cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1809
Views
0
Helpful
4
Replies

Two-man control

james.smith
Level 1
Level 1

I work in a facility that has some strict access control requirements. I am looking for a way to log into a Cisco router that requires two usernames and passwords to access the privilege level. Does anyone know of any way to do this? I can't seem to find anything that could do this.

4 Replies 4

ywadhavk
Cisco Employee
Cisco Employee

Hi James,

Here's a sample config that implements the AAA authorization locally on the router;

Create the local user database as follows:

username superuser privilege 15 password super aaa new-model

aaa authentication login default local

aaa authorization exec default local

username supertwo privilege 15 password supertwo

If you are implementing a (AAA) Radius or TACACS+ server, you will change the config to the below and have the users defined on the AAA server

aaa new-model

aaa authentication login default group tacacs local

aaa authorization exec default group tacacs local

replace tacacs with radius in the above commands if using tacacs.

Hope this helps a bit.

Thanks,

yatin

Hi Yatin,

Thanks for you reply. I'm not sure it's exactly what I'm looking for. Perhaps I should give an example to clarify:

-A user connects to the router or switch, by vty or console.

-The user enters his username and password (i.e. 'user1' and 'pass1')

-At this point the user can do regular commands that are allowed for the exec level, but not privileged level commands.

-When the user wants to switch to privileged exec mode, he should not be able to do this himself. He should require another user login as well (i.e. 'user2' and 'pass2'). Then privileged level access is allowed.

-The reverse is also true. If user2 logs in, he does not have privileged level access and requires user1 to also log in.

The above situation requires that two people must agree before privileged level is reached. It is like requiring two people to agree before launching a nuclear missile, etc. As I mentioned, our access control requirements are very strict.

James

Hi James,

Ok,here's how you can setup privilege levels for different users,

aaa new-model

aaa authentication login default [group] local

aaa authorization exec default [group] local

Make sure to create the local user database as follows:

username abc privilege 0 password abc

username xyz privilege 1 password xyz

username special privilege 5 password special

username superuser privilege 15 password super

With the above setup, user abc can execute only disable, enable, exit, help, and logout commands.

User xyz can execute all the level 0 and level 1 commands.

User superuser can execute all the commands on the router.

On the router these are the 3 level of default commands:

-privilege level 0 — includes the disable, enable, exit, help, and logout commands

- privilege level 1 — normal level on Telnet; includes all user-level commands at the router> prompt

- privilege level 15 — includes all enable-level commands at the router#

prompt

Now based on your requirement, you can create a priv level bewteen 2-14 and assign any priv level 15 commands (level 0 and 1 would be inherited by default). Here is an example:

With this, user six is only able to execute all the level 0 & 1 commands. If the user need to execute "config t" on the router, he has to add the following line to add this level 15 commans to level 6.

privilege exec level 5 configure terminal

privilege exec level 5 gatekeeper

privilege exec level 5 write memory

thanks,

yatin

James,

As for the last part, there is no feature like the 2-login authorization. Will let you know' if I find it otherwise.

Thanks,

yatin

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: