Cisco privilege levels

Similar Messages

• Cisco - Privilege level is always 15

  I'm using RADIUS for the AAA process.
  When I was running IOS 12.2 on routers everything was fine, but after upgrading to IOS Version 12.4(12) users gets always priv-lvl 15 regardless
  what I set in RADIUS profile for the user.
  I don't understand why router is processing CISCO-AV pair priv-lvl=y two times. And, why in the newest version the CISCO-AV pair priv-lvl=(value defined in RADIUS) came first?
  IOS 12.2
  Aug 19 15:09:17.926: AAA/AUTHOR/EXEC(0000059A): processing AV priv-lvl=15
  Aug 19 15:09:17.926: AAA/AUTHOR/EXEC(0000059A): processing AV priv-lvl=1
  Aug 19 15:09:17.926: AAA/AUTHOR/EXEC(0000059A): Authorization successful
  IOS 12.4(12)
  Aug 19 15:09:17.926: AAA/AUTHOR/EXEC(0000059A): processing AV priv-lvl=1
  Aug 19 15:09:17.926: AAA/AUTHOR/EXEC(0000059A): processing AV priv-lvl=15
  Aug 19 15:09:17.926: AAA/AUTHOR/EXEC(0000059A): processing AV service-type=6
  Aug 19 15:09:17.926: AAA/AUTHOR/EXEC(0000059A): Authorization successful
  Thanks,
  VA

