07-04-2003 11:10 AM - edited 03-10-2019 07:23 AM
I work in a facility that has some strict access control requirements. I am looking for a way to log into a Cisco router that requires two usernames and passwords to access the privilege level. Does anyone know of any way to do this? I can't seem to find anything that could do this.
07-04-2003 11:30 AM
Hi James,
Here's a sample config that implements the AAA authorization locally on the router;
Create the local user database as follows:
username superuser privilege 15 password super aaa new-model
aaa authentication login default local
aaa authorization exec default local
username supertwo privilege 15 password supertwo
If you are implementing a (AAA) Radius or TACACS+ server, you will change the config to the below and have the users defined on the AAA server
aaa new-model
aaa authentication login default group tacacs local
aaa authorization exec default group tacacs local
replace tacacs with radius in the above commands if using tacacs.
Hope this helps a bit.
Thanks,
yatin
07-04-2003 11:53 AM
Hi Yatin,
Thanks for you reply. I'm not sure it's exactly what I'm looking for. Perhaps I should give an example to clarify:
-A user connects to the router or switch, by vty or console.
-The user enters his username and password (i.e. 'user1' and 'pass1')
-At this point the user can do regular commands that are allowed for the exec level, but not privileged level commands.
-When the user wants to switch to privileged exec mode, he should not be able to do this himself. He should require another user login as well (i.e. 'user2' and 'pass2'). Then privileged level access is allowed.
-The reverse is also true. If user2 logs in, he does not have privileged level access and requires user1 to also log in.
The above situation requires that two people must agree before privileged level is reached. It is like requiring two people to agree before launching a nuclear missile, etc. As I mentioned, our access control requirements are very strict.
James
07-04-2003 01:11 PM
Hi James,
Ok,here's how you can setup privilege levels for different users,
aaa new-model
aaa authentication login default [group] local
aaa authorization exec default [group] local
Make sure to create the local user database as follows:
username abc privilege 0 password abc
username xyz privilege 1 password xyz
username special privilege 5 password special
username superuser privilege 15 password super
With the above setup, user abc can execute only disable, enable, exit, help, and logout commands.
User xyz can execute all the level 0 and level 1 commands.
User superuser can execute all the commands on the router.
On the router these are the 3 level of default commands:
-privilege level 0 includes the disable, enable, exit, help, and logout commands
- privilege level 1 normal level on Telnet; includes all user-level commands at the router> prompt
- privilege level 15 includes all enable-level commands at the router#
prompt
Now based on your requirement, you can create a priv level bewteen 2-14 and assign any priv level 15 commands (level 0 and 1 would be inherited by default). Here is an example:
With this, user six is only able to execute all the level 0 & 1 commands. If the user need to execute "config t" on the router, he has to add the following line to add this level 15 commans to level 6.
privilege exec level 5 configure terminal
privilege exec level 5 gatekeeper
privilege exec level 5 write memory
thanks,
yatin
07-04-2003 01:26 PM
James,
As for the last part, there is no feature like the 2-login authorization. Will let you know' if I find it otherwise.
Thanks,
yatin
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: