Friday, September 9, 2011

Configuring Local Command Authorization (AAA Part 2)

I want to create a user in IOS and only allow that user access to certain commands. I want the user to be able to enter global configuration mode, create extended ACLs, debug ip packet, terminal monitor, terminal no monitor, undebug all, and use extended ping functions.

I'll create my user, assign him privilege level 9, and move the commands he needs to privilege level 9. A user at privilege level 9 automatically inherits every lower privilege level (1 through 8) and all of the commands available at those levels.

R2(config)#username jason privilege 9 password cisco
R2(config)#privilege exec level 9 configure terminal
R2(config)#privilege configure level 9 access-list extended
R2(config)#privilege ipenacl level 9 permit
R2(config)#privilege exec level 9 debug ip packet
R2(config)#privilege exec level 9 terminal monitor
R2(config)#privilege exec level 9 terminal no monitor
R2(config)#privilege exec level 9 undebug all
R2(config)#privilege exec level 9 ping repeat

I'll enable aaa new-model later, but for now, I'll add login local to the vty lines.

R2(config)#line vty 0 4
R2(config-line)#login local
R2(config-line)#

I'll test by connecting from R1 to R2's vty line.

R1#telnet 10.1.12.2
Trying 10.1.12.2 ... Open


User Access Verification


Username: jason
Password: You are connecting to R2 on line 194, VTY LINE at stupidtroutertricks.com
R2#show privilege
Current privilege level is 9
R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#?
Configure commands:
  access-list  Add an access list entry
  beep         Configure BEEP (Blocks Extensible Exchange Protocol)
  call         Configure Call parameters
  default      Set a command to its defaults
  end          Exit from configure mode
  exit         Exit from configure mode
  help         Description of the interactive help system
  ip           Global IP configuration subcommands
  netconf      Configure NETCONF
  no           Negate a command or set its defaults
  oer          Optimized Exit Routing configuration submodes
  sasl         Configure SASL
  wsma         Configure Web Services Management Agents


R2(config)#ip access-list extended 101
R2(config-ext-nacl)#permit icmp 10.1.12.1 255.255.255.255 10.1.12.2 255.255.255.255
R2(config-ext-nacl)#end
R2#deb ip packet 101
IP packet debugging is on for access list 101
R2#ping 10.1.12.1 repeat 1


Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 4/4/4 ms
R2#
.Sep  9 06:23:21.575: IP: s=10.1.12.2 (local), d=10.1.12.1 (FastEthernet0/1), len 100,....

This behaves as expected.

Although aaa new-model is not required for local command authorization, I'll enable AAA and configure it so the level 9 user can still log in and land at the correct privilege level.

R2(config)#aaa new-model

As soon as this is executed, login local is no longer applied to the VTY lines; aaa new-model replaces the per-line login commands with AAA method lists.

R2(config)#do sh run | sec line vty
line vty 0 4
 location VTY LINE
 password cisco
R2(config)#

I'll configure a method list to apply at the VTY lines.

R2(config)#aaa authentication login default local
R2(config)#

Authentication now succeeds, but this won't be enough to reach privilege level 9 over telnet: the session starts at level 1.

R1#telnet 10.1.12.2
Trying 10.1.12.2 ... Open


User Access Verification


Please enter your user name:jason
Please enter your password:
You are connecting to R2 on line 194, VTY LINE at stupidtroutertricks.com
R2>show privilege
Current privilege level is 1
R2>exit
[Connection to 10.1.12.2 closed by foreign host]
R1#

I have to create an exec authorization list and apply it to the vty lines so that the user's configured privilege level is granted at login.

R2(config)#aaa authorization exec default local
R2(config)#line vty 0 4
R2(config-line)#authorization exec default
R2(config-line)#end
R2#

Now I'll attempt to log in again.

R1#telnet 10.1.12.2
Trying 10.1.12.2 ... Open


User Access Verification


Please enter your user name:jason
Please enter your password:
You are connecting to R2 on line 194, VTY LINE at stupidtroutertricks.com
R2#show privilege
Current privilege level is 9
R2#
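The two behaviours shown above, a level 9 user inheriting every lower level's commands and the drop to level 1 once aaa new-model is enabled without an exec authorization list, are easy to model and to audit for. The following Python script is an added example written for this page, not code from the post or from Cisco. It parses a constructed configuration snippet in IOS syntax (modelled on R2 right after aaa new-model and the login method list were entered), reports which commands a given privilege level can run, and lists any user whose configured level will not be granted on a VTY login. The DEFAULT_LEVEL of 15 for commands that have no privilege statement is this model's own assumption; real IOS places many commands at level 1 by default and this model only tracks the explicitly assigned ones.

```python
"""IOS privilege-level model plus an audit for the AAA exec-authorization gap.
Added example for this page (not from the post or Cisco). It parses a
constructed configuration snippet and answers: which commands can a level-N
user run, and does a privilege >1 user actually get that level on a VTY once
'aaa new-model' is on without an 'aaa authorization exec' method list?
"""
import re

# Constructed sample, modelled on R2 in the post just after 'aaa new-model'
# and 'aaa authentication login default local' were entered.
SAMPLE_CONFIG = """\
username jason privilege 9 password cisco
username bob privilege 1 password guest
privilege exec level 9 configure terminal
privilege configure level 9 access-list extended
privilege ipenacl level 9 permit
privilege exec level 9 debug ip packet
privilege exec level 9 terminal monitor
privilege exec level 9 terminal no monitor
privilege exec level 9 undebug all
privilege exec level 9 ping repeat
aaa new-model
aaa authentication login default local
line vty 0 4
 location VTY LINE
 password cisco
"""

# Same configuration with the fix from the post applied.
FIXED_CONFIG = SAMPLE_CONFIG + "aaa authorization exec default local\n"

# Assumption of this model: a command with no 'privilege' statement needs
# level 15. Real IOS ships many commands at level 1; only assigned ones are
# tracked here.
DEFAULT_LEVEL = 15

USER_RE = re.compile(r"^username (\S+) privilege (\d+) ")
PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")


def parse_config(text):
    """Return (users, commands): users maps name -> level, commands maps
    (mode, keyword sequence) -> level for every 'privilege' statement."""
    users, commands = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = int(m.group(2))
            continue
        m = PRIV_RE.match(line)
        if m:
            commands[(m.group(1), m.group(3))] = int(m.group(2))
    return users, commands


def command_level(commands, mode, command):
    """Level needed to run 'command' (keywords only, no arguments) in 'mode'.
    IOS also lowers the level of a command's keyword prefixes when the longer
    command is assigned ('privilege exec level 9 debug ip packet' makes
    'debug' and 'debug ip' reachable at 9), so the lowest matching level wins."""
    levels = [lvl for (m, cmd), lvl in commands.items()
              if m == mode and (cmd == command or cmd.startswith(command + " "))]
    return min(levels) if levels else DEFAULT_LEVEL


def can_run(commands, user_level, mode, command):
    """A level-N user runs every command assigned to level <= N; this is the
    inheritance the post relies on (level 9 includes levels 1 through 8)."""
    return user_level >= command_level(commands, mode, command)


def effective_vty_level(config_text, username):
    """Privilege level a user really gets after a VTY login. With 'login local'
    alone the configured level applies directly. With 'aaa new-model' the
    level is only applied by an 'aaa authorization exec' method list; without
    one the session starts at level 1, the symptom shown in the post."""
    users, _ = parse_config(config_text)
    if username not in users:
        return None
    lines = [ln.strip() for ln in config_text.splitlines()]
    aaa_enabled = "aaa new-model" in lines
    exec_authz = any(ln.startswith("aaa authorization exec ") for ln in lines)
    if aaa_enabled and not exec_authz:
        return 1
    return users[username]


def audit(config_text):
    """List every user whose configured level will not be granted on a VTY."""
    users, _ = parse_config(config_text)
    findings = []
    for name, level in sorted(users.items()):
        actual = effective_vty_level(config_text, name)
        if actual != level:
            findings.append(f"{name}: configured privilege {level}, VTY login "
                            f"gives {actual}; add 'aaa authorization exec default local'")
    return findings
```

Run audit() over a saved running-config to catch the exact misconfiguration the post walks into: it reports jason for SAMPLE_CONFIG and returns an empty list for FIXED_CONFIG, where aaa authorization exec default local is present.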
