate 20000 1000
ntp authentication-key 1 md5 xxx
ntp master 2
ntp update-calendar
!
end


R/ Haitham

mohammedmahmoud Fri, 04/18/2008 - 23:49

Hi Haitham,


The issue here is that by issuing the enable command you forced the router to move to level 15. The enable command is used to move between levels ("enable x"), with a default value of 15, and this is what happened in your case; do "show privilege" without doing enable.


[edit] Another thing that I've noticed here is that your authorization commands are not complete; for your level 3 users to be able to do what they are eligible to do via the privilege command, you generally need to add the following lines:


aaa authorization config-commands
aaa authorization exec default local
aaa authorization commands 0 default local
aaa authorization commands 1 default local
aaa authorization commands 15 default local



BR,

Mohammed Mahmoud.

haithamnofal Sat, 04/19/2008 - 01:43

Hi Mohammed,


I applied what you suggested but I am still having the same issue here!


When a user first authenticates, he will be in an unprivileged mode with priv 1; now, in order to move to a privileged mode, he should input the "enable" command! So there is no way except for entering the enable command.


Please find attached the updated config. I would really appreciate your input here.


R/ Haitham



mohammedmahmoud Sat, 04/19/2008 - 02:14

Haitham,


When you do "enable" then, as I told you in my initial post, this will force the user to go to level 15 and you'll lose any authorization configured.


Are you testing using telnet or console, are you using telnet or SSH, and which IOS version? I ask so that I am aware of the complete scenario.


Below is a simple lab, with the intended results:


On R6

=====


aaa new-model
!
!
aaa authentication login default local
aaa authorization config-commands
aaa authorization exec default local
aaa authorization commands 0 default local
aaa authorization commands 1 default local
aaa authorization commands 3 default local
aaa authorization commands 15 default local
!
aaa session-id common

username m password 0 m
username mmm privilege 3 password 0 mmm

privilege interface level 3 ip address
privilege interface level 3 ip
privilege configure level 3 interface
privilege exec level 3 configure terminal
privilege exec level 3 configure

line con 0
line aux 0
line vty 0 4
 privilege level 15 <-- Just to illustrate that it won't affect the Authorization
 password cisco



From R5

=======


R5#192.168.56.6
Trying 192.168.56.6 ... Open

User Access Verification

Username: mmm
Password:

R6#sh priv
R6#sh privilege
Current privilege level is 3
R6#


BR,

Mohammed Mahmoud.

haithamnofal Sun, 04/20/2008 - 12:35

Hi Mohammed,


I tried the sample config which you provided and it worked just fine as long as I am still in the unprivileged mode.


But in order to apply any of the commands whose use we restricted with the "privilege" command, we have to log in to the enabled mode, which takes the user to priv 15, and then he will have unrestricted access!


What I would like to accomplish is to define user roles with specific access privileges, such as the ability to run show commands only, or the ability to run specific config commands such as routing configs or ACLs, etc., even though the user is logged into config mode! How is this possible using local authorization?


R/ Haitham

mohammedmahmoud Mon, 04/21/2008 - 00:12

Hi Haitham,


Please post your configuration. Below is the output of my R6 (with the above sample configuration) with the intended results (only level 1 commands plus the extra commands added via the privilege command); there seems to be a problem on your router:


RackTS>r6
Trying R6 (192.168.1.70, 2038)... Open

User Access Verification

Username: mmm
Password:

R6#sh priv
R6#sh privilege
Current privilege level is 3
R6#?
Exec commands:
  access-enable    Create a temporary Access-List entry
  access-profile   Apply user-profile to interface
  call             Voice call
  clear            Reset functions
  configure        Enter configuration mode
  connect          Open a terminal connection
  crypto           Encryption related commands.
  disable          Turn off privileged commands
  disconnect       Disconnect an existing network connection
  enable           Turn on privileged commands
  exit             Exit from the EXEC
  help             Description of the interactive help system
  lat              Open a lat connection
  lock             Lock the terminal
  login            Log in as a particular user
  logout           Exit from the EXEC
  modemui          Start a modem-like user interface
  mrinfo           Request neighbor and version information from a multicast router
  mstat            Show statistics after multiple multicast traceroutes
  mtrace           Trace reverse multicast path from destination to source
  name-connection  Name an existing network connection
  pad              Open a X.29 PAD connection
  ping             Send echo messages
  ppp              Start IETF Point-to-Point Protocol (PPP)
  release          Release a resource
  renew            Renew a resource
  resume           Resume an active network connection
  rlogin           Open an rlogin connection
  set              Set system parameter (not config)
  show             Show running system information
  slip             Start Serial-line IP (SLIP)
  ssh              Open a secure shell client connection
  systat           Display information about terminal lines
  tclquit          Quit Tool Command Language shell
  telnet           Open a telnet connection
  terminal         Set terminal line parameters
  tn3270           Open a tn3270 connection
  traceroute       Trace route to destination
  tunnel           Open a tunnel connection
  udptn            Open an udptn connection
  where            List active connections
  x28              Become an X.28 PAD
  x3               Set X.3 parameters on PAD

R6#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R6(config)#?
Configure commands:
  atm        Enable ATM SLM Statistics
  call       Configure Call parameters
  default    Set a command to its defaults
  dss        Configure dss parameters
  end        Exit from configure mode
  exit       Exit from configure mode
  help       Description of the interactive help system
  interface  Select an interface to configure
  no         Negate a command or set its defaults
  oer        Optimized Exit Routing configuration submodes

R6(config)#inter
R6(config)#interface f0/0
R6(config-if)#?
Interface configuration commands:
  default  Set a command to its defaults
  exit     Exit from interface configuration mode
  help     Description of the interactive help system
  ip       Interface Internet Protocol config commands
  no       Negate a command or set its defaults


BR,

Mohammed Mahmoud.


haithamnofal Mon, 04/21/2008 - 03:37

Hi Mohammed,


Please find attached the capture result after logging in with a priv 3 user.


Attached you will also find the config. I am logging in using console.


Again, what I am looking for is to restrict the user's access in config t mode; currently, with the attached config, the user "manager" is able to browse all the config mode commands! I need this user to be able to run specific commands only, such as "shutdown" and "ip address" as interface-specific commands.


Appreciate your help on this.


R/ Haitham



mohammedmahmoud Mon, 04/21/2008 - 03:58

Hi Haitham,


From your output, I can see that it is working fine; the only issue is that I don't understand why you do "enable" after being logged in at priv 3 (as I told you before, this will take you to priv 15 and override any authorization configured). Can you please do "conf t" just after logging in with priv 3 (without doing "enable") and post a "?", and then enter the interface mode and post another "?".


BR,

Mohammed Mahmoud.

haithamnofal Mon, 04/21/2008 - 06:14

Hi Mohammed,


Now I understand that I should not enter the "enable" command, but how is the user able to execute the "enable" command although I am not giving him that permission through my privilege commands configuration!


How can I restrict the user from accessing conf t through the enable mode?


R/ Haitham

Correct Answer
mohammedmahmoud Mon, 04/21/2008 - 06:27

Haitham,


The enable command is a level 0 command and is inherited by all the upper levels by default; as long as you've secured it with a strong enable secret, there are no worries.


Moreover, as I've told you before, you can use "enable x" to move between priv levels (with 15 as the default), and accordingly you need to secure higher-level access from lower levels (if you have many levels), and thus you need to set a secret password for each level using the "enable secret level x <>" command (also with 15 as the default).


BR,

Mohammed Mahmoud.

carl_j_meza Sat, 04/19/2008 - 00:39

Hi Haitham,


Try removing the 'privilege level 15' statements from your vty lines.


-Carl

mohammedmahmoud Sat, 04/19/2008 - 01:35

Hi Carl,


The "privilege level 15" command has no effect with AAA authorization enabled.


BR,

Mohammed Mahmoud.

carl_j_meza Sat, 04/19/2008 - 03:12

Mohammed,


It appears that in this case it is definitely having an effect.


Applied the following..

!
username cisco privilege 4 password 0 cisco
!
aaa new-model
aaa authentication login default local
aaa authorization exec notest none
aaa session-id common
!
line vty 0 4
 privilege level 3
!
line vty 5 15
 privilege level 3
!

connect...
neteng-lab-switch#show priv
Current privilege level is 3

config...
neteng-lab-switch(config)#line vty 0 15
neteng-lab-switch(config-line)#no privilege level

connect...
neteng-lab-switch>show priv
Current privilege level is 1

config...
neteng-lab-switch(config)#aaa authorization exec default local

connect...
neteng-lab-switch#show priv
Current privilege level is 4

mohammedmahmoud Sat, 04/19/2008 - 03:21

Carl,


Exactly, what you labbed is what I've said: it will have no effect as long as you have configured AAA authorization (in your output, after enabling authorization you get priv 4, according to the username command, rather than priv 3 as configured under the VTY).


On the other hand, what Haitham is facing here is that when he accesses the router, he gets in with priv 1, and then he explicitly does "enable", and that is what gets him into priv level 15, not the "privilege level 15" under the VTYs.


BR,

Mohammed Mahmoud.
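To make the rules this thread settles on concrete, here is a small Python model added for illustration; it is not IOS code and not any poster's configuration. It covers the two points argued above: the EXEC level a user lands on after login (Carl's three "show priv" results: line "privilege level", then the default, then the username entry once "aaa authorization exec default local" is on) and what "enable" versus "enable x" does to a level-3 user, with per-level "enable secret level x" entries and local command authorization by level. Usernames, secrets and the command set are constructed for the example.

```python
"""Toy model of the IOS privilege-level rules discussed in this thread.

Added illustration in Python, not IOS code and not any poster's configuration.
It encodes only the behaviour the thread describes: the EXEC level a user lands
on after login, what 'enable' and 'enable <n>' do to that level, and which
commands a local 'aaa authorization commands' check lets through.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DEFAULT_LEVEL = 1
MAX_LEVEL = 15

# Constructed subset of IOS default command levels. 'enable' is a level-0
# command, which is why every level inherits it; config commands default to 15.
DEFAULT_COMMAND_LEVELS = {
    "enable": 0, "disable": 0, "exit": 0, "logout": 0, "help": 0,
    "show privilege": 1, "ping": 1,
    "configure terminal": 15, "interface": 15, "ip address": 15,
    "shutdown": 15, "router rip": 15,
}


@dataclass
class User:
    name: str
    privilege: int = DEFAULT_LEVEL  # 'username <name> privilege <n>'


@dataclass
class Router:
    users: Dict[str, User]
    aaa_exec_authorization_local: bool = False   # 'aaa authorization exec default local'
    line_privilege_level: Optional[int] = None   # 'privilege level <n>' under the line
    enable_secrets: Dict[int, str] = field(default_factory=dict)  # level -> secret
    command_levels: Dict[str, int] = field(default_factory=dict)  # 'privilege ... level <n> <cmd>'

    def login_level(self, username: str) -> int:
        """EXEC level after authentication (Carl's lab sequence).

        With exec authorization against the local database the level comes from
        the username entry and the line's 'privilege level' is ignored; without
        it the line setting applies, and failing that the default level 1.
        """
        if self.aaa_exec_authorization_local:
            return self.users[username].privilege
        if self.line_privilege_level is not None:
            return self.line_privilege_level
        return DEFAULT_LEVEL

    def enable(self, current: int, secret: Optional[str], level: int = MAX_LEVEL) -> int:
        """'enable [level]': the target is 15 unless a level is given.

        Dropping to a lower level needs no secret. Going up needs the secret set
        with 'enable secret level <n>' for that level (plain 'enable secret' is
        the level-15 entry). On a wrong or missing secret the level is unchanged.
        """
        if level <= current:
            return level
        if level in self.enable_secrets and self.enable_secrets[level] == secret:
            return level
        return current

    def command_allowed(self, command: str, current: int) -> bool:
        """Local command authorization: the command's level must not exceed the user's."""
        level = self.command_levels.get(command, DEFAULT_COMMAND_LEVELS.get(command, MAX_LEVEL))
        return level <= current


def build_router() -> Router:
    """Router resembling the thread's intended end state (all values constructed)."""
    return Router(
        users={"manager": User("manager", 3), "user": User("user"), "cisco": User("cisco", 15)},
        aaa_exec_authorization_local=True,
        line_privilege_level=15,  # present, but ignored once exec authorization is on
        enable_secrets={15: "level15-secret", 3: "level3-secret"},
        command_levels={"configure terminal": 3, "interface": 3, "ip address": 3, "shutdown": 3},
    )


def carl_sequence() -> Tuple[int, int, int]:
    """Carl's three 'show priv' results: line level 3, then default 1, then username level 4."""
    r = Router(users={"cisco": User("cisco", 4)}, line_privilege_level=3)
    with_line = r.login_level("cisco")
    r.line_privilege_level = None            # 'no privilege level' under the lines
    without_line = r.login_level("cisco")
    r.aaa_exec_authorization_local = True    # 'aaa authorization exec default local'
    with_aaa = r.login_level("cisco")
    return with_line, without_line, with_aaa


def sessions() -> dict:
    """Walk the level-3 'manager' and the level-1 'user' through the steps Haitham describes."""
    r = build_router()
    m = r.login_level("manager")
    u = r.login_level("user")
    return {
        "manager_login": m,                                          # 3
        "user_login": u,                                             # 1
        "user_enable_3": r.enable(u, "level3-secret", 3),            # 3: per-level secret accepted
        "user_enable_3_wrong": r.enable(u, "guess", 3),              # 1: stays put
        "manager_conf_t": r.command_allowed("configure terminal", m),  # True: moved to level 3
        "manager_router_rip": r.command_allowed("router rip", m),    # False: still level 15
        "manager_enable_wrong": r.enable(m, "guess"),                # 3: bare 'enable' needs the 15 secret
        "manager_enable": r.enable(m, "level15-secret"),             # 15: authorization now moot
        "level15_router_rip": r.command_allowed("router rip", 15),   # True
        "drop_to_3": r.enable(15, None, 3),                          # 3: going down needs no secret
    }


if __name__ == "__main__":
    print("Carl's sequence:", carl_sequence())
    for k, v in sessions().items():
        print(f"{k:>22}: {v}")
```

The model makes the thread's conclusion visible: a level-3 user keeps the restricted command set only while staying at level 3, and the bare "enable" (level-0, inherited by everyone) is blocked solely by the level-15 secret, so the secret on each level is what actually enforces the boundary.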

carl_j_meza Sat, 04/19/2008 - 04:27

I see what you're saying now.


Originally you said "has no impact if 'aaa authorization' is enabled", and I'm considering 'aaa authorization exec notest none' as the aaa authorization service being enabled, so I misunderstood you.

mohammedmahmoud Sat, 04/19/2008 - 05:11

Carl,


No problem, I am glad that now we agree, and I hope that we can further help the original poster with his issue.


BR,

Mohammed Mahmoud.
