aaa authentication and privilege-mode

Answered Question
Apr 29th, 2008

I want to configure AAA authentication with local user accounts on the switch. The idea is to land directly in privileged mode without the enable command.


I configured the following commands:

aaa new-model

aaa authentication login default local


What other commands (authorization) are necessary to get into privileged mode?


Thanks

Pascal

Jagdeep Gambhir Tue, 04/29/2008 - 06:05

Pascal,

Yes, privilege falls under the heading "authorization", so we need that command.


aaa authorization exec default local


Also make sure that the local user has privilege 15.


Regards,

~JG


Do rate helpful posts

keynet Tue, 04/29/2008 - 06:30

It doesn't work with this command. I don't come directly into privileged mode. The user has privilege level 15.


Regards

Pascal

Jagdeep Gambhir Tue, 04/29/2008 - 06:50

Pascal,

That is not possible; it should work. Can you get me the debugs and the current config:


debug aaa authorization

debug aaa authentication

terminal mon


Regards,

~JG

keynet Tue, 04/29/2008 - 07:38

You are right. With telnet it works. It doesn't work via the console. I attached my config and the debug. The debug shows the login from the console.

Thank you for your help!!


Regards

Pascal



Correct Answer
Jagdeep Gambhir Tue, 04/29/2008 - 08:07

Dear,

For the console you need to issue one more command.


There is a hidden command within IOS that you need to apply: "aaa authorization console".



That should fix it,



Regards,

~JG


Do rate helpful posts
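A static check for the situation above, written as an added example for this thread (it is not code from the original posts or from Cisco). It parses the few AAA, username and line commands the thread discusses and reports, per line, what still prevents a direct landing in privileged EXEC: a missing method list, no local user at privilege 15, and, for the console, the missing "aaa authorization console". The two sample configs are constructed to mirror the poster's first attempt and the fix; the username, secret hash and line ranges are assumptions, not copied from the attached config. The script only reads config text; it does not talk to a device.

```python
"""Static audit of an IOS config for 'log in straight to privileged EXEC'.

Added example for this thread, not code from the original posts or from Cisco.
It parses the handful of AAA, username and line commands the thread discusses
and reports, per line (console and vty), what is still missing.  The sample
configs are constructed, not copied from the poster's attachment.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: what the poster started with. Works over telnet (vty)
# but not on the console.  Username and secret hash are placeholders.
FIRST_ATTEMPT = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username pascal privilege 15 secret 5 $1$xxxx$placeholder
line con 0
line vty 0 4
"""

# Constructed sample: the same config with the accepted answer's command added.
FIXED = FIRST_ATTEMPT + "aaa authorization console\n"


@dataclass
class AaaConfig:
    new_model: bool = False
    authz_console: bool = False
    login_lists: dict = field(default_factory=dict)  # list name -> methods
    exec_lists: dict = field(default_factory=dict)   # list name -> methods
    users: dict = field(default_factory=dict)        # username -> privilege
    lines: dict = field(default_factory=dict)        # "con 0" -> {"login": .., "exec": ..}


def _methods(spec):
    """Split 'group tacacs+ local' into ['group tacacs+', 'local']."""
    tokens, out = spec.split(), []
    while tokens:
        t = tokens.pop(0)
        out.append(f"{t} {tokens.pop(0)}" if t == "group" and tokens else t)
    return out


def parse_config(text):
    cfg = AaaConfig()
    current = None  # the 'line ...' stanza we are inside, e.g. "con 0"
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        indented = raw.startswith(" ")
        if not indented:
            current = None
        if cmd == "aaa new-model":
            cfg.new_model = True
        elif cmd == "aaa authorization console":
            cfg.authz_console = True
        elif (m := re.match(r"aaa authentication login (\S+) (.+)", cmd)):
            cfg.login_lists[m.group(1)] = _methods(m.group(2))
        elif (m := re.match(r"aaa authorization exec (\S+) (.+)", cmd)):
            cfg.exec_lists[m.group(1)] = _methods(m.group(2))
        elif (m := re.match(r"username (\S+)(?: privilege (\d+))?", cmd)):
            cfg.users[m.group(1)] = int(m.group(2) or 1)  # IOS default is level 1
        elif (m := re.match(r"line (con|vty|aux) (.+)", cmd)):
            current = f"{m.group(1)} {m.group(2)}"
            # With aaa new-model a line uses the 'default' lists unless overridden.
            cfg.lines[current] = {"login": "default", "exec": "default"}
        elif indented and current:
            if (m := re.match(r"login authentication (\S+)", cmd)):
                cfg.lines[current]["login"] = m.group(1)
            elif (m := re.match(r"authorization exec (\S+)", cmd)):
                cfg.lines[current]["exec"] = m.group(1)
    return cfg


def audit(text):
    """Return {line: (ok, [problems])} for every configured line."""
    cfg = parse_config(text)
    has_priv15 = any(p == 15 for p in cfg.users.values())
    report = {}
    for name, lists in cfg.lines.items():
        problems = []
        if not cfg.new_model:
            problems.append("aaa new-model is not configured")
        if lists["login"] not in cfg.login_lists:
            problems.append(f"login list '{lists['login']}' is not defined")
        ex = cfg.exec_lists.get(lists["exec"])
        if ex is None:
            problems.append(f"exec authorization list '{lists['exec']}' is not defined")
        elif "local" in ex and not has_priv15:
            problems.append("exec authorization uses local but no username has privilege 15")
        # The thread's gotcha: the console ignores exec authorization until this is set.
        if name.startswith("con") and not cfg.authz_console:
            problems.append("'aaa authorization console' is missing, so the console ignores exec authorization")
        report[name] = (not problems, problems)
    return report


if __name__ == "__main__":
    for label, text in (("first attempt", FIRST_ATTEMPT), ("fixed", FIXED)):
        print(f"== {label} ==")
        for line, (ok, problems) in audit(text).items():
            print(f"  line {line}: {'OK' if ok else 'NOT OK'}")
            for p in problems:
                print(f"    - {p}")
```

Run it against the two constructed samples and the first reports "vty 0 4" as fine and "con 0" as missing "aaa authorization console", which is exactly the telnet-works-console-doesn't symptom reported above; the second passes on both lines. Feed it the output of "show running-config" to check a real box.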

keynet Wed, 04/30/2008 - 02:51

Hello JG


Now, it works fine.

Thank you very much for your support!


Regards, Pascal

jong_r0602 Mon, 05/05/2008 - 21:34

Hi,


I have the same problem on my 7200 router; before, I could enter privileged mode directly without the enable command. I don't know what command I issued, because now when I log in to my router through telnet I need to enter my enable password. Please help me.


Here's my configuration:


aaa new-model

aaa authorization console

aaa authorization exec default group tacacs+ local


I also tried to copy the config of my other router, but it still doesn't work. I appreciate your help.


Thanks,

Jong

Jagdeep Gambhir Tue, 05/06/2008 - 04:55

Jong,

This is what we should have on the router; make sure you have privilege 15 defined for the user.


Router(config)# username [username] password [password]

tacacs-server host [ip]

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated


On TACACS+:


Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field


Now it should let you in directly to enable mode.



Regards,

~JG


Do rate helpful posts

jong_r0602 Tue, 05/06/2008 - 05:24

Hi JG,


I really appreciate your help. I have here the complete AAA commands on my router. I just remember that I issued "privilege exec/command/configure level" commands before this problem. Is there anything I need to check in my privilege config?


I'm pretty sure that I have the correct config on my ACS, because 9 out of my 10 routers are working fine with authentication, authorization and accounting.


aaa new-model

!

!

aaa authentication login c3auth group tacacs+ local

aaa authorization console

aaa authorization exec default group tacacs+ local

aaa authorization exec c3auth group tacacs+ local

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 5 c3auth group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa accounting session-duration ntp-adjusted

aaa accounting exec c3auth start-stop group tacacs+

aaa accounting commands 5 c3auth start-stop group tacacs+

aaa accounting commands 15 c3auth start-stop group tacacs+

aaa accounting connection c3auth start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

tacacs-server host xxxxx

tacacs-server directed-request

tacacs-server key xxxxx


privilege voipdialpeer level 5 shutdown

privilege controller level 5 shutdown

privilege interface level 5 shutdown

!

privilege configure level 5 line

privilege configure level 5 dial-peer voice

privilege configure level 5 dial-peer

privilege configure level 5 interface

privilege configure level 5 controller

privilege exec all level 5 configure terminal

privilege exec level 5 configure

privilege exec level 4 show dial-peer

privilege exec level 5 show call active voice

privilege exec level 5 show call active

privilege exec level 5 show call

privilege exec level 4 show interfaces

privilege exec level 5 show running-config

privilege exec level 5 show configuration

privilege exec level 5 show

privilege exec level 5 clear counters

privilege exec level 5 clear


Regards,

Jong
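Every authorization list in the config above is "group tacacs+ local". How IOS walks such a list is the detail that decides what happens when ACS is unreachable versus when ACS answers with a deny: the next method is consulted only when the current one returns an error (server not reachable), never when it returns a fail (server reached, request denied). The simulation below, an added example for this thread and not Cisco code, encodes that rule with a stubbed TACACS+ reply supplied by the caller; the method names, the stub and the default of EXEC level 1 when the server sends no privilege level are assumptions of the example, and "if-authenticated" is deliberately not modelled.

```python
"""Walk an IOS AAA method list the way the router does.

Added example for this thread, not Cisco code.  Each method returns PASS,
FAIL or ERROR; the router moves to the next method only on ERROR (server not
reachable), never on FAIL (server reached and said no).  The TACACS+ server
is a stub whose answer the caller supplies.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # authorized
    FAIL = "fail"    # explicitly denied; the list stops here
    ERROR = "error"  # method unavailable; try the next one


def evaluate(methods, *, tacacs_reply, local_priv=None):
    """Return (final Result, method that decided, trace of (method, Result)).

    methods      -- e.g. ["group tacacs+", "local"] as written in the config
    tacacs_reply -- what the TACACS+ server would return (ERROR = unreachable)
    local_priv   -- privilege level of the matching local username, or None
    """
    trace = []
    for method in methods:
        if method == "group tacacs+":
            r = tacacs_reply
        elif method == "local":
            # Local exec authorization passes if the username exists locally;
            # the session then gets that user's configured privilege level.
            r = Result.PASS if local_priv is not None else Result.FAIL
        elif method == "none":
            r = Result.PASS
        else:
            raise ValueError(f"unknown method {method!r}")
        trace.append((method, r))
        if r is not Result.ERROR:
            return r, method, trace
    # Every method errored: the request is rejected.
    return Result.FAIL, None, trace


def landing_privilege(methods, *, tacacs_reply, server_priv=None, local_priv=None):
    """Privilege level the user lands in after exec authorization, or None if denied."""
    result, decided_by, _ = evaluate(methods, tacacs_reply=tacacs_reply, local_priv=local_priv)
    if result is not Result.PASS:
        return None
    if decided_by == "group tacacs+":
        # Assumed default: no priv-lvl attribute from the server means level 1.
        return server_priv if server_priv is not None else 1
    if decided_by == "local":
        return local_priv
    return 1


if __name__ == "__main__":
    LIST = ["group tacacs+", "local"]  # the list used throughout the config above
    scenarios = [
        ("ACS reachable, shell priv-lvl 15", dict(tacacs_reply=Result.PASS, server_priv=15, local_priv=15)),
        ("ACS reachable, shell denied",      dict(tacacs_reply=Result.FAIL, local_priv=15)),
        ("ACS unreachable, local user 15",   dict(tacacs_reply=Result.ERROR, local_priv=15)),
        ("ACS unreachable, local user 1",    dict(tacacs_reply=Result.ERROR, local_priv=1)),
        ("ACS unreachable, no local user",   dict(tacacs_reply=Result.ERROR)),
    ]
    for label, kw in scenarios:
        _, _, trace = evaluate(LIST, tacacs_reply=kw["tacacs_reply"], local_priv=kw.get("local_priv"))
        print(f"{label:34} -> priv {landing_privilege(LIST, **kw)}  trace {trace}")
```

The second scenario is the one worth remembering: a user ACS explicitly denies is not rescued by the local database, so "group tacacs+ local" is a fallback for an unreachable server, not a second chance. The fourth shows why the thread insists on privilege 15 for the local user: with ACS down, that user lands at level 1 and is back to typing enable.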



Jagdeep Gambhir Tue, 05/06/2008 - 05:54

Jong,

I don't think there is any need to have local privilege levels defined on the router itself, since we have ACS in place. Let ACS take care of the privilege and command authorization.


My suggestion is to configure the router with the commands below:


Router(config)# username [username] password [password]

tacacs-server host [ip]

tacacs-server key [key]

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization config-commands



Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field



If you use 'if-authenticated', any authentication method (line, local, etc.) will allow for successful authorization. However, if the TACACS+ server goes down during a session, all authorization will fail until a new authentication occurs (log out and log back in). This allows for an extra security measure so that a user with low privileges cannot suddenly run any command if the AAA server goes down.


Regards,

~JG

Do rate helpful posts

jong_r0602 Tue, 05/06/2008 - 06:42

Hi JG,


I'll do that; thanks for the additional info. I'm removing my commands again and then re-entering the new ones. Hope it works for me.


Regards,

Jong


jong_r0602 Wed, 05/07/2008 - 01:33

Thanks a lot JG, it works fine now.


Best Regards,

Jong
