Friday, September 9, 2011
Configuring Local Command Authorization (AAA Part 2)
I want to create a user in IOS and allow that user access only to certain commands. I want the user to be able to enter global configuration mode, create extended ACLs, debug ip packet, terminal monitor, terminal no monitor, undebug all, and use the extended ping options.
I'll create my user, assign him privilege level 9, and move the needed commands to privilege level 9. A user at privilege level 9 also inherits every command available at the lower privilege levels.
R2(config)#username jason privilege 9 password cisco
R2(config)#privilege exec level 9 configure terminal
R2(config)#privilege configure level 9 access-list extended
R2(config)#privilege ipenacl level 9 permit
R2(config)#privilege exec level 9 debug ip packet
R2(config)#privilege exec level 9 terminal monitor
R2(config)#privilege exec level 9 terminal no monitor
R2(config)#privilege exec level 9 undebug all
R2(config)#privilege exec level 9 ping repeat
I'll enable aaa new-model later, but for now, I'll add login local to the vty lines.
R2(config)#line vty 0 4
R2(config-line)#login local
R2(config-line)#
I'll test by connecting from R1 to R2's vty line.
R1#telnet 10.1.12.2
Trying 10.1.12.2 ... Open
User Access Verification
Username: jason
Password:
You are connecting to R2 on line 194, VTY LINE at stupidtroutertricks.com
R2#show privilege
Current privilege level is 9
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#?
Configure commands:
access-list Add an access list entry
beep Configure BEEP (Blocks Extensible Exchange Protocol)
call Configure Call parameters
default Set a command to its defaults
end Exit from configure mode
exit Exit from configure mode
help Description of the interactive help system
ip Global IP configuration subcommands
netconf Configure NETCONF
no Negate a command or set its defaults
oer Optimized Exit Routing configuration submodes
sasl Configure SASL
wsma Configure Web Services Management Agents
R2(config)#ip access-list extended 101
R2(config-ext-nacl)#permit icmp 10.1.12.1 255.255.255.255 10.1.12.2 255.255.255.255
R2(config-ext-nacl)#end
R2#deb ip packet 101
IP packet debugging is on for access list 101
R2#ping 10.1.12.1 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 4/4/4 ms
R2#
.Sep 9 06:23:21.575: IP: s=10.1.12.2 (local), d=10.1.12.1 (FastEthernet0/1), len 100,....
This behaves as expected.
Although AAA is not required for local command authorization, I'll enable AAA and configure it so the level 9 user still lands at his privilege level when he logs in.
R2(config)#aaa new-model
As soon as this is executed, I no longer have login local applied to the VTY lines.
R2(config)#do sh run | sec line vty
line vty 0 4
location VTY LINE
password cisco
R2(config)#
I'll configure an authentication method list that applies to the VTY lines.
R2(config)#aaa authentication login default local
R2(config)#
Authentication alone won't be enough to reach privilege level 9 over telnet.
R1#telnet 10.1.12.2
Trying 10.1.12.2 ... Open
User Access Verification
Please enter your user name:jason
Please enter your password:
You are connecting to R2 on line 194, VTY LINE at stupidtroutertricks.com
R2>show privilege
Current privilege level is 1
R2>exit
[Connection to 10.1.12.2 closed by foreign host]
R1#
I have to create an authorization list and apply that to the vty lines.
R2(config)#aaa authorization exec default local
R2(config)#line vty 0 4
R2(config-line)#authorization exec default
R2(config-line)#end
R2#
Now I'll attempt to log in again.
R1#telnet 10.1.12.2
Trying 10.1.12.2 ... Open
User Access Verification
Please enter your user name:jason
Please enter your password:
You are connecting to R2 on line 194, VTY LINE at stupidtroutertricks.com
R2#show privilege
Current privilege level is 9
R2#
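The two pitfalls shown in this post (aaa new-model silently dropping login local, and a user authenticating fine but landing at privilege level 1 because no exec authorization list uses the local database) are easy to miss when reading a running-config by eye. The following Python script is an added example, not part of the original post or any Cisco tool: it parses a running-config excerpt, lists the commands a user can actually reach at his privilege level (every command moved to a level at or below his own), and flags the misconfigurations above. The sample config embedded in it is constructed from the commands used in this post; the function names, the finding texts and the assumption that the config uses show running-config indentation are mine. The audit treats the default authorization list as applying to the VTY lines even without an explicit line-level authorization exec default, since IOS applies the default list to all lines that have no named list configured.

```python
"""Audit a Cisco IOS running-config excerpt for local command authorization.

Added example (not from the original post). Assumes the config uses the same
syntax as the post and show running-config style indentation for line subcommands.
"""
import re

# Constructed sample config mirroring the commands used in the post.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username jason privilege 9 password cisco
privilege exec level 9 configure terminal
privilege configure level 9 access-list extended
privilege ipenacl level 9 permit
privilege exec level 9 debug ip packet
privilege exec level 9 terminal monitor
privilege exec level 9 terminal no monitor
privilege exec level 9 undebug all
privilege exec level 9 ping repeat
line vty 0 4
 authorization exec default
"""

# Constructed variant of the post's second login attempt: AAA is on but no
# exec authorization list exists, so jason lands at privilege level 1.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("aaa authorization exec default local\n", "") \
                             .replace(" authorization exec default\n", "")

USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?")
PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")


def parse_config(text):
    """Extract users, relocated commands, AAA lists and VTY line settings."""
    cfg = {
        "users": {},               # username -> privilege level (IOS default is 1)
        "privileges": [],          # (mode, level, command) from 'privilege' lines
        "aaa_new_model": False,
        "authn_login_lists": {},   # list name -> methods
        "authz_exec_lists": {},    # list name -> methods
        "vty": {"present": False, "login_local": False,
                "authn_list": None, "authz_list": None},
    }
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):            # top-level command or section header
            section = "vty" if line.startswith("line vty") else None
            if section == "vty":
                cfg["vty"]["present"] = True
                continue
            m = USER_RE.match(line)
            if m:
                cfg["users"][m.group(1)] = int(m.group(2)) if m.group(2) else 1
                continue
            m = PRIV_RE.match(line)
            if m:
                cfg["privileges"].append((m.group(1), int(m.group(2)), m.group(3)))
                continue
            if line == "aaa new-model":
                cfg["aaa_new_model"] = True
            elif line.startswith("aaa authentication login "):
                _, _, _, name, *methods = line.split()
                cfg["authn_login_lists"][name] = methods
            elif line.startswith("aaa authorization exec "):
                _, _, _, name, *methods = line.split()
                cfg["authz_exec_lists"][name] = methods
            continue
        if section == "vty":                    # indented line subcommand
            sub = line.strip()
            if sub == "login local":
                cfg["vty"]["login_local"] = True
            elif sub.startswith("login authentication "):
                cfg["vty"]["authn_list"] = sub.split()[2]
            elif sub.startswith("authorization exec "):
                cfg["vty"]["authz_list"] = sub.split()[2]
    return cfg


def effective_commands(cfg, user):
    """Relocated commands reachable by the user: every level at or below his own."""
    level = cfg["users"][user]
    return {(mode, cmd) for mode, lvl, cmd in cfg["privileges"] if lvl <= level}


def audit(cfg):
    """Return a list of findings; an empty list means the privilege level will take effect."""
    findings, vty = [], cfg["vty"]
    if not vty["present"]:
        return ["no 'line vty' section found; remote login settings cannot be checked"]
    if not cfg["aaa_new_model"]:
        if not vty["login_local"]:
            findings.append("without aaa new-model, VTY lines need 'login local' so usernames "
                            "and their privilege levels are consulted")
        return findings
    # aaa new-model is on: IOS drops 'login local' and method lists take over.
    if vty["login_local"]:
        findings.append("'login local' is removed by aaa new-model; use 'aaa authentication login'")
    authn = vty["authn_list"] or "default"     # default list applies when none is named
    if "local" not in cfg["authn_login_lists"].get(authn, []):
        findings.append(f"authentication login list '{authn}' is missing or does not use 'local'")
    authz = vty["authz_list"] or "default"
    if "local" not in cfg["authz_exec_lists"].get(authz, []):
        findings.append(f"no 'aaa authorization exec {authz} local'; authenticated users land at "
                        "privilege level 1 instead of their configured level")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        cfg = parse_config(text)
        print(f"[{label}] jason level {cfg['users']['jason']}, "
              f"{len(effective_commands(cfg, 'jason'))} relocated commands reachable")
        for f in audit(cfg):
            print(f"[{label}] finding: {f}")
```

Running the script prints the reachable command count for jason and no findings for the sample config, and one finding for the broken variant, matching the "Current privilege level is 1" result seen in the post before the authorization list was added. The parser only reports commands explicitly moved with privilege statements; the built-in level 1 and level 15 command sets are not in the config and are not enumerated.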