AAA Local with Privilege Levels

Similar Messages

• Username with privilege level 15 bypass enable

  Hi experts,
  I guess I never really understand the authentication process on Cisco routers and devices lol. Anyway I want users with privilege level 15 to be put in the enable mode right away after login without having to type in "enable" command and enable password. Users with other privilege levels will still be put in the EXEC mode.
  AAA has to be enabled because I'm using it for 802.1x as well.
  The privilege level eventually will be assigned by Radius server but right now the user is created locally on the switch. Right now I have:
  aaa new-model
  username admin privilege 15 secret 5 $1$2bdl$VIp53G4/zpo4f9aHh.t5v0
  username cisco secret 5 $1$NGdD$ehTUzwappJFMxgA7tM/YW.
  line vty 0 5
  access-class 100 in
  exec-timeout 30 0
  logging synchronous
  transport input ssh
  And it's not working lol. No matter I log in with "admin" or "cisco" I'm put in EXEC mode... What do I have to do to achieve this?
  Thanks!

  Hi,
  The with default keyword authorization will get applied on all the lines i.e. CONSOLE, VTY, AUX.
  In case you want it for users who are trying to login to via ssh or telnet use the following:
  EXEC AUTHORIZATION
  Router
  router(config)#aaa authorization exec TEL GRoup radius local
  router(config)#line vty 0 15
  router(config-line)#authorization exec TEL
  ACS
  Interface configuration
  Check  user & group for cisco av-pair.
  User setup à cisco ios/pix 6.x radius attributes àcisco av-pair [ shell:priv-lvl=15]
  OR
  Group setup à ios/pix 6.x radius attributes à shell:priv-lvl=15
  In case of radius if exec authorization is enabled  and if have not specified any privilege level in the ACS server. Then user will fall under the privilege level 1 and if enable authentication is enabled  or enable password is defined  on the router then we can go to enable mode by typing en or en
  Regards,
  Anisha
  P.S.: please mark this thread as resolved if you think your query is answered.

• Not able to login with privilege levels

  Hi,
     i have created privilege levels in cisco switch especially level 7 if i login with that username and password ,after typing privilege mode password it is going to level 15.... what is the problem ........
  commnads i configured is :
  # username cisco level 7 password cisco
  #enable secret cisco
  ............please help me where i have gone wrong

  Hi, What model/IOS version that you use?
  Rating useful replies is more useful than saying "Thank you"

• Create users radius with privilege levels

  hello
  i have a question.. i want to build a test network with some switches and routers
  but i want to be able to control the users..
  and with control i mean, don't let them to be able to delete the flash: or to delete some nat translations.
  is there a way to do this? and i going to use of a windows server 2008 R2 with radius
  thanks allot

  Hi,
  This link answers your question.
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
  aaa authori command is not reqd.
  Regards,
  ~JG
  Do rate helpful posts

• ACS with RSA for privilege level 'enable' authentication

  Has anyone experienced problems with privilege level "Enable" password authentication via ACS using RSA two factor authentication? We have recently deployed ACS and use RSA two factor authentication for the telnet connection without any problems. When configuring the networking device and ACS to use RSA for the privelledge level authentication "enable" this fails. We get prompted to enter the token code and the RSA server indicates that authentication is succesful however the network device (ASA or switch) seems to reject it.
  Are there any tricks to this?
  Thanks in advance!

  David
  Like Collin the first thing that I think of is that you can not use the same token code to authenticate enable mode that was used to authenticate user mode. Beyond that I am not aware of things that should prevent this working. Are you sure that the ACS authentication server is configured to allow that user access to privilege mode?
  Perhaps it would be helpful if you would post the config (especially all the aaa related parts) of a device that is having that problem. And it might help find the issue if you would run debug for authentication, try to login to enable mode, and post the output.
  HTH
  Rick

• Privilege level - ASDM

  Hi,
  I have defined on the RADIUS server a profile with privilege level 0 with the
  "shell:priv-lvl=0" command on the server. The problem is that when
  the user logs into the firewall it is always given privilege level 1 (if SSH)
  or 15 (if ASDM).
  The AAA configuration on the firewall is the following:
  aaa-server RADIUS protocol radius
  aaa-server RADIUS (outside) host x.x.x.x
  retry-interval 1
  key *
  authentication-port 8812
  accounting-port 8813
  aaa authentication http console RADIUS LOCAL
  aaa authentication ssh console RADIUS LOCAL
  aaa authentication enable console RADIUS LOCAL
  Can you tell me what I need to do to authenticate using RADIUS, but assigning
  the correct privilege levels?
  I have been refered to bug ID CSCsh17346, but although i've updated the image to 7.2.2.22 it still does not work.
  Thanks in advance.
  (in attachment is the output of the radius debug).

  Hi Paulo,
  What I think is, you are looking for something like this,
  Limiting User CLI and ASDM Access with Management Authorization:
  http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_80/conf_gd/sysadmin/mgaccess.htm#wp1070306
  Go through what setting with what protocol, will give you what level of access. This might help.
  And what you originally looking for is, might be related to this,
  Configuring Command Authorization
  http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_80/conf_gd/sysadmin/mgaccess.htm#wp1042034
  Go through complete heading, but to be specific interesting part is "Configuring Local Command Authorization"
  Above links worth a read.
  This might help.
  Regards,
  Prem

• Filtering in Privilege level !!

  Hi all. I am not using AAA. Just using privilege command to move commands between levels. now my question is simple. I want to assign level 2 to my user admin. And he can ONLY run sh interfaces. No other command ( this includes the default set of command coming with privilege level 2) shouldnt be allowed. The user can only run sh interfaces and thats it. Kindly tell me how to do it
  1) without AAA, using privilege commands
  2) with AAA using local authorization.
  Thanks in advance, kindly guide me

  This link should work for both.
  http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_sec_4cli_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1184620
  Hope that helps.

• AAA Authorization with ACS Shell-Sets

  Hi all,
  I am using a cisco 871 router running Version 12.4(11)T advanced IP Services.
  I am having trouble getting AAA Authorization to work correctly with ACS.
  I am able to set the users up on ACS fine and assign them shell and priv level 7.
  I then setup a Shell Auth Set, and enter in the commands show and configure.
  When I log in as a user, I get an exec with a priv level of 7 no problems, but I never seem to be able
  to access global config mode by typing in conf (or configure) terminal or t.
  If I type con? the only command there is connect, configure is never an option...
  The only way I can get this to work is by entering the command:
  privilege exec level 7 configure terminal
  I thought the whole purpose of the ACS Shell Set was to provide this information to the Router?
  This is most frustrating
  The ACS Server is set up with a Shell Command Authorization Set named Level_7
  It is assigned to the relevant groups and I even have the "Unmatched Commands" option selected to "Permit"
  The "Permit Unmatched Args" is also selected.
  See an excerpt of my IOS config below:
  aaa new-model
  aaa group server tacacs+ ACS
  server 10.90.0.11
  aaa authentication login default group ACS local
  aaa authorization exec default group ACS
  aaa authorization commands 7 default group ACS local
  tacacs-server host 10.90.0.11 key cisco
  privilege exec level 7 configure terminal
  privilege exec level 7 configure
  privilege exec level 7 show running-config
  privilege exec level 7 show
  Hope you can help me with this one..
  P.s I have tried it with the privilege commands on the router and removed from the router and just keep getting the same results!?

  Hi,
  So here it is,
  You are actually using two different options and trying to couple then together. What I would suggest you is either use Shell command authorization set feature or play with privilege level. Not both mixed together.
  Above scenario might work, if you move commands to privilege level 6 and give user privilege level 7. It might not sure. Give it a try and share the result.
  This is what I suggest the commands back to normal level.
  Below provided are steps to configure shell command authorization:
  Follow the following steps over the router:
  !--- is the desired username
  !--- is the desired password
  !--- we create a local username and password
  !--- in case we are not able to get authenticated via
  !--- our tacacs+ server. To provide a back door.
  username password privilege 15
  !--- To apply aaa model over the router
  aaa new-model
  !--- Following command is to specify our ACS
  !--- server location, where is the
  !--- ip-address of the ACS server. And
  !--- is the key that should be same over the ACS and the router.
  tacacs-server host key
  !--- To get users authentication via ACS, when they try to log-in
  !--- If our router is unable to contact to ACS, then we will use
  !--- our local username & password that we created above. This
  !--- prevents us from locking out.
  aaa authentication login default group tacacs+ local
  aaa authorization exec default group tacacs+ local
  aaa authorization config-commands
  aaa authorization commands 0 default group tacacs+ local
  aaa authorization commands 1 default group tacacs+ local
  aaa authorization commands 15 default group tacacs+ local
  !--- Following commands are for accounting the user's activity,
  !--- when user is logged into the device.
  aaa accounting exec default start-stop group tacacs+
  aaa accounting system default start-stop group tacacs+
  aaa accounting commands 0 default start-stop group tacacs+
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  Configuration on ACS
  [1] Goto 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'
  Provide any name to the set.
  provide the sufficent description (if required)
  (a) For Full Access administrative set.
  In Unmatched Commands, select 'Permit'
  (b) For Limited Access set.
  In Unmatched commands, select 'Deny'.
  And in the box above 'Add Command' box type in the main command, and in box below 'Permit unmatched Args'. Provide with the sub command allow.
  For example: If we want user to be only able to access the following commads:
  login
  logout
  exit
  enable
  disable
  show
  Then the configuration should be:
  ------------------------Permit unmatched Args--
  login permit
  logout permit
  exit permit
  enable permit
  disable permit
  configure permit terminal
  interface permit ethernet
  permit 0
  show permit running-config
  in above example, user will be allowed to run only above commands. If user tries to execute 'interface ethernet 1', user will get 'Command authorization failed'.
  [2] Press 'Submit'.
  [3] Goto the group on which we want to apply these command authorization set. Select 'Edit Settings'.
  (cont...)

• Unable to connect on WLSE with account level 15

  Hi,
  All user configured on WLSE are configured with privilege level 0.
  When I try to connect on WLSE via Telnet I just can do a ping, traceroute,debug or a show command.
  Via Http : Admin->User Admin->Manage User
  I can just set CLI Access to none or Level 0.
  Role of my user is set to "System admin"
  Is it possible to change Level privilege to 15 or to create a new user with level privilege 15 ?
  For your information version of WLSE is WLSE-2.11FCS.
  Thanks for your comment.

  Thanks for your reply rmushtaq,
  In fact, my problem is that the user admin don't have privilege level 15. He's configured with privilege level 0.
  And when I want to create a new user, I can't set privilege level 15.
  When I try to do a telnet with the user "admin" on WLSE I can't use all CLI commands. I just can use show, ping and traceroute.

• Aaa radius server control privilege level

  I've got radius authentication working on my switch, but I'm trying to allow two types of users login using Windows Active Directory. NetworkUsers who can view configuration and NetworkAdmins who can do anything. I would like for NetworkAdmins to when they login go directly into privilege level 15 but cant get that part to work. Here is my setup:
  Windows 2008 R2 Domain controller with NPS installed.
  Radius client: I have the IP of the switch along with the key. I have cisco selected under the vendor name in the advance tab
  Network Policies:
  NetworkAdmins which has the networkadmin group under conditions and under settings i have nothing listed under Standard and for Vendor Specific i have :
  Cisco-AV-Pair    Cisco    shell:priv-lvl=15
  My switch config:
  aaa new-model
  aaa group server radius MTFAAA
   server name dc-01
   server name dc-02
  aaa authentication login NetworkAdmins group MTFAAA local
  aaa authorization exec NetworkAdmins group MTFAAA local
  radius server dc-01
   address ipv4 10.0.1.10 auth-port 1645 acct-port 1646
   key 7 ******
  radius server dc-02
   address ipv4 10.0.1.11 auth-port 1645 acct-port 1646
   key 7 ******
  No matter what i do it doesnt default to privilege level 15 when i login. Any thoughts

  Have you specified the authorization exec group under line vty? I think it is authorization exec command. Something like that.

• PRIVILEGE LEVELS FOR ACS WITH AD DATABASE

  How do I configure two separate privilige levels for two groups. These groups exist in the AD database i.e. my ACS (Pri & Backup) are looking in AD for authentication.

  Hi ,
  If you are using TACACS ,
  Bring users/groups in at level needed
  1. Go to user or group setup in ACS
  2. Drop down to "TACACS+ Settings"
  3. Place a check in "Shell (Exec)"
  4. Place a check in "Privilege level" and enter " priv "(1 to 15) in the adjacent field
  If you are using RADIUS,
  aaa new-model
  aaa authentication login default group radius local
  aaa authorization exec default group radius local
  radius-server host X.X.X.X key XXXX
  Following is the configuration required in the Radius Server
  The AV pair in the ACS -->group setup--> IETF RADIUS Attributes
  [006] Service-Type = Login
  /* Following is for getting the user straight in privledge mode */ to set priv 15
  The AV pair in Cisco IOS/PIX RADIUS Attributes
  [009\001] cisco-av-pair = shell:priv-lvl=15
  For more information on above commands, please refer to the following link :-
  http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsec
  ur_c/fsaaa/index.htm
  Please try the above and let me know if this helps.
  Thanks

• AAA & Privilege Levels on Console Session

  While configuring users with different privilege levels and using AAA, we've found that the privilege level when logging in via console port will always be level 1, whereas with telnet we're able to log in directly into levels 0 and 2 thru 15. Has anyone experienced this or have an explanation as to why this happens?
  TIA.

  Console port authorization was not added as a feature until Bug ID CSCdi82030 was implemented. Console port authorization is off by default to lessen the likelihood of accidentally being locked out of the router. If a user has physical access to the router via the console, console port authorization is not extremely effective. However, for images in which Bug ID CSCdi82030 has been implemented, console port authorization can be turned on under line con 0 with the hidden command aaa authorization console in config mode.
  If you turn on debug aaa authorization and log into console you will see there is no AAA kicked in.
  R/Yusuf

• Network User with Local Admin Privileges?

  I have a small network (around 25 clients total) that was setup prior to my arrival. Each client has its own unique local admin (each machine was setup by the individual user) and it's become somewhat daunting to support them.
  All of the machines are connected (but not specifically bound) to an Open Directory and each is accessible via Remote Desktop, however I cannot push software updates, etc. without local admin privileges.
  I'd rather not create an account on each machine, nor do I want to completely lock down each computer (I'd like them to still have the flexibility to be admins so they can install apps, etc.)
  Is it possible to authenticate against OD and obtain local admin privileges?

  Yes.
  You can wipe all account information and then recreate a common initial admin account. This will make administration far easier as all machines will have the same admin username/password combination. Next, bind all of the systems to the domain and create domain accounts for all users on the server (likely already exist). Log in as the domain accounts and migrate permissions to domain ids. Finally, promote the user to the local admin group through System Preferences > Accounts on the workstation. You must enable the account as a mobile account in Workgroup Manager first. If you do not, the account will not cache to the workstation and you will be unable to add it to the admin group.
  Also, in a workgroup of 25, I would recommend rethinking the decision to grant local admin access to end users. This is asking for trouble as you will have no control over when updates are applied or even if they are. In theory (and probably in practice), you will have 25 completely different machines configurations. This is far harder to manage and troubleshoot than 25 systems with different admin accounts.
  If you must provide some level of autonomy, while not trivial, you might want to consider modifying /etc/authorization and granting limited admin rights to the users.
  Hope this helps - congrats on the opportunity

• Enable aaa accounting commands for all privilege levels?

  Here is the command's syntax:
  aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group groupname
  The "command" accounting type must include the privilege level of the commands you are logging. How do I log ALL commands?
  Take the following example:
  aaa accounting commands 15 default start-stop group mygroup
  If I issue this command will that mean commands the user executes that have a privilege level lower than 15 will not be logged? Or only commands that require exactly privilege level 15 will be logged?
  How can I log all commands regardless of privilege level?

  Hi Red,
  If you customize the command privilege level using the privilege command, you can limit which commands the appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
  The default privilege level is 0. So if you don't specify any privilege level then all should be accounted for.
  You can find the command detail at. This is for ASA though.
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/a1.html#wp1535253
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• Tacacs AAA and privilege level 7

  I've setup a group on tacacs server called acsrestricted and mapped it to AD security group. I've set this group to privilege level 7 on tacacs server.
  I need this group to view the "show run" config on a router. Privilege level 7 allows the user to use some other show commands but not "show run". How can i configure this on tacacs?

  Michael
  I am not sure that I am understanding your post correctly. As I understand it you have created a group for some users who would operate at privilege level 7. I gather that this works and that users in this group do authenticate and are assigned to privilege level 7. You say that some show commands are assigned to them but not the show run command. This would seem to be simple to solve - you make sure that show with a parameter of run is assigned to them. But there is something not simple that makes this not work. Part of the Cisco implementation of privilege levels is that in show run a user can not view any parameter that they do not have permission to change.
  Perhaps it might work for your situation if you give those users access to show config. show config does not have the same restriction as show run.
  HTH
  Rick
  Sent from Cisco Technical Support iPad App