aaa authorization??

b-price
Level 1

I'm having trouble figuring out how to limit the commands a user can execute on a NAS (3660 router) using the local database. I have aaa authentication set up. I use the command username xxxx privilege 1 for one of my users, but it doesn't seem to restrict them from anything.

Any help would be greatly appreciated.

3 Replies

tepatel
Cisco Employee

You need to define the commands that you want to assign under different privilege levels. Here is the link for a sample config on How to Assign Privilege Levels with TACACS+ and RADIUS:

http://www.cisco.com/warp/public/480/PRIV.html

For local config of privilege levels, pl. visit the config example at the following location:

http://www.cisco.com/warp/public/471/84.html

I'm not using a TACACS+ or RADIUS server yet, (budget restrictions). I'm trying to set up authorization on the local database. This is what I did:

aaa new-model
aaa authentication login default local enable
aaa authorization exec default local
username bradley privilege 5 password 7 04035D505F
privilege exec level 5 show run
privilege exec level 5 show interfaces
privilege exec level 5 show ip interface brief
privilege exec level 5 ping

To test this I have a sub-interface. I log on as this person, get into interface configuration mode and successfully shut the interface down. I only want him to be able to execute the commands listed above. Why doesn't it work?

Thanks for your input.

You may have entered "enable" mode to use "conf t" and change the interface config. Enable mode is a privilege 15 command which lets you do everything with the router. Also, if the user is given privilege level 5 access, that means the user gets level 0 to level 5 access. So don't get into enable mode and check again.

With only the priv level 5 config like the above, user bradley will only be able to issue show commands and ping (if he doesn't get into enable mode). Please visit the following URL for a more detailed explanation:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt5/scdpass.htm
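The point made in the replies can be checked mechanically: an added example, not part of this thread or any Cisco tool, that parses the config posted above (embedded as a constructed sample), lists which exec commands are explicitly reachable at user bradley's level, and flags the two things a reviewer would raise: no "aaa authentication enable default" line (so, per IOS defaults, only the enable password stands between the user and level 15) and a reversible type 7 user password. The regexes and finding names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the local-authorization config posted in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local enable
aaa authorization exec default local
username bradley privilege 5 password 7 04035D505F
privilege exec level 5 show run
privilege exec level 5 show interfaces
privilege exec level 5 show ip interface brief
privilege exec level 5 ping
"""

# 'privilege <mode> level <n> <command>' and 'username <name> privilege <n> password <type> ...'
PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")
USER_RE = re.compile(r"^username (\S+) privilege (\d+)(?: password (\d) \S+)?")

def parse_privileges(config):
    """Map (mode, level) -> set of commands reassigned to that level."""
    levels = defaultdict(set)
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            levels[(m.group(1), int(m.group(2)))].add(m.group(3))
    return levels

def parse_users(config):
    """Map username -> (login privilege level, password type or None)."""
    users = {}
    for line in config.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            users[m.group(1)] = (int(m.group(2)), m.group(3))
    return users

def effective_exec_commands(config, user):
    """Exec commands explicitly reassigned to a level at or below the user's login level.
    Everything left at level 15 becomes reachable the moment the user runs 'enable'."""
    user_level = parse_users(config)[user][0]
    allowed = set()
    for (mode, level), cmds in parse_privileges(config).items():
        if mode == "exec" and level <= user_level:
            allowed |= cmds
    return sorted(allowed)

def audit(config):
    """Findings about how level 15 is guarded and how user credentials are stored."""
    findings = []
    if "aaa authentication enable default" not in config:
        findings.append("enable-not-aaa")  # IOS default: 'enable' is gated by the enable password alone
    for name, (_level, ptype) in parse_users(config).items():
        if ptype == "7":
            findings.append(f"type7-password:{name}")  # type 7 is reversible obfuscation, not a hash
    return findings
```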