Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

AAA authorization commands

Hi All

Probably i am going to ask a stupid question but i am really confused regarding the purpose of "aaa authorization commands x default local" command. I understand that if this command is configured, it authorizes each and every command of that level but in my experience, this command is not doing anything. The outcome is same whether it is configured or not.

Following is my aaa part config

username cisco privilege 15 secret cisco 

aaa new-model

aaa authentication login default local enable

aaa authorization exec default local if-authenticated

aaa authorization commands 15 default local if-authenticated

Now whether i keep the last command or remove it, username "cisco" is able to use every level 15 command so my question is, why i bother configuring this command?

 

Would really appreciate your quick reply

Regards

Everyone's tags (2)
2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

I was just playing around in

I was just playing around in my lab with your configuration example and I can confirm that you don't need aaa authorization commands command. To answer your second question: That is correct, you can have a user authorized as priv level 15 but restrict that same user to only execute a set of commands.

I would highly recommend that you download and install GNS3 and test your configurations :) In addition, I think the following link will provide some more insights:

http://www.dslreports.com/faq/9815

 

Thank you for rating helpful posts!

Hi Shahza, As per my

Hi Shahza,

 

As per my understanding for the local user database you do not need to have the aaa authorization set in network device..... if you use any Tacacs+ / Radius authentication servers, then it will be more effective..... you can set an attributes to the user profile and through that you can play around the config level access to users at certain level......

 

When it is with local database, it takes the authorization based on the privileage level which we set locally on the device and it never looks for the aaa reference..... authorization on local is limited and more it is limited to the privileage level sets on the specific profile.....

 

You can go through the below mentioned document for your learning on aaa.....

 

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r.html

 

Regards

Karthik

9 REPLIES
Community Member

Any Help Plz ??

Any Help Plz ??

Cisco Employee

I think a better question

I think a better question would be "What exactly are you trying to accomplish?" There is nothing in your current configuration that would prevent the "cisco" user from executing commands. The AAA commands are instructing the device to look at the "local" database for both authentication and authorization. The local "cisco" user is configured with a privilege level 15. So when the device queries the database (in this case the local router/switch database), the device would get a privilege level 15 return for that user. Thus, allowing that user to run all commands. Now, let's assume that you had a second user configured with privilege level 10 then that user will not be allowed to execute any commands higher than that level.

Hope this helps!

 

Thank you for rating helpful posts!

Community Member

Thanx Neno for your prompt

Thanx Neno for your prompt reply

I think i couldnt put my question in a better way....I understand my configuration will work straightaway and infact, i have tested it too....My question is that can i skip "aaa authorization commands 15 default local" command for what i want to achieve (giving user "cisco" a privilege level of 15)? Because apparently there is no affect of this command. If i remove it, still user "cisco" can run all level 15 commands.

Even for level 10 user, he wouldn't able to run any command higher than level 10 anyway regardless this command (aaa authorization commands 15 default local) is configured or not. My question is what is the purpose of this command then?? If this command is authorizing level 15 commands, then ideally, no user should have been able to run level 15 commands (even with privilege level 15) but this is not the case. User "cisco" can run all level 15 commands regardless this command is configured or not. So in my point of view, this command is not doing anything?

Your help will really be appreciated!!

Regards 

Cisco Employee

This command checks whether

This command checks whether you are authorized to execute commands in the Global Exec. If you don't type in this command, the device does not check to authorize level 15 commands even if an authorization list for level 15 commands has been applied under the vty or console terminal.

The aaa authorization exec determines if the user should start in the exec shell (privilege exec mode). In your situation the user is configured with priv level 15 so that user will be immediately placed in the exec shell and won't need to type the enable secret/password. Now you can further lock down the session by configuring the device to authorize the privilege level 1,2,...15 level commands with the aaa authorization commands levelThis can be particularly useful when you use a TACACS+ server and command authorization sets. For instance, you can have an authenticating user be given a privilege-level 15 but prevent that user from issuing any commands except: show, debug, etc, by associating a command authorization set with that user.

With all of that being said, I am not sure how useful this would be in your situation since you are using local database and not an AAA server.

Hope this helps!

 

Thank you for rating helpful posts!

Community Member

Thanx a lot for your quick

Thanx a lot for your quick response. Really appreciate that.

So does this mean, can i safely assume that if i am using local database then i don't require "aaa authorization command level" command??

that is following should be the config

username cisco privilege 15 secret cisco 

aaa new-model

aaa authentication login default local enable

aaa authorization exec default local if-authenticated

privilege exec level 15 show   (just an example)
privilege exec level 15 debug

I have tested this and it worked fine without using "aaa authorization command level"

Moreover, regarding the use of AAA server, my eventual plan is to use TACACS+ but before that,  i wanted to get a good grip of AAA functionality and therefore started off with local user database.  

So u mean to say, if i am using TACACS+ for authentication and authorization purposes and in ACS Server, user "cisco" has been assigned level 15 but with authorization set of "show" and "debug" only then by using "aaa authorization commands level" in a router, i can successfully restrict user "cisco" to "debug" and "show" only? In my point of view, i can achieve this anyway (restricting "cisco" user to only use "show and debug) without using "aaa authorization command level" (like i tested with local database)??

will really appreciate your kind response

 

Community Member

Any one plz confirm my

Any one plz confirm my understanding??

Hi Shahza, As per my

Hi Shahza,

 

As per my understanding for the local user database you do not need to have the aaa authorization set in network device..... if you use any Tacacs+ / Radius authentication servers, then it will be more effective..... you can set an attributes to the user profile and through that you can play around the config level access to users at certain level......

 

When it is with local database, it takes the authorization based on the privileage level which we set locally on the device and it never looks for the aaa reference..... authorization on local is limited and more it is limited to the privileage level sets on the specific profile.....

 

You can go through the below mentioned document for your learning on aaa.....

 

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r.html

 

Regards

Karthik

Community Member

Thanx a lot Neno and Karthik

Thanx a lot Neno and Karthik  for your time

Well i got an idea now.....that i have to use TACACS+ to make proper use of authorization command option.

Thanx once again for your time. 

Cisco Employee

I was just playing around in

I was just playing around in my lab with your configuration example and I can confirm that you don't need aaa authorization commands command. To answer your second question: That is correct, you can have a user authorized as priv level 15 but restrict that same user to only execute a set of commands.

I would highly recommend that you download and install GNS3 and test your configurations :) In addition, I think the following link will provide some more insights:

http://www.dslreports.com/faq/9815

 

Thank you for rating helpful posts!

1444
Views
7
Helpful
9
Replies
CreatePlease to create content