New Member

aaa authorization??

I'm having trouble figuring out how to limit the commands a user can execute on a NAS (3660 router) using the local database. I have aaa authentication set up. I use the command username xxxx privilege 1 for one of my users, but it doesn't seem to restrict them from anything.

Any help would be greatly appreciated.

3 REPLIES
Cisco Employee

Re: aaa authorization??

You need to define the commands that you want to assign under different privilege levels. Here is the link to a sample config on How to Assign Privilege Levels with TACACS+ and RADIUS:

http://www.cisco.com/warp/public/480/PRIV.html

For local config of privilege levels, please see the config example at the following location:

http://www.cisco.com/warp/public/471/84.html

New Member

Re: aaa authorization??

I'm not using a TACACS+ or RADIUS server yet, (budget restrictions). I'm trying to set up authorization on the local database. This is what I did:

aaa new-model
! login methods, tried in order: local user database, then the enable password
aaa authentication login default local enable
! put each local user into the privilege level set on its username line
aaa authorization exec default local
username bradley privilege 5 password 7 04035D505F
! exec commands lowered from the default level 15 to level 5
privilege exec level 5 show run
privilege exec level 5 show interfaces
privilege exec level 5 show ip interface brief
privilege exec level 5 ping

To test this I have a subinterface. I log on as this user, get into interface configuration mode and successfully shut the interface down. I only want him to be able to execute the commands listed above. Why doesn't it work?

Thanks for your input.

Cisco Employee

Re: aaa authorization??

You may have entered "enable" mode to use "conf t" and change the interface config. Enable mode is a privilege 15 command which lets you do everything with the router. Also, if the user is given privilege level 5 access, that means the user gets level 0 to level 5 access. So don't get into enable mode and check again.

With only the priv level 5 config like the above, user bradley will only be able to issue show commands and ping (if he doesn't get into enable mode). Please visit the following URL for a more detailed explanation:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt5/scdpass.htm

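The following is an added example, not the configuration posted in the thread and not Cisco's reference config. It shows the local-database privilege-level setup the replies describe, with the two points a practitioner would check: the "enable" command is what lets a level-5 user reach level 15, so the level-15 enable secret must never be given to that user, and a "secret" (hashed) should be used for the restricted account instead of a reversible "password 7". It assumes an IOS 12.x router using only the local user database; the user name "bradley" and the secrets shown are placeholders.

```cisco
! Added example (not from the original thread). Assumes IOS 12.x with
! only the local user database; "bradley" and both secrets are placeholders.
aaa new-model
! login methods, tried in order: local user database, then the enable password
aaa authentication login default local enable
! "enable" is authenticated against the enable secret (a level-15 credential)
aaa authentication enable default enable
! place each local user into the privilege level set on its username line
aaa authorization exec default local
!
! Level-15 secret. Anyone who should stay at level 5 must not know it:
! typing "enable" with this secret is exactly the escalation the thread saw.
enable secret Level15-Only-Secret
!
! "secret" stores an MD5 hash; "password 7" is reversible and should not
! be used for an account that is meant to be restricted.
username bradley privilege 5 secret Bradley-Password
!
! Lower these exec commands from the default level 15 to level 5.
! The parent keywords ("show", "show ip", "show ip interface") become
! usable at level 5 automatically; levels 6 to 15 keep them as well.
privilege exec level 5 show running-config
privilege exec level 5 show interfaces
privilege exec level 5 show ip interface brief
privilege exec level 5 ping
!
! Nothing else is lowered, so "configure terminal" stays at level 15 and a
! session that remains at level 5 cannot reach interface configuration mode.
```

To check it, log in as bradley and run "show privilege"; it should report level 5. "configure terminal" should then be rejected as an unrecognized command, and "enable" should prompt for the level-15 secret that the user does not have. Two caveats: "show running-config" run below level 15 displays only the lines the current level is allowed to execute, so a level-5 user sees a trimmed configuration, and the method list "local enable" on the login line means anyone holding the enable password can still log in if the local database cannot answer, so that password deserves the same protection as the enable secret.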