09-28-2018 01:29 PM - edited 02-21-2020 11:01 AM
I'm trying to understand what the difference is between the two commands above. I have created two local users on my router, one with privilege level 15 and the other with privilege level 7. Then I deployed 'aaa authorization commands 15' and 'aaa authorization commands 1'. I tested my config using both users, and although they had different levels set, I could get to all commands with both user accounts until I added the 'aaa authorization exec' command, and that fixed the issue. Now it seems to me that users with different privilege levels don't work until we configure 'aaa authorization exec', but my question is: what's the point of configuring aaa authorization commands then?
I had a very basic aaa config on my router:
aaa new-model
aaa authentication login default group tacacs+ group radius local
aaa authentication enable default none
aaa authorization config-commands
aaa authorization exec default local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
username lele privilege 15 password 7 023F05480A0B062F6C1F504151
username admin privilege 3 password 7 033D5A18070228426E58405D43
09-28-2018 02:22 PM
commands - Runs authorization for all commands at the specified privilege level.
exec - Runs authorization to determine if the user is allowed to run an EXEC shell. This facility might return user profile information such as autocommand information.
Privilege level 0 — includes the disable, enable, exit, help, and logout commands.
Privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
Privilege level 15 — includes all enable-level commands at the router# prompt.
09-30-2018 12:00 PM
09-30-2018 06:54 PM
To authorize administrative sessions at differentiated levels, you have to use the exec service.
When EXEC authorization has been enabled, the device will send a TACACS+ authorization request to the AAA server immediately after authentication to check whether the user is allowed to start an administrative session.
Without it, the device cannot distinguish between the authorization levels allowed for the various users' privilege levels. If you only have a single privilege level then "aaa authorization" alone suffices.
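The local-only version of what the reply describes, as an added example that is not from the thread: EXEC authorization makes the device apply each local user's configured privilege level to the session, command authorization then checks every command against that level, and authenticating enable (instead of the thread's 'aaa authentication enable default none') stops a level 7 user from reaching level 15 with a bare 'enable'. Usernames, secrets and the two re-levelled commands are assumptions for illustration.

```cisco
! Added example, not the original poster's config.
aaa new-model
aaa authentication login default local
! The thread used "aaa authentication enable default none", which lets any
! logged-in user reach level 15 with a bare "enable"; require the enable secret.
enable secret EXAMPLE-ENABLE-SECRET
aaa authentication enable default enable
! EXEC authorization: the device looks up the user after login and starts the
! session at that user's privilege level. Without this line the per-user
! "privilege N" is not applied and the levels below cannot be told apart.
aaa authorization exec default local
! Command authorization: each command typed is checked against the level of the
! session that EXEC authorization established. On its own it cannot distinguish users.
aaa authorization config-commands
aaa authorization commands 7 default local
aaa authorization commands 15 default local
! Two local users at different levels (hypothetical names and secrets).
username netops privilege 15 secret EXAMPLE-ONLY-1
username helpdesk privilege 7 secret EXAMPLE-ONLY-2
! Move a few level-15 commands down to level 7 so the helpdesk user gets only those.
privilege exec level 7 show running-config
privilege exec level 7 clear counters
! Management lines use the lists above and accept SSH only.
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
```

After this, logging in as helpdesk lands directly at the level 7 prompt, and "show running-config" works there while "configure terminal" is refused.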
10-01-2018 04:12 PM
many thanks.
Is there any lab that you could refer me to so I could understand this better? I also have configured RBAC and assign the view to a user:
username test1 view test secret TEST123
parser view test
secret TEST123
commands exec include show version
commands configure include all interface
When I SSH to my router using the test1 username, unless I type 'enable view test', I have access to all commands!
What I'm trying to achieve is to have different users and control what access each of them has.
many thanks
10-02-2018 12:09 AM
Most people accomplish this on their ACS or ISE AAA server. For that, you can see some good videos on labminutes. For example: