Hi Mohammed,

I applied what you suggested but am still having the same issue here!

When a user first authenticates, he will be in an unprivileged mode with priv 1, now in order to move to a privielged mode he should input the "enable" command! So, there is no way except for entering the enable command.

Please find attached the updated config. I would really appreciate your input here.

R/ Haihtam

Haitham,

When you do "enable" then as i told you in my initial post, this will force the user to go to level 15 and you'll lose any authorization configured.

Are you testing using telnet or console, and are you using telnet or ssh and which IOS version ? In order for me to be aware of the complete scenario.

Below is a simple lab, with the intended results:

On R6

=====

aaa new-model

!

!

aaa authentication login default local

aaa authorization config-commands

aaa authorization exec default local

aaa authorization commands 0 default local

aaa authorization commands 1 default local

aaa authorization commands 3 default local

aaa authorization commands 15 default local

!

aaa session-id common

username m password 0 m

username mmm privilege 3 password 0 mmm

privilege interface level 3 ip address

privilege interface level 3 ip

privilege configure level 3 interface

privilege exec level 3 configure terminal

privilege exec level 3 configure

line con 0

line aux 0

line vty 0 4

privilege level 15 <-- Just to illustrate that it won't affect the Authorization

password cisco

From R5

=======

R5#192.168.56.6

Trying 192.168.56.6 ... Open

User Access Verification

Username: mmm

Password:

R6#sh priv

R6#sh privilege

Current privilege level is 3

R6#

BR,

Mohammed Mahmoud.

Hi Mohammed,

I tried the sample config which you provided and it worked just fine as long as I am still in the unprivileged mode.

But in order to apply any of the commands which we restricted the use of with "privilege" command, we have to login to the enabled mode which takes the user to priv 15 and then he will have unrestrcited access!

What I would like to accomplish is to define user roles with specific access privilges such as ability to run show commands only, or ability to run specific config commands such as routing configs or ACL ... etc, even though the user is logged to the config mode! How is this possible using local authorization?

R/ Haitham

Hi Haitham,

Please post your configuration, below is the output of my R6 (with the above sample configuration) with the intended results (with only level 1 commands + the extra commands via the privilege command), there seems to be a problem on your router:

RackTS>r6

Trying R6 (192.168.1.70, 2038)... Open

User Access Verification

Username: mmm

Password:

R6#sh priv

R6#sh privilege

Current privilege level is 3

R6#?

Exec commands:

access-enable Create a temporary Access-List entry

access-profile Apply user-profile to interface

call Voice call

clear Reset functions

configure Enter configuration mode

connect Open a terminal connection

crypto Encryption related commands.

disable Turn off privileged commands

disconnect Disconnect an existing network connection

enable Turn on privileged commands

exit Exit from the EXEC

help Description of the interactive help system

lat Open a lat connection

lock Lock the terminal

login Log in as a particular user

logout Exit from the EXEC

modemui Start a modem-like user interface

mrinfo Request neighbor and version information from a multicast

router

mstat Show statistics after multiple multicast traceroutes

mtrace Trace reverse multicast path from destination to source

name-connection Name an existing network connection

pad Open a X.29 PAD connection

ping Send echo messages

ppp Start IETF Point-to-Point Protocol (PPP)

release Release a resource

renew Renew a resource

resume Resume an active network connection

rlogin Open an rlogin connection

set Set system parameter (not config)

show Show running system information

slip Start Serial-line IP (SLIP)

ssh Open a secure shell client connection

systat Display information about terminal lines

tclquit Quit Tool Command Language shell

telnet Open a telnet connection

terminal Set terminal line parameters

tn3270 Open a tn3270 connection

traceroute Trace route to destination

tunnel Open a tunnel connection

udptn Open an udptn connection

where List active connections

x28 Become an X.28 PAD

x3 Set X.3 parameters on PAD

R6#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R6(config)#?

Configure commands:

atm Enable ATM SLM Statistics

call Configure Call parameters

default Set a command to its defaults

dss Configure dss parameters

end Exit from configure mode

exit Exit from configure mode

help Description of the interactive help system

interface Select an interface to configure

no Negate a command or set its defaults

oer Optimized Exit Routing configuration submodes

R6(config)#inter

R6(config)#interface f0/0

R6(config-if)#?

Interface configuration commands:

default Set a command to its defaults

exit Exit from interface configuration mode

help Description of the interactive help system

ip Interface Internet Protocol config commands

no Negate a command or set its defaults

BR,

Mohammed Mahmoud.

Hi Mohammed,

Please find attached the capture result after logging in with a priv 3 user.

Attached you will also find the config. I am logging in using console.

Again, what I am looking for is to restrict the user access in config t mode, currently with the attached config, the user "manager" is able to browse to all the config mode commands! I need this user to be able to run specific commands only such as "shutdown" and "ip address" as interface-specific commands.

Appreciate your help on this.

R/ Haitham

Hi Haitham,

From your output, i can see that it is working fine, the only issue is that i don't understand why do you do "enable" after being logged in Priv3 (as i told you before this will take you to Priv 15 and override any authorization configured), can you please do do "conf t" just after logging in with Priv3 (without doing "enable"), and post a "?", and then enter the interface mode and post another "?".

BR,

Mohammed Mahmoud.

Hi Mohammed,

Now I got you that I should not enter the "enable" command, but how is the user able to execute the "enable" command although I am not giving him that permission thru my privilege commands configuration!

How can I restrict the user accessing the conf t thru the enable mode?

R/ Haitham

Hi Carl,

The "privielge level 15" command has no effect with AAA authorization enabled.

BR,

Mohammed Mahmoud.

Mohammed,

It appears that in this case it is definitely having an effect.

Applied the following..

!

username cisco privilege 4 password 0 cisco

!

aaa new-model

aaa authentication login default local

aaa authorization exec notest none

aaa session-id common

!

line vty 0 4

privilege level 3

!

line vty 5 15

privilege level 3

!

connect...

neteng-lab-switch#show priv

Current privilege level is 3

config...

neteng-lab-switch(config)#line vty 0 15

neteng-lab-switch(config-line)#no privilege level

connect...

neteng-lab-switch>show priv

Current privilege level is 1

config...

neteng-lab-switch(config)#aaa authorization exec default local

connect...

neteng-lab-switch#show priv

Current privilege level is 4

Carl,

Exactly, what you labed is what i've said, it will have no effect as long as you have configured AAA authorization (in your output, after enabling authorization you get priv 4, according to the username command rather than priv 3 as configured under the VTY).

On the other hand, what Haitham is facing here is that when he access the router, he gets in with priv 1, and then he explicitly do "enable" and that is what gets him into priv level 15, not the "privilege level 15" under the VTYs.

BR,

Mohammed Mahmoud.

I see what you're saying now.

Oringally you said "has no impact if 'aaa authorization' is enabled" and I'm considering 'aaa authorization exec notest none' as the aaa authorization service being enabled so I misunderstood you.