The AAA authorization

I'm trying to configure AAA authentication using "username xxxx privilege 15 password xxxxx". I would like to make sure that users with privilege level 15 go straight into enable mode, and users with privilege level 1 go directly to the read-only Router> prompt. Currently the only commands I have typed are:

username xxxx privilege 15 password xxxxx

aaa new-model

Do I need to configure anything else? I tried putting the privilege level under line vty, but then all users get that privilege level. I only want to use local AAA; I don't want to set up a RADIUS or TACACS+ server for this. Thanks in advance.

To use privilege levels, you need to set up both authentication and authorization. The following should do the trick for you:

username glenn privilege 15 password 0 cisco
username fred privilege 1 password 0 cisco
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local

Now if I connect:

> telnet 10.66.79.100
User Access Verification
Username: glenn
Password:
Router#sho priv
Current privilege level is 15
Router#q
>
> telnet 10.66.79.100
User Access Verification
Username: fred
Password:
Router>sho priv
Current privilege level is 1
Router>q
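A small config audit for the local-AAA setup described in the answer above, added here as an example (it is not code from the original thread); the function names and the two sample configs are constructed:

```python
"""Audit an IOS config for the local-AAA privilege setup the answer above
describes. Added example, not from the original thread; the function names
and the two sample configs below are constructed."""
import re

REQUIRED = ("aaa new-model", "aaa authentication login default local",
            "aaa authorization exec default local")

def parse_users(config):
    """Return {username: privilege}; IOS defaults a user to level 1."""
    users = {}
    for line in config.splitlines():
        m = re.match(r"\s*username\s+(\S+)(.*)", line)
        if m:
            priv = re.search(r"\bprivilege\s+(\d+)", m.group(2))
            users[m.group(1)] = int(priv.group(1)) if priv else 1
    return users

def vty_privilege_override(config):
    """Return N from 'privilege level N' under 'line vty', else None.
    That setting hands every vty session the same level regardless of
    the user, which is the symptom the asker ran into."""
    in_vty = False
    for line in config.splitlines():
        if line.startswith("line vty"):
            in_vty = True
        elif line and not line.startswith((" ", "!")):
            in_vty = False          # any other top-level command ends the block
        elif in_vty and (m := re.match(r"\s*privilege level (\d+)", line)):
            return int(m.group(1))
    return None

def audit(config):
    """Return findings; an empty list means the config matches the answer."""
    present = {l.strip() for l in config.splitlines()}
    findings = [f"missing: {cmd}" for cmd in REQUIRED if cmd not in present]
    lvl = vty_privilege_override(config)
    if lvl is not None:
        findings.append(f"line vty sets 'privilege level {lvl}' for all users")
    findings += [f"user {u} has non-standard privilege {p}"
                 for u, p in parse_users(config).items() if p not in (1, 15)]
    return findings

# Constructed: the asker's starting point, plus the vty workaround they tried.
SAMPLE_BEFORE = """\
username glenn privilege 15 password 0 cisco
username fred password 0 cisco
aaa new-model
line vty 0 4
 privilege level 15
 login local
"""
# Constructed: the configuration given in the answer.
SAMPLE_AFTER = """\
username glenn privilege 15 password 0 cisco
username fred privilege 1 password 0 cisco
aaa new-model
aaa authentication login default local
aaa authorization exec default local
line vty 0 4
"""

if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit(cfg) or ["ok"])
```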

Tags: Cisco Security

Similar Questions

  • FreeRADIUS for AAA authorization

    Hello

    Is there a free/open-source RADIUS implementation that would work with Cisco AAA authorization and accounting features?

    I don't know if FreeRADIUS can do authorization?

    Thank you------Naman

    Try freeRADIUS (www.freeradius.org).

    It can handle all of the basic certificate-oriented EAP authentication.

    Good luck

    Scott

  • Design of AAA authorization

    I'm setting up several switches and routers for TACACS+ with ACS. I need three levels of access; the groups are the following:

    1. normal read-only access.

    2. full access except config t.

    3. full access.

    What would be the best way to achieve this? I see that if I create Shell Command Authorization Sets in ACS, I can set up group 1 and group 3. But will I be able to do group 2? Is there a way to permit everything but explicitly deny a single command? This page: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml leads me to believe that the capability may exist, but I have no way to confirm it for the moment.

    Please see the attachment.

    After implementing it, the user will be able to do anything except config t.

    Kind regards

    ~ JG

    Please rate helpful posts.

  • I am unable to log in with TACACS+ after adding the aaa authorization network command

    Hello

    I was testing aaa authentication on a switch when it cannot communicate with ISE, and I found a strange behaviour. After I added the aaa authentication, authorization and accounting commands and reloaded the switch, I was not able to log in to the switch with the TACACS+ login.

    The switch kept cycling: it showed the banner, gave the authentication failure message 3 times, and then the cycle began again with the failure, banner and login message.

    I removed the aaa authorization network command, reloaded the switch, and was able to log in successfully.

    Could someone help me with this problem?

    Hi Nitesh,

    This command (aaa authorization network) has nothing to do with admin authorization on the network device (in this case, the switch). It applies to network connections such as PPP, SLIP, etc.

    In addition, aaa authorization can be performed by RADIUS and not only TACACS+. RADIUS is not as powerful and you cannot provide command authorization sets, but you can still return roles and different privilege levels.

    Have you tested the above configuration syntax? I did and it works as expected!

    Thank you for rating helpful posts!

  • AAA accounting and authorization

    Hello everyone.
    I have been given a proposed implementation of AAA on routers and switches in our environment. Can someone please help me understand the difference between:
    option 1) aaa authorization exec and aaa authorization commands.
    option 2) aaa accounting exec and aaa accounting commands.
    Thank you very much.

    Sent from Cisco Technical Support Android App

    Hello

    option 1) aaa authorization exec and aaa authorization commands.
    One permits, if the user has the right privilege level, entry to the unrestricted IOS levels (0, 1, 15); you can customize it.

    The other permits the different commands a user can type and send to the device.

    option 2) aaa accounting exec and aaa accounting commands.

    One again reports when a user changes to a specific user level (privileged level 15 or user EXEC level 1).

    The second sends an accounting message to the box for each command issued.

    Check out my blog at http:laguiadelnetworking.com for more information.

    See you soon,

    Julio Segura Carvajal

  • aaa authorization console command

    Hello

    I don't really understand the need for the command "aaa authorization console".

    In fact we often set up these lines, which I thought already applied by default to VTY, console, etc.:

    aaa authorization exec default group tacacs+ if-authenticated

    aaa authorization commands 15 default group tacacs+ if-authenticated

    Am I wrong? Or do these lines only apply to the VTY lines?

    Thank you in advance

    By default Cisco IOS does not do authorization on the console. When you configure aaa authorization, it is applied to the vty lines but not to the console. Basically, this is to make it harder for you to lock yourself out of the router or switch. If you want authorization to apply on the console then you must explicitly configure it (and be very, very careful that it is configured correctly, or you can wind up locked out of the router; think especially about how it will behave when you can't reach the external AAA server that normally performs the authorization).

    HTH

    Rick

  • aaa authentication enable default group tacacs+ enable

    I am implementing CSACS 4.0. First of all, on the client I will apply aaa authentication/authorization under vty. The issue is, if I use the following command

    aaa authentication enable default group tacacs+ enable

    what happens if I connect via the console? Do I need to enter a username and password?

    Here is my configuration

    aaa new-model
    aaa authentication login authvty group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization commands 15 authvty group tacacs+ local
    radius-server host IP
    radius-server key
    ip tacacs source-interface Vlan3
    aaa accounting send stop-record authentication failure
    aaa accounting delay-start
    aaa accounting exec authvty start-stop group tacacs+
    aaa accounting commands 15 authvty start-stop group tacacs+
    aaa accounting connection authvty start-stop group tacacs+
    line vty 0 15
     login authentication authvty
     authorization commands 15 authvty
     accounting connection authvty
     accounting commands 15 authvty
     accounting exec authvty

    Any suggestion will be appreciated!

    It should work because it is a prompt/banner message whenever you try to connect (console/vty). I set it up on my router.

    If you have a banner motd, it will appear as well (see below). So I had to remove it to get only the aaa banner & prompt displayed:

    ************************************************************
    Username: cisco, password: cisco (priv 15f - local) *.
    ************************************************************
    Unauthorized use is prohibited.
    Enter your name here: User1
    Now enter your password:
    Router#

    The configuration more or less looks like this:

    aaa new-model
    aaa authentication banner ^CUnauthorized use is prohibited.^C
    aaa authentication password-prompt "Now enter your password:"
    aaa authentication username-prompt "Enter your name here:"
    aaa authentication login default group radius
    aaa authentication login CONSOLE local

    HTH

    AK

  • Need help with AAA configuration

    I am trying to configure AAA on my network devices. I use TACACS+ with an ACS (3.2) server. I have set up two user groups in the ACS, one with enable privileges and the other without. I am able to get the AAA configuration to work when telnetting into devices. However, when connecting on the console port, the users in the group with enable privileges do not go directly into enable mode as the telnetted users do. How do I solve this?

    Hello

    You should use the following command:

    aaa authorization console

    This command will not be displayed in the help.

    Kind regards

    Vivek

  • Interpretation of aaa authorization

    Hello..

    Is this a correct interpretation of aaa authorization?

    If I want to allow some commands at a certain privilege level I use the following example:

    aaa authorization commands 7 group tacacs+

    no aaa authorization config-commands

    If you want to allow all commands, you must use the following:

    aaa authorization config-commands

    allow all commands except the configuration commands that we type in configuration mode:

    Router(config)#

    configure terminal is an exec-level command and should still be allowed in the command set defined on the AAA server.

    Even if you are running level 15 access and you turn on command authorization using a RADIUS AAA server at level 15, all the commands you type will be checked at the server to see whether they are authorized or not.

    Tariq

  • AAA authentication configuration

    We have an ACS 3.1 server as AAA for authentication for all routers and switches. I want each person to log into the router using their own id, password and enable password. If the ACS server is unavailable, I want to have a different id, password and enable password for console and telnet access. What is the right way to do this? I also want to track all commands entered on the router.

    That's what I have:

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login no_tacacs enable
    aaa authentication enable default group tacacs+ line
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    !
    username admin password 7 xxxxxxxxxxxxxxxx
    !
    line con 0
     login authentication no_tacacs
    line aux 0
    line vty 0 4
     password 7 xxxxxxxxxxxxxxxxxxxxxxxx
    !

    Yes, Joy is right. Thank you, Renault

  • Excluding Terminal Server lines from AAA authentication

    Hi all

    Hope you can help. I'm trying to find a way to exclude only the following line port from AAA authentication (ACS TACACS+) on a Terminal Server card in a Cisco 2600 router. Does anyone know how to do this, or can point me in the right direction to solve it?

    I've included the output below:

    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common

    line 41
     session-timeout 20
     location XXXXXX XXXXXX BT decoder
     no banner motd
     no exec-banner
     absolute-timeout 240
     modem InOut
     no exec
     transport input all
     stopbits 1
     speed 38400

    Is it a matter of disabling login on the line or using a defined group?

    Thanks a lot for your help.

    Jim.

    Hi Jim

    You may need to create another group for authentication on the aux line and add it to your AAA configuration:

    line aux 0
     login authentication aux_auth

    aaa authentication login aux_auth line

    You can also configure a local username/password and map it to the group here...

    Console and telnet would still use the configured default group, or you can specify specific groups:

    line con 0
     login authentication console

    line vty 0 4
     login authentication vty

    and specify the aaa authentication settings individually...

    I hope this helps... all the best

    REDA

  • AAA reports

    Hi, I need to provide ACS reports that include all commands captured on firewalls/switches/routers.

    I have installed ACS successfully for these network devices, basic AAA works, I can see failed/passed authentications, different authentication levels have been correctly configured, but I see only the commands that were denied in the reports (have tested different user levels). How can I configure AAA to log commands entered by e.g. network device admins?

    Hi Ganesh, thanks for the reply.

    Unfortunately I am still unable to see executed commands in the TACACS+ accounting report. I have all report fields enabled, the configuration is the same as you suggested, but still no luck. I set up a shell command authorization set and can see if read-only users (who have rights to run only the commands in the read-only authorization set) try to execute commands they are not authorized to run, but I cannot see all commands executed on the switch.

    This is really important, to have a record of who initiated what commands on network devices and when.

    07/16/2010,09:18:30,AAAServer,GRoup,SWITCHES,CAT3560-T,UserName,192.168.182.1,start,15,,,,,,2,(Default),,,shell,,,,,,,,,,,,,,UTC,,,,,,,,,,,,,,,,,,,,,,,,No,Login,1,6,192.168.182.20,tty1

    Any other suggestions?

    Hello

    If your version of ACS is 4.1, TACACS+ command accounting no longer works. No accounting is visible in the TACACS+ Administration log (bug CSCsg97429).

    Click on this link if you use ACS Solution Engine: http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des?psrtdcat20e2 and download:

    applAcs_4.1.1.23_ACS-4.1-CSTacacs-CSCsg97429.zip

    Hope this helps!

    Ganesh.H

    Don't forget to rate helpful posts

  • aaa authorization commands

    Hi all

    Probably I'll ask a stupid question, but I am really confused about the purpose of the "aaa authorization commands x default local" command. I understand that if this command is configured, it permits every command of that level, but in my experience this command does nothing. The result is the same whether or not it is configured.

    Here is the aaa part of my config

    username cisco privilege 15 secret cisco

    aaa new-model

    aaa authentication login default local enable

    aaa authorization exec default local if-authenticated

    aaa authorization commands 15 default local if-authenticated

    Now whether I keep the last command or remove it, username "cisco" is able to use every level 15 command, so my question is, why would I bother to configure this command?

    Would really appreciate your quick response

    Regards

    Hi Charlotte,

    According to my understanding, with the local user database you don't need to have aaa authorization on the network device... If you use any TACACS+/RADIUS authentication servers, then it will be more useful: you can set attributes in the user profile through which you can push the user's configured access level to a certain level...

    When it is with a local database, authorization is based on the privilege level we set locally on the device and it never looks to aaa... local authorization is limited, and more than that, it is limited to the privilege levels set on the specific profile...

    You can go through the document mentioned below to learn about aaa...

    http://www.Cisco.com/c/en/us/TD/docs/iOS/12_2/Security/command/reference...

    Regards

    Knockaert

  • AAA authorization fails, but the command is still executed...

    Hello world

    I've implemented command authorization and it basically works. The user can only use a limited set of commands (show int status, conf t, interface ethernet, interface gigabitethernet, interface fastethernet, shutdown, no shutdown).

    Now I'm trying to configure a loopback or Vlan interface, which should not be allowed.

    COMMANDS IN USE:

    aaa authorization config-commands
    aaa authorization commands 0 vty group tacacs+ none
    aaa authorization commands 1 vty group tacacs+ none
    aaa authorization commands 15 vty group tacacs+ none

    line vty 0 15
     authorization commands 0 vty
     authorization commands 1 vty
     authorization commands 15 vty

    COMMAND AND OUTPUT FROM THE TESTS:

    SWITCH(config)#int vlan 2
    Command authorization failed.

    DEBUG AAA AUTHORIZATION:

    SWITCH#

    Dec  7 14:31:50: AAA: parse name=tty1 idb type=-1 tty=-1
    Dec  7 14:31:50: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
    Dec  7 14:31:50: AAA/MEMORY: create_user (0x46603F4) user='USER1' ruser='SWITCH' ds0=0 port='tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCA' service=CMD
    Dec  7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): found list "SCA"
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Method=tacacs+ (tacacs+)
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): user=USER1
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV service=shell
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=Vlan
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=2
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=
    Dec  7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
    Dec  7 14:31:50: AAA/MEMORY: free_user (0x46603F4) user='USER1' ruser='SWITCH' port='tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15


    As you can see the answer from the TACACS+ server is "FAIL", but the command is still executed.

    RESULT:

    SWITCH#sh run int vlan 2
    Building configuration...

    Current configuration: 38 bytes
    !
    interface Vlan2
     no ip address
    end

    QUESTION:

    I don't understand what the problem is... Since I get a FAIL from the TACACS+ server, I guess the configuration on that side is fine.

    But why does the switch ignore a FAIL and run the command anyway? The same problem exists with the loopback interface.

    Is it just me not understanding the basic concept of AAA, or is it another problem?

    The switch is a Cisco WS-C3750-24TS (running c3750-ipbasek9-mz.122-50.SE2.bin).

    The TACACS+ server is running Cisco Secure ACS 4.2.0.124.

    Thank you

    Tom

    Hi Tom,

    It's CSCtd49491: TACACS+ command authorization failed for interface configuration.

    The bug is currently in a Closed state, which means that "the bug report is valid, but a conscious decision has been made not to fix it in any release."

    As far as I know, the impact is rather limited, given that the interface that is created has no effect unless the vlan exists, and even in this case the effect is minimal since it cannot be configured.

    You can open a TAC case or work with your account team to get the bug reopened if it is still a matter of concern.

    HTH

    Herbert
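    A parser for debug output of the kind shown above, added as an example that is not part of the original thread: it rebuilds the authorized command from the cmd/cmd-arg AV pairs of each request id and cross-checks a FAIL verdict against the running config, which is how the symptom in this thread would surface in a review. The function names, the log excerpt and the config snippet are constructed.

```python
"""Summarise 'debug aaa authorization' output per request id and check each
verdict against the running config, as in the thread above. Added example,
not from the original thread: the log excerpt and config are constructed in
the shape of the output shown above, and the function names are mine."""
import re

# Only the AAA/AUTHOR/CMD lines are parsed; the AAA/AUTHOR/TAC+ lines repeat
# the same AV pairs for the server exchange and would double-count them.
AV_RE = re.compile(r"AAA/AUTHOR/CMD \((\d+)\): send AV (cmd|cmd-arg)=(.*)$")
USER_RE = re.compile(r"AAA/AUTHOR/CMD: \S+ \((\d+)\) user='([^']*)'")
STATUS_RE = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\w+)")

def parse_author_debug(text):
    """Return {request_id: {"user", "command", "status"}}. The command is
    rebuilt from the cmd and cmd-arg AVs; an empty cmd-arg ends the line."""
    reqs = {}
    for line in text.splitlines():
        if m := USER_RE.search(line):
            reqs.setdefault(m.group(1), {"words": []})["user"] = m.group(2)
        elif m := AV_RE.search(line):
            if val := m.group(3).strip():
                reqs.setdefault(m.group(1), {"words": []})["words"].append(val)
        elif m := STATUS_RE.search(line):
            reqs.setdefault(m.group(1), {"words": []})["status"] = m.group(2)
    return {rid: {"user": r.get("user"), "command": " ".join(r["words"]),
                  "status": r.get("status")} for rid, r in reqs.items()}

def denied_but_present(requests, running_config):
    """Flag denied 'interface <type> <num>' commands whose interface still
    appears in the running config: the symptom the thread describes."""
    present = {m.group(1).lower()
               for m in re.finditer(r"^interface (\S+)", running_config, re.M)}
    hits = []
    for rid, r in requests.items():
        m = re.match(r"interface (\S+) (\S+)$", r["command"])
        if r["status"] == "FAIL" and m and (m.group(1) + m.group(2)).lower() in present:
            hits.append((rid, r["user"], r["command"]))
    return hits

# Constructed debug excerpt (one request) in the format shown above.
DEBUG = """\
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCA' service=CMD
Dec  7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=
Dec  7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
"""
# Constructed 'show run' excerpt: the interface exists despite the FAIL.
RUNNING_CONFIG = "interface Vlan2\n no ip address\nend\n"

if __name__ == "__main__":
    reqs = parse_author_debug(DEBUG)
    print(reqs)
    print(denied_but_present(reqs, RUNNING_CONFIG))
```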

  • AAA authorization problem

    I have the following setup on my switch...

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login CONSOLE line
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 10 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated

    The problem is that when I log into the switch through the console port and enter these commands, I instantly get "Command authorization failed" on all commands. It's mind-boggling because there is no possible way the switch is talking to my Cisco ACS. I have not yet put in the radius-server key. I have to restart the box every time. What am I missing?

    Thank you for your time. I use IOS Version 12.2(25)SEB4.

    -Andrew

    Hello

    Before proceeding with the TACACS+ configuration, create a local user.

    Add the following commands.

    username cisco password cisco
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization config-commands
    radius-server host x.x.x.x
    tacacs-server key ...

    Please rate if it helps you