  debugging:
  - radius
  - aaa authentication
  - aaa authorization
  Aug 30 17:03:54.986: AAA/BIND(000005CE): Bind i/f 
  Aug 30 17:03:54.986: AAA/AUTHEN/LOGIN (000005CE): Pick method list 'default'
  Aug 30 17:03:54.986: RADIUS/ENCODE(000005CE): ask "Username: "
  Aug 30 17:03:54.986: RADIUS/ENCODE(000005CE): send packet; GET_USER
  Aug 30 17:03:57.838: RADIUS/ENCODE(000005CE): ask "Password: "
  Aug 30 17:03:57.842: RADIUS/ENCODE(000005CE): send packet; GET_PASSWORD
  Aug 30 17:04:01.635: RADIUS/ENCODE(000005CE):Orig. component type = EXEC
  Aug 30 17:04:01.635: RADIUS:  AAA Unsupported Attr: interface         [157] 6  
  Aug 30 17:04:01.635: RADIUS:   74 74 79 34                                      [tty4]
  Aug 30 17:04:01.635: RADIUS/ENCODE(000005CE): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
  Aug 30 17:04:01.635: RADIUS(000005CE): Config NAS IP: xxx.xxx.xxx.xxx
  Aug 30 17:04:01.635: RADIUS/ENCODE(000005CE): acct_session_id: 1486
  Aug 30 17:04:01.635: RADIUS(000005CE): sending
  Aug 30 17:04:01.635: RADIUS(000005CE): Send Access-Request to xxx.xxx.xxx.xxx:1812 id 1645/241, len 87
  Aug 30 17:04:01.635: RADIUS:  authenticator E7 CE FD C8 3D 37 01 CC - 2E A4 D5 BD 8E 27 F4 43
  Aug 30 17:04:01.635: RADIUS:  User-Name           [1]   8   "test"
  Aug 30 17:04:01.635: RADIUS:  User-Password       [2]   18  *
  Aug 30 17:04:01.635: RADIUS:  NAS-Port            [5]   6   451                      
  Aug 30 17:04:01.635: RADIUS:  NAS-Port-Id         [87]  8   "tty451"
  Aug 30 17:04:01.635: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  Aug 30 17:04:01.635: RADIUS:  Calling-Station-Id  [31]  15  "xxx.xxx.xxx.xxx"
  Aug 30 17:04:01.635: RADIUS:  NAS-IP-Address      [4]   6   xxx.xxx.xxx.xxx           
  Aug 30 17:04:01.647: RADIUS: Received from id 1645/241 xxx.xxx.xxx.xxx:1812, Access-Accept, len 50
  Aug 30 17:04:01.647: RADIUS:  authenticator B1 55 52 0D EB 66 01 C2 - 98 E0 7E 17 93 36 0D D2
  Aug 30 17:04:01.647: RADIUS:  Service-Type        [6]   6   Administrative            [6]
  Aug 30 17:04:01.647: RADIUS:  Vendor, Cisco       [26]  24 
  Aug 30 17:04:01.647: RADIUS:   Cisco AVpair       [1]   18  "shell:priv-lvl=1"
  Aug 30 17:04:01.647: RADIUS(000005CE): Received from id 1645/241
  Aug 30 17:04:01.647: AAA/AUTHOR/EXEC(000005CE): processing AV priv-lvl=1
  Aug 30 17:04:01.647: AAA/AUTHOR/EXEC(000005CE): processing AV priv-lvl=15
  Aug 30 17:04:01.647: AAA/AUTHOR/EXEC(000005CE): processing AV service-type=6
  Aug 30 17:04:01.647: AAA/AUTHOR/EXEC(000005CE): Authorization successful
  Aug 30 17:04:01.647: RADIUS/ENCODE(000005CE):Orig. component type = EXEC
  Aug 30 17:04:01.647: RADIUS(000005CE): Config NAS IP: xxx.xxx.xxx.xxx
  Aug 30 17:04:01.647: RADIUS(000005CE): sending
  Aug 30 17:04:01.647: RADIUS(000005CE): Send Accounting-Request to xxx.xxx.xxx.xxx:1813 id 1646/180, len 103
  Aug 30 17:04:01.647: RADIUS:  authenticator 68 53 1A 44 F0 5E 12 A5 - 99 6F 21 64 F3 F5 50 31
  Aug 30 17:04:01.647: RADIUS:  Acct-Session-Id     [44]  10  "000005CE"
  Aug 30 17:04:01.647: RADIUS:  User-Name           [1]   8   "test"
  Aug 30 17:04:01.647: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
  Aug 30 17:04:01.647: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
  Aug 30 17:04:01.647: RADIUS:  NAS-Port            [5]   6   451                      
  Aug 30 17:04:01.647: RADIUS:  NAS-Port-Id         [87]  8   "tty451"
  Aug 30 17:04:01.647: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  Aug 30 17:04:01.647: RADIUS:  Calling-Station-Id  [31]  15  "xxx.xxx.xxx.xxx"
  Aug 30 17:04:01.647: RADIUS:  Service-Type        [6]   6   NAS Prompt                [7]
  Aug 30 17:04:01.647: RADIUS:  NAS-IP-Address      [4]   6   xxx.xxx.xxx.xxx           
  Aug 30 17:04:01.647: RADIUS:  Acct-Delay-Time     [41]  6   0                        
  Aug 30 17:04:01.655: RADIUS: Received from id 1646/180 xxx.xxx.xxx.xxx:1813, Accounting-response, len 20
  Aug 30 17:04:01.655: RADIUS:  authenticator FE E4 75 AD 9E 1E 35 A9 - 1F 1D 5F B7 AD 4D AC EA

• Aaa radius server control privilege level

  I've got radius authentication working on my switch, but I'm trying to allow two types of users login using Windows Active Directory. NetworkUsers who can view configuration and NetworkAdmins who can do anything. I would like for NetworkAdmins to when they login go directly into privilege level 15 but cant get that part to work. Here is my setup:
  Windows 2008 R2 Domain controller with NPS installed.
  Radius client: I have the IP of the switch along with the key. I have cisco selected under the vendor name in the advance tab
  Network Policies:
  NetworkAdmins which has the networkadmin group under conditions and under settings i have nothing listed under Standard and for Vendor Specific i have :
  Cisco-AV-Pair    Cisco    shell:priv-lvl=15
  My switch config:
  aaa new-model
  aaa group server radius MTFAAA
   server name dc-01
   server name dc-02
  aaa authentication login NetworkAdmins group MTFAAA local
  aaa authorization exec NetworkAdmins group MTFAAA local
  radius server dc-01
   address ipv4 10.0.1.10 auth-port 1645 acct-port 1646
   key 7 ******
  radius server dc-02
   address ipv4 10.0.1.11 auth-port 1645 acct-port 1646
   key 7 ******
  No matter what i do it doesnt default to privilege level 15 when i login. Any thoughts

  Have you specified the authorization exec group under line vty? I think it is authorization exec command. Something like that.

• Privilege level 15 to ASA cli administrator via Radius

  Hello Friends!
  Is this supported yet on the ASA?  I want to be able to have radius assign privilege levels to firewall cli administrators.
  Upon login, I'd like them to be immediately be placed into "enabled mode" (without needing to know the local enable password).  I believe we can set the maximum privilege level the user can attain.  But for now, I simply want to have everyone go into priv level 15 without having to know the shared enable secret password.  Switching to tacacs isn't an option.
  I remember finding out a while back that this was not possible.  Please tell me this is now possible.  It's almost 2013.

  Thanks Marcin!
  Very interesting.  Now that you mention it, I do remember seeing someone use the login command after they had already logged in.  That's what they must have been doing.  I wonder what the thought process was in developing it this way.
  I suppose a few different ways around this are (since not everyone will know of this odd behavior and I'm not the only one logging in) to configure radius to authenticate users and then either:
  1.  Configure a MOTD banner that says "ATTENTION:  Type the command 'login', followed by your regular credentials AGAIN to be put into enable mode."
  or
  2.  Configure a MOTD banner that says "ATTENTION:  To gain enable mode privileges, type the command 'enable', followed by the password cisco.".
  Horrible idea?  Thoughts?
  // example of the second 'login' command working:
  ssh [email protected]
  [email protected]'s password:
  Warning!
  Warning!
  Type help or '?' for a list of available commands.
  fw1> ?
    clear       Reset functions
    enable      Turn on privileged commands
    exit        Exit from the EXEC
    help        Interactive help for commands
    login       Log in as a particular user
    logout      Exit from the EXEC
    no          Negate a command or set its defaults
    ping        Send echo messages
    quit        Exit from the EXEC
    show        Show running system information
    traceroute  Trace route to destination
  fw1> login
  Username: admin
  Password: *********
  fw1#
  fw1# sh run username
  username admin password encrypted privilege 15

• Change in privilege level for the command show logging

  I have recently discovered a change in behavior in IOS. The command show logging has traditionally been available at user level. Now it has become a privilege level 15 command.
  I thought that this was strange and opened a case with Cisco TAC about it. I was told that this is a new "feature" that was implemented for bugid CSCsl61281. Unfortunately this bugid is viewable by Cisco internally but not viewable by the public.
  The TAC engineer tells me that this change is integrated into these releases:
  This was integrated into the following releases:
  12.4(24.05.01)PIX11
  12.4(21.14.09)PIC01
  12.4(19.03)T
  12.2(52.23)SIN
  12.2(33)SXI01
  12.2(32.08.11)SX229
  12.2(32.08.11)SR174
  I do not think that this is a good change. If you do not think that this is a good change I suggest that you contact your Cisco support team and express your opinion about this change.
  Otherwise as you go to new versions of IOS be aware of the potential impact on your network monitoring processes and procedures that show logging will require level 15 privilege access.
  HTH
  Rick

  Hi Rick,
  Can you suggest me references to know more about privilege level commands?
  How to enable different commands for different levels of privileges?
  Thanks.
  -Sudhish

• Default Privilege Level for ASA users authenticated by Radius or TACACS when using ASDM

  Hello,
  I'm trying to figure out what the default privilege level is for users that are authenticated to the ASA via a remote authentication server when using the ASDM.
  the command "aaa authentication http console TACACS+ LOCAL" is used in the ASA config.
  The remote server is NOT setting any privilege levels for users.  There are also no aaa authorization commands present in the config.
  So what privilege level do the users receive when they login with the ASDM?  I'm being told that the users receive admin access which includes config write, reboot, and debug.  But I cannot find any documentation stating hte default level.
  Please advise.  And providing links to cisco documentation would be great too.
  Thanks,
  Brendan

  Hi Berendan,
  Hope the below exerpt from document clarifies your query. also i have provided the link to refer.
  About Authorization
  Authorization controls access per user after users authenticate. You can configure the security appliance to authorize the following items:
  •Management commands
  •Network access
  •VPN access
  Authorization controls the services and commands available to each authenticated user. Were you not to enable authorization, authentication alone would provide the same access to services for all authenticated users.
  If you need the control that authorization provides, you can configure a broad authentication rule, and then have a detailed authorization configuration. For example, you authenticate inside users who attempt to access any server on the outside network and then limit the outside servers that a particular user can access using authorization.
  The security appliance caches the first 16 authorization requests per user, so if the user accesses the same services during the current authentication session, the security appliance does not resend the request to the authorization server.
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/aaasetup.html
  Regards
  Karthik

• RSA SecurID authentication and privilege level

  Hello,
  I'm new working with Cisco ACS, learning by seat of pants; most of the documentation on Cisco's website is fairly cryptic and does not use many pictures. Therefore,I would appreciate some help setting up privileges. We have ACS v5.2 which I have set up using RSA SecurID and appears to be working correctly. However, I'm having problems with the privilege level when I access a router it lands me in user mode. I'm trying to set up a administrator group for the routers and switches to have each member dropped in privilege level 15, exec mode but I'm having difficulty doing this.
  Unfortunately, I'm unable to find any real useful information in reference to setting up RSA SecurID. It seems more of the information is geared around radius servers. Any help would be greatly appreciated. Thank you much!

  Hello.
  Remember AAA means authentication, authorization and accounting. In your case you authenticate with RSA , but you authorize with ACS policies. For TACACS+ and traditional IOS from routers and switches you can use a ACS policy element called "shell profile" which you can use to specify some attributes like privilege level. Then you can use the "shell profile" to create an authorization policy.
  I'm attaching some screenshots. In this example I'm using AD instead of RSA because I don't have a RSA available. Please rate if it helps.

• Create a privilege level that only allows access to show commands

  Hi,
  I would like to create a privilege level that would only give access to the show commands for certain users. What would be the best way to do this?
  Would I have to use the privilege mode level level command for every available show command or is there a more efficient way of doing this?
  In addition, could we manage such a privilege level from a Radius Server.
  Thanks for your help
  Stéphane

  Well, I think the best way to achive this is to use TACACS with command authorization feature.
  Configuration on the tacacs server ( only for show commands, read only access)
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario2
  These commands are required on an IOS router or switch in order to implement command authorization through an ACS server:
      aaa new-model
      aaa authorization config-commands
      aaa authorization commands 0 default  group tacacs+ local
      aaa authorization commands 1 default  group tacacs+ local
      aaa authorization commands 15 default group tacacs+ local
       tacacs-server host 10.1.1.1
       tacacs-server key cisco123
  These commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:
      aaa-server authserver protocol tacacs+
      aaa-server authserver host 10.1.1.1
      aaa authorization command authserver
  However, if you strictly want to use radius server then please try the below listed attribute for a single user or group.
  Service-Type = NAS Prompt
  http://www.ietf.org/assignments/radius-types/radius-types.xml#radius-types-4
  This might not work for ASDM.
  HTH
  Regards,
  Jatin
  Do rate helpful posts-

• Username with privilege level 15 bypass enable

  Hi experts,
  I guess I never really understand the authentication process on Cisco routers and devices lol. Anyway I want users with privilege level 15 to be put in the enable mode right away after login without having to type in "enable" command and enable password. Users with other privilege levels will still be put in the EXEC mode.
  AAA has to be enabled because I'm using it for 802.1x as well.
  The privilege level eventually will be assigned by Radius server but right now the user is created locally on the switch. Right now I have:
  aaa new-model
  username admin privilege 15 secret 5 $1$2bdl$VIp53G4/zpo4f9aHh.t5v0
  username cisco secret 5 $1$NGdD$ehTUzwappJFMxgA7tM/YW.
  line vty 0 5
  access-class 100 in
  exec-timeout 30 0
  logging synchronous
  transport input ssh
  And it's not working lol. No matter I log in with "admin" or "cisco" I'm put in EXEC mode... What do I have to do to achieve this?
  Thanks!

  Hi,
  The with default keyword authorization will get applied on all the lines i.e. CONSOLE, VTY, AUX.
  In case you want it for users who are trying to login to via ssh or telnet use the following:
  EXEC AUTHORIZATION
  Router
  router(config)#aaa authorization exec TEL GRoup radius local
  router(config)#line vty 0 15
  router(config-line)#authorization exec TEL
  ACS
  Interface configuration
  Check  user & group for cisco av-pair.
  User setup à cisco ios/pix 6.x radius attributes àcisco av-pair [ shell:priv-lvl=15]
  OR
  Group setup à ios/pix 6.x radius attributes à shell:priv-lvl=15
  In case of radius if exec authorization is enabled  and if have not specified any privilege level in the ACS server. Then user will fall under the privilege level 1 and if enable authentication is enabled  or enable password is defined  on the router then we can go to enable mode by typing en or en
  Regards,
  Anisha
  P.S.: please mark this thread as resolved if you think your query is answered.

• Enable aaa accounting commands for all privilege levels?

  Here is the command's syntax:
  aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group groupname
  The "command" accounting type must include the privilege level of the commands you are logging. How do I log ALL commands?
  Take the following example:
  aaa accounting commands 15 default start-stop group mygroup
  If I issue this command will that mean commands the user executes that have a privilege level lower than 15 will not be logged? Or only commands that require exactly privilege level 15 will be logged?
  How can I log all commands regardless of privilege level?

  Hi Red,
  If you customize the command privilege level using the privilege command, you can limit which commands the appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
  The default privilege level is 0. So if you don't specify any privilege level then all should be accounted for.
  You can find the command detail at. This is for ASA though.
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/a1.html#wp1535253
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• Ise and switch authentication and privilege level

  Hi Guys,
  I'm working on an eval on vmware. I have got everything working for wlan authentication and I’m working on shell authentication for switches. On the ACS you have the possibility to give the user privilege level on the switch. You can do this with shell profiles in ACS.
  Is there a way to get this done in ISE? I was thinking to make a result policy elements but I can't find a shell profile or privilege attributes like in ACS.
  For the record, switch authentication is working with Active Directory. I only need to know how to give the right return attribute.
  I appreciate any help!
  Sander

  @Sander,
  You were in the right area. 
  Policy->Results->Authorization->Authorization Profiles.
  Create AuthZ profile for Access-Accept and Under the Advanced Attributes Settings you can use:
  Cisco:cisco-av-pair = shell:priv-lvl=15
  or whatever privilege level you want to assign.
  On your AuthZ rule, match the conditions and apply the created profile.

• Assigning privilege level using Radius

  I'm trying to assigned a privilege level on a Cisco router via Radius. I'm using the Cisco Secure ACS (Windows 2K).
  I have set the privilege level to 15. But when I telnet to the router, I always get the router> prompt instead of the router# prompt.
  How can I configured the Radius/router so that when I get successfully authenticated, the router# prompt is shown.
  I've configured the router as below:
  aaa authentication login vtymethod group radius enable
  aaa authorization exec vtymethod group radius local
  radius-server host 202.x.x.195 auth-port 1645 acct-port 1646 key cisco
  line vty 0 4
  authorization exec vtymethod
  login authentication vtymethod
  On the Radius, I've configured as below:
  In the group settings for IETF Radius attributes, the Service-Type is set to Nas Prompt.
  Also in the group settings, I've checked the Cisco-av-pair with the following configured: shell:priv-lvl=15.
  Is there something I'm missing.
  Appreciate the help.
  Thanks.
  sweeann

  Hi
  Im curious... what is the perceived benefit of using RADIUS instead of TACACS+ ?
  Given that ACS supports both and that T+ is a superior protocol for device admin.
  I once heard someone mutter that T+ was proprietry... but all they were doing was sending (effectively) T+ av-pairs via a Cisco RADIUS VSAs. Not significantly different one could argue!

• Tacacs AAA and privilege level 7

  I've setup a group on tacacs server called acsrestricted and mapped it to AD security group. I've set this group to privilege level 7 on tacacs server.
  I need this group to view the "show run" config on a router. Privilege level 7 allows the user to use some other show commands but not "show run". How can i configure this on tacacs?

  Michael
  I am not sure that I am understanding your post correctly. As I understand it you have created a group for some users who would operate at privilege level 7. I gather that this works and that users in this group do authenticate and are assigned to privilege level 7. You say that some show commands are assigned to them but not the show run command. This would seem to be simple to solve - you make sure that show with a parameter of run is assigned to them. But there is something not simple that makes this not work. Part of the Cisco implementation of privilege levels is that in show run a user can not view any parameter that they do not have permission to change.
  Perhaps it might work for your situation if you give those users access to show config. show config does not have the same restriction as show run.
  HTH
  Rick
  Sent from Cisco Technical Support iPad App

• Assigning Privilege Level Thru RADIUS

  I'm using Microsoft IAS as my RADIUS server. We have a number of Cisco 2800 routers running the latest IOS which are also acting as VPN servers for our remote user connecting using their laptops via IPSec and Cisco VPN Client. How can I set the privilege level for the authenticated users so that the remote VPN users are given privilege level 0 and the Administrators are given privilege level 15, so they can login to routers and manage them.

  Prem
  Thanks for attaching a very interesting document. worth the 5 rating.
  HTH
  Rick

• Privilege level - ASDM

  Hi,
  I have defined on the RADIUS server a profile with privilege level 0 with the
  "shell:priv-lvl=0" command on the server. The problem is that when
  the user logs into the firewall it is always given privilege level 1 (if SSH)
  or 15 (if ASDM).
  The AAA configuration on the firewall is the following:
  aaa-server RADIUS protocol radius
  aaa-server RADIUS (outside) host x.x.x.x
  retry-interval 1
  key *
  authentication-port 8812
  accounting-port 8813
  aaa authentication http console RADIUS LOCAL
  aaa authentication ssh console RADIUS LOCAL
  aaa authentication enable console RADIUS LOCAL
  Can you tell me what I need to do to authenticate using RADIUS, but assigning
  the correct privilege levels?
  I have been refered to bug ID CSCsh17346, but although i've updated the image to 7.2.2.22 it still does not work.
  Thanks in advance.
  (in attachment is the output of the radius debug).

  Hi Paulo,
  What I think is, you are looking for something like this,
  Limiting User CLI and ASDM Access with Management Authorization:
  http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_80/conf_gd/sysadmin/mgaccess.htm#wp1070306
  Go through what setting with what protocol, will give you what level of access. This might help.
  And what you originally looking for is, might be related to this,
  Configuring Command Authorization
  http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_80/conf_gd/sysadmin/mgaccess.htm#wp1042034
  Go through complete heading, but to be specific interesting part is "Configuring Local Command Authorization"
  Above links worth a read.
  This might help.
  Regards,
  Prem