Hi Edison,

My 3500 Series XL switch right now is configured for aaa authorization and authentication. Then I have an enable secret password plus I created one user. But I didn't create a line vty password. So when I will telnet to my switch it will ask for my username and password then after logging in I will issue the enable secret password. My question is where does the line vty password will come in?

I attached here the config. Hope you can enlighten me. Thanks.

Enabling 'aaa new-model' changes things a bit.

Per your configuration, you have indicated that you want to use local authentication:

aaa authentication login default local

which indicates to use the local username and password

If you wanted to use the line password the syntax would be:

aaa authentication login default line

In addition, if you wanted to avoid the use of the 'enable secret [password]' - you could do so by change the privilege level on the local account from:

username helios password 0 sdfsdf23Wdfgdf

to

username helios privilege 15 password 0 sdfsdf23Wdfgdf

HTH,

__

Edison.

Hi Edison,

Thanks for the info, I understand it now. I have one more question hope you can help me. Since I'm using aaa settings, how can I assign commands to be available on certain privilege levels? For example I want the command "sh ru" be available for user john and command "interface" be available only to user peter.

Hope you can help on this. Thanks.

Please refer to this link for more information on the 'privilege' command:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_p2.html#wp1034201

A lot of customization can be done with this command so I recommend to understand what it does before implementing.

John

The original answer provided by Edison is based on the classic default behavior of IOS devices. The classic default behavior assumes that aaa authentication is not yet configured. And in this environment configuring a password on the vty is essential to supporting remote access to the device.

In your configuration aaa authentication (and aaa new-model) is configured. And when aaa authentication is configured, then the password on the vty is not essential. It may be desirable, but it is not essential. If you do configure passwords for the vty then you can specify a backup method of authentication in case your primary method does not work. So if you do configure passwords on the vty then you might configure aaa authentication something like this:

aaa authentication login default local line

This would allow the device to authenticate with the vty password if the local authentication fails.

HTH

Rick

Rick,

Thanks a lot for your reply. It helps me understand the issue. I have one more question though as what I posted above. Is it possible to assign certain commands like "interface" or "sh ru" to be made available to certain user peter and hide the other commands to that user?

Hope you can also help me on this. Thanks.

John

It is certainly possible to change the privilege level of certain commands and to put them at a privilege level other than their default. And you can then configure certain users to be assigned certain privilege levels.

One thing to be aware of is that when you assign privilege levels to commands (perhaps like interface at level 5 and show run at level 7) that users at a privilege level (perhaps level 7) will get commands at that level and at any lower level. So the user at level 5 will only get the interface command. But the user at level 7 will get both show run and interface.

If you want a certain user to get only certain commands and some other user to get only certain other commands, then assigning privilege level to the commands is not so very effective. To accomplish that certain users have only specified commands you should do command authorization using aaa authorization commands on the router and configuring in ACS/TACACS which specific commands each user should get.

HTH

Rick

So

Hi Rick,

Thanks for this reply I really need this one. Can I configure aaa authorization commands on the switch without using ACS/TACACS? And what does it mean to configure it in ACS/TACACS? Do you also have a sample link for this?

Thanks for the reply.

John

There are 2 approaches to restricting access to commands. One approach (which is what you originally asked about) is to assign various commands to privilege levels and then to give particular users a specified privilege level which controls what commands that they have access to.

The other approach is to use command authorization. With command authorization you can specify that a particular user (or group of users) have access to some commands and not have access to other commands. I am familiar with doing this on Cisco ACS where you can build an authorization set to define what commands a user has access to. I am not sure how well it would work on a switch without using TACACS or ACS. It looks like in the syntax of configuring aaa authorization commands 15 that there is an option to specify local (which should use the database on the switch). But I can not see how to build a database or authorization set on the switch.

HTH

Rick

Hi Rick,

You're reply is very informative and it really helps me. I'd like to know more about using TACACS/ACS/Radius if you help me but in our company it is likely that we will only use local database for authorization.

Do you have guides about implementing TACACS and restricting user access of commands?

John

This link is a pretty good place to start. Look especially at part 1:

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/fsecur_c.html

HTH

Rick

Rick,

I have read that link already. Yes it's a good place to start. Thanks for your reply. I think it's best that I will make another topic for aaa authorization using local database.

What you think?

Thanks.

John

I agree that starting a new thread focusing on authorization using the local database would be a good thing to do. The current thread and its title do not give people any clue that it is interested in authorization using the local database. A new thread with a new title could make this obvious and hopefully generate some new participants in the discussion.

HTH

Rick