04-18-2008 02:39 PM - edited 03-05-2019 10:29 PM
Hi,
I am testing the privilege command on my router and have created different user accounts with different privilege levels but when logging in using any of these users they all give me privilege 15 unexpectedly!!
For example when logging in with a user of privilege 3, when going to the enable mode and issuing the command "show priv" it gives me privilege 15!
Can you please have a look at my config and advise on this!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec notest none
!
aaa session-id common
!
resource policy
!
ip subnet-zero
username cisco privilege 15 secret xxx
username user
username manager privilege 3 password 0 manager
!
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address 10.2.2.254 255.255.255.0
ip accounting output-packets
ip accounting precedence input
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.254 255.255.255.0
duplex auto
speed auto
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.2.2.5
!
ip http server
ip http access-class 23
privilege interface level 3 shutdown
privilege interface level 3 ip address
privilege interface level 3 ip
privilege configure level 3 interface
privilege exec level 1 clock
privilege exec level 3 configure terminal
privilege exec level 3 configure
!
line con 0
login authentication test
transport output none
line aux 0
transport output none
line vty 0 3
privilege level 15
transport input telnet ssh
transport output none
line vty 4
privilege level 15
rotary 45
transport input telnet ssh
transport output none
line vty 5 15
access-class 23 in
privilege level 15
transport input none
transport output none
!
scheduler allocate 20000 1000
ntp authentication-key 1 md5 xxx
ntp master 2
ntp update-calendar
!
end
R/ Haitham
04-18-2008 11:49 PM
Hi Haitham,
The issue here is that by doing the enable command you forced the router to move to level 15, enable command is used to move between levels "enable x" with the default value of 15, and this is what happened in your case, do the "show privilege" without doing enable.
[edit] Another thing that I've noticed here is that your authorization commands are not complete; for your level 3 users to be able to do what they are eligible to do via the privilege command, you need to generally add the following lines:
aaa authorization config-commands
aaa authorization exec default local
aaa authorization commands 0 default local
aaa authorization commands 1 default local
aaa authorization commands 15 default local
BR,
Mohammed Mahmoud.
04-19-2008 01:43 AM
Hi Mohammed,
I applied what you suggested but am still having the same issue here!
When a user first authenticates, he will be in an unprivileged mode with priv 1; now in order to move to a privileged mode he should input the "enable" command! So, there is no way except for entering the enable command.
Please find attached the updated config. I would really appreciate your input here.
R/ Haitham
04-19-2008 02:14 AM
Haitham,
When you do "enable" then as i told you in my initial post, this will force the user to go to level 15 and you'll lose any authorization configured.
Are you testing using telnet or console, and are you using telnet or ssh and which IOS version ? In order for me to be aware of the complete scenario.
Below is a simple lab, with the intended results:
On R6
=====
aaa new-model
!
!
aaa authentication login default local
aaa authorization config-commands
aaa authorization exec default local
aaa authorization commands 0 default local
aaa authorization commands 1 default local
aaa authorization commands 3 default local
aaa authorization commands 15 default local
!
aaa session-id common
username m password 0 m
username mmm privilege 3 password 0 mmm
privilege interface level 3 ip address
privilege interface level 3 ip
privilege configure level 3 interface
privilege exec level 3 configure terminal
privilege exec level 3 configure
line con 0
line aux 0
line vty 0 4
privilege level 15 <-- Just to illustrate that it won't affect the Authorization
password cisco
From R5
=======
R5#192.168.56.6
Trying 192.168.56.6 ... Open
User Access Verification
Username: mmm
Password:
R6#sh priv
R6#sh privilege
Current privilege level is 3
R6#
BR,
Mohammed Mahmoud.
04-20-2008 12:35 PM
Hi Mohammed,
I tried the sample config which you provided and it worked just fine as long as I am still in the unprivileged mode.
But in order to apply any of the commands which we restricted the use of with the "privilege" command, we have to log in to the enabled mode, which takes the user to priv 15, and then he will have unrestricted access!
What I would like to accomplish is to define user roles with specific access privileges, such as the ability to run show commands only, or the ability to run specific config commands such as routing configs or ACLs, etc., even though the user is logged in to the config mode! How is this possible using local authorization?
R/ Haitham
04-21-2008 12:12 AM
Hi Haitham,
Please post your configuration, below is the output of my R6 (with the above sample configuration) with the intended results (with only level 1 commands + the extra commands via the privilege command), there seems to be a problem on your router:
RackTS>r6
Trying R6 (192.168.1.70, 2038)... Open
User Access Verification
Username: mmm
Password:
R6#sh priv
R6#sh privilege
Current privilege level is 3
R6#?
Exec commands:
access-enable Create a temporary Access-List entry
access-profile Apply user-profile to interface
call Voice call
clear Reset functions
configure Enter configuration mode
connect Open a terminal connection
crypto Encryption related commands.
disable Turn off privileged commands
disconnect Disconnect an existing network connection
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
lat Open a lat connection
lock Lock the terminal
login Log in as a particular user
logout Exit from the EXEC
modemui Start a modem-like user interface
mrinfo Request neighbor and version information from a multicast router
mstat Show statistics after multiple multicast traceroutes
mtrace Trace reverse multicast path from destination to source
name-connection Name an existing network connection
pad Open a X.29 PAD connection
ping Send echo messages
ppp Start IETF Point-to-Point Protocol (PPP)
release Release a resource
renew Renew a resource
resume Resume an active network connection
rlogin Open an rlogin connection
set Set system parameter (not config)
show Show running system information
slip Start Serial-line IP (SLIP)
ssh Open a secure shell client connection
systat Display information about terminal lines
tclquit Quit Tool Command Language shell
telnet Open a telnet connection
terminal Set terminal line parameters
tn3270 Open a tn3270 connection
traceroute Trace route to destination
tunnel Open a tunnel connection
udptn Open an udptn connection
where List active connections
x28 Become an X.28 PAD
x3 Set X.3 parameters on PAD
R6#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R6(config)#?
Configure commands:
atm Enable ATM SLM Statistics
call Configure Call parameters
default Set a command to its defaults
dss Configure dss parameters
end Exit from configure mode
exit Exit from configure mode
help Description of the interactive help system
interface Select an interface to configure
no Negate a command or set its defaults
oer Optimized Exit Routing configuration submodes
R6(config)#inter
R6(config)#interface f0/0
R6(config-if)#?
Interface configuration commands:
default Set a command to its defaults
exit Exit from interface configuration mode
help Description of the interactive help system
ip Interface Internet Protocol config commands
no Negate a command or set its defaults
BR,
Mohammed Mahmoud.
04-21-2008 03:37 AM
Hi Mohammed,
Please find attached the capture result after logging in with a priv 3 user.
Attached you will also find the config. I am logging in using console.
Again, what I am looking for is to restrict the user access in config t mode, currently with the attached config, the user "manager" is able to browse to all the config mode commands! I need this user to be able to run specific commands only such as "shutdown" and "ip address" as interface-specific commands.
Appreciate your help on this.
R/ Haitham
04-21-2008 03:58 AM
Hi Haitham,
From your output, I can see that it is working fine; the only issue is that I don't understand why you do "enable" after being logged in at Priv 3 (as I told you before, this will take you to Priv 15 and override any authorization configured). Can you please do "conf t" just after logging in with Priv 3 (without doing "enable") and post a "?", and then enter the interface mode and post another "?".
BR,
Mohammed Mahmoud.
04-21-2008 06:14 AM
Hi Mohammed,
Now I got you that I should not enter the "enable" command, but how is the user able to execute the "enable" command although I am not giving him that permission thru my privilege commands configuration!
How can I restrict the user accessing the conf t thru the enable mode?
R/ Haitham
04-21-2008 06:27 AM
Haitham,
The enable command is a level 0 command, and is inherited to all the upper levels by default, as long as you've secured it with a strong enable secret, then no worries.
More over as i've told you before you can use "enable x" to move between priv levels (with 15 as the default), and accordingly you require to secure higher level access from lower levels(if you have many levels) , and thus you need to enable a secret password per each level using the "enable secret level x <>" command (also with 15 as the default).
BR,
Mohammed Mahmoud.
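Pulling the thread's advice together, here is an added example configuration (not posted by any participant) that keeps the "manager" user at level 3 even if he types "enable": per-level enable secrets, command authorization for each level in use, and the vty "privilege level 15" lines removed. It assumes the hostname, the "manager" user and FastEthernet0/0 from Haitham's config; the secrets are placeholders.

```cisco
! Added example, not from the thread. Placeholders in <...> must be replaced.
aaa new-model
aaa authentication login default local
! exec authorization takes the level from the username entry, not from the line
aaa authorization exec default local
! config-mode commands are authorized too, at every level that is in use
aaa authorization config-commands
aaa authorization commands 1 default local
aaa authorization commands 3 default local
aaa authorization commands 15 default local
!
! "enable" with no argument means "enable 15" and prompts for the level-15 secret,
! which the level-3 operator does not know; "enable 3" only needs the level-3 secret.
enable secret level 15 <LEVEL15-SECRET>
enable secret level 3 <LEVEL3-SECRET>
!
! "secret" stores a hash; "password 0 ..." as in the original config stores cleartext
username manager privilege 3 secret <MANAGER-SECRET>
!
! Expose to level 3 only the commands this role needs (same set as the thread)
privilege exec level 3 configure terminal
privilege configure level 3 interface
privilege interface level 3 ip address
privilege interface level 3 ip
privilege interface level 3 shutdown
!
! No "privilege level 15" here: with exec authorization it would be ignored anyway,
! and without it it would hand every vty login level 15.
line vty 0 4
 transport input ssh
 transport output none
```

To verify, log in as "manager", run "show privilege" (expect 3), then type "enable": it prompts for the level-15 secret and, without it, the user stays at level 3 with only the configure/interface commands listed above.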
04-19-2008 12:39 AM
Hi Haitham,
Try removing the 'privilege level 15' statements from your vty lines.
-Carl
04-19-2008 01:35 AM
Hi Carl,
The "privielge level 15" command has no effect with AAA authorization enabled.
BR,
Mohammed Mahmoud.
04-19-2008 03:12 AM
Mohammed,
It appears that in this case it is definitely having an effect.
Applied the following..
!
username cisco privilege 4 password 0 cisco
!
aaa new-model
aaa authentication login default local
aaa authorization exec notest none
aaa session-id common
!
line vty 0 4
privilege level 3
!
line vty 5 15
privilege level 3
!
connect...
neteng-lab-switch#show priv
Current privilege level is 3
config...
neteng-lab-switch(config)#line vty 0 15
neteng-lab-switch(config-line)#no privilege level
connect...
neteng-lab-switch>show priv
Current privilege level is 1
config...
neteng-lab-switch(config)#aaa authorization exec default local
connect...
neteng-lab-switch#show priv
Current privilege level is 4
04-19-2008 03:21 AM
Carl,
Exactly, what you labbed is what I've said: it will have no effect as long as you have configured AAA authorization (in your output, after enabling authorization you get priv 4, according to the username command, rather than priv 3 as configured under the VTY).
On the other hand, what Haitham is facing here is that when he accesses the router, he gets in with priv 1, and then he explicitly does "enable", and that is what gets him into priv level 15, not the "privilege level 15" under the VTYs.
BR,
Mohammed Mahmoud.
04-19-2008 04:27 AM
I see what you're saying now.
Originally you said "has no impact if 'aaa authorization' is enabled" and I'm considering 'aaa authorization exec notest none' as the aaa authorization service being enabled, so I misunderstood you.