Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
516
Views
8
Helpful
4
Replies

local authorization

Antonio_1_2
Level 1
Level 1

‎09-22-2006 07:34 AM - edited ‎03-10-2019 02:45 PM

Hi,

Is it possible to make authorization using local database (not tacacs or radius)?

I have username admin that has to have access to configuration on router. I also have usename and passwords for IPsec users, but they shouldn't have access to configuration. But both (if they know enable secret) can enter privilege level.

Here is the config output,:

aaa new-model

!

!

aaa authentication login USAUTH local

aaa authorization console

aaa authorization exec USAUTH local

aaa authorization commands 0 USAUTH local

aaa authorization commands 15 USAUTH local

!

username admin privilege 15 password 7 044D0E0D06

username user1 privilege 0 password 7 121013161C

username user2 privilege 0 password 7 121B0A051D

!

line con 0

authorization commands 0 USAUTH

authorization commands 15 USAUTH

authorization exec USAUTH

login authentication USAUTH

Labels:
0 Helpful
4 Replies 4

ethiel
Level 3
Level 3

‎09-23-2006 06:08 PM

Your config looks appropriate to accomplish what you are trying to. I use this (usually as backup for TACACS), and it works great. Have you tried your config and had issues? The only difference from my working configs is I do not have aaa authoriz commands 0 and 15 in my config.

One side note, if it's a recent IOS I suggest using secret instead of password for your local users. That will prevent the password from being reversed if someone gets your config. For example:

username admin priv 15 secret mypassword

Hope this helps.

Antonio_1_2
Level 1
Level 1
In response to ethiel

‎09-24-2006 11:32 PM

Hi,

Yes I tried that config and it doesn't work. It works with tacacs, but with local authentication/authorization all users regardless of privilege level, can enter privilege mod (enable) if they now appropriate enable secret.

Is there a way that I can acomplish this with local authorization: when user1 tries to enter enable mod, he will be rejected because whe has prevelege level 0.

Thanks,

Vedran

0 Helpful

kidli
Level 1
Level 1
In response to Antonio_1_2

‎09-24-2006 11:46 PM

Hi,

hope I clear understand your need. User logging in different privilege level then 15 should use such way of enable command:

enable [privilege-level] [view [view-name]]

So for priv.level 0 use command "enable 0"

Hope it will help you.

Michal

kidli
Level 1
Level 1
In response to Antonio_1_2

‎09-25-2006 12:11 AM

Hi,

I forgot to announce that you should also define permitted commands set for appropriate privilege level using commands privilege or privilege level. Link to reference guide is provided below:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124tcr/tsec_r/sec_p1ht.htm#wp1215217

Nice day.

Michal

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents