Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

How to create privilege AAA for username

I do not have any ACS server but would like to create 3 usernames for access to certain list of IOS commands in CISCO IOS ver 12.0 using AAA-model. I tried using CISCO search engine but without much success. Appreciate any available tips to help me to configure 3 different users with different privilege in the router.

username xxxxx password xxxx privilege 5

In addition, is there any means in the IOS to facilitate changing of password upon logging into the router ?

Thanks/Francis

3 REPLIES
Cisco Employee

Re: How to create privilege AAA for username

The following URL includes the information you need regarding the privilege levels:

http://www.cisco.com/en/US/customer/tech/tk648/tk367/technologies_tech_note09186a008009465c.shtml

hope this helps,

-Nairi

New Member

Re: How to create privilege AAA for username

Here is an example of using 3 separate levels, MAKE sure you create the usernames first. I like to disable AAA on the console port also, since this is an element of physical security in most cases. If someone has physical access, they can still do a password recovery but this depends on your security requirements.

You must first log out, and then log back into the router following the inclusion of the aaa authorization commands 15 local if-authenticated command.

Syntax may vary somewhat on the AAA commands depending on your version.

username rtr_low privilege 1 password xxxxxxx

username rtr_med privilege 7 password xxxxxxx

username rtr_super privilege 15 password xxxxxx

aaa new-model

aaa authentication login default local enable

aaa authentication login NO_AUTHEN none

aaa authorization exec default local if-authenticated

aaa authorization exec NO_AUTHOR none

aaa authorization commands 15 NO_AUTHOR none

aaa authorization commands 1 local if-authenticated

aaa authorization commands 5 local if-authenticated

aaa authorization commands 15 local if-authenticated

line con 0

authorization commands 15 NO_AUTHOR

authorization exec NO_AUTHOR

login authentication NO_AUTHEN

Now you have created 3 sets of command authorization for all users. If you notice, priv 15 users will be taken into priv level 15 automatically without having to enable. This is part of EXEC authorization.

Privilege level 1 and 15 commands are already configured in IOS. You will have to set the level of commands for privilege 5 yourself with this command:

privilege-exec level 5

So to change the level of "sh run" from 15 to 5:

privilege-exec level 5 show running config

Use this to custom configure any of your other commands depending on your requirements.

Hope this helps...

New Member

Re: How to create privilege AAA for username

Thanks for the good tips & it works great..Again, many thanks../Francis

99
Views
8
Helpful
3
Replies
CreatePlease to create content