Lab 12.2.3: AAA Authorization

Objectives:

  • Add AAA local Authorization to a NAS device.

Scenario:

The Denver office needs to authorize a backup user to issue a few privilege-level commands. You will set up AAA Authorization on this router and test each user account.

Notes: 

Lab Tasks:

By default, there are three privilege levels on the router: 

privilege level 1 = non-privileged (prompt is router>), the default level for login 
privilege level 15 = privileged (prompt is router#), the level after going into enable mode 
privilege level 0 = seldom used, but includes 5 commands:
disable, enable, exit, help, and logout 

Levels 2-14 are not used in a default configuration, but commands that are normally at level 15 can be moved down to one of those levels, and commands that are normally at level 1 can be moved up to one of those levels. This security model therefore involves some administration on the router, and the levels only restrict what a user can type: a command moved down to a lower level is available to every user at that level or above. To determine your privilege level as a logged-in user, type the show privilege command.

To determine what commands are available at a particular privilege level for the Cisco IOS Software Release you are using, enter a ? at the command line when logged in at that privilege level.

Note: Authorization is bypassed for authenticated users who log in using the console line, even if authorization has been configured (the console is exempt unless aaa authorization console is also configured). This lab relies on that exemption: the authorization commands below are entered from the console so that turning authorization on cannot lock you out of the session you are using.

  1. Log into the Denver office router and enter global configuration mode.
  2. On the router, start configuring AAA Authorization by creating the two local accounts, each with the privilege level it will be authorized to use. Note that password 0 stores the password in clear text in the configuration; outside a lab, use username ... secret instead. The commands are:

AAA_Router(config)# username superuser privilege 15 password 0 ciscorocks
AAA_Router(config)# username backup privilege 7 password 0 backup
AAA_Router(config)# exit


Log in with the username superuser and the password ciscorocks (this confirms the privileged account works before authorization is turned on), then return to global configuration mode and enable EXEC authorization:

AAA_Router(config)# aaa authorization exec default group tacacs+ local

Below is a brief description of each keyword in the command above.

aaa            This is an AAA command
authorization  This applies to authorization only (not authentication or accounting)
exec           Applies to starting an EXEC (shell) session on the router
default        This is the default method list, used by every line unless a named list is assigned
group          Use a group of servers
tacacs+        The server group type is TACACS+, not RADIUS
local          If no TACACS+ server responds, fall back to the local database. The fallback happens only on a server error (no reply); a server that answers with a deny is final and the local database is not consulted.
  3. The next step is to specify which privilege levels will have their commands authorized. On the AAA_Router issue the following commands from the console (one per level that authorization should cover):

AAA_Router(config)# aaa authorization commands 0 default group tacacs+ local
AAA_Router(config)# aaa authorization commands 1 default group tacacs+ local
AAA_Router(config)# aaa authorization commands 15 default group tacacs+ local
AAA_Router(config)# aaa authorization commands 7 default group tacacs+ local

  4. The final configuration step is to move the commands the backup user needs down to level 7, so that a level-7 user is authorized to run them, and then turn on debugging so you can watch each authorization decision. On the AAA_Router issue the following commands from the console:

AAA_Router(config)# privilege configure level 7 snmp-server host
AAA_Router(config)# privilege configure level 7 snmp-server enable
AAA_Router(config)# privilege configure level 7 snmp-server
AAA_Router(config)# privilege exec level 7 ping
AAA_Router(config)# privilege exec level 7 configure terminal
AAA_Router(config)# privilege exec level 7 configure
AAA_Router(config)# end
AAA_Router# debug aaa authorization

  5. From a remote workstation telnet to the AAA_Router. You should see a prompt like the one below:

User Access Verification

Username:

Log in with the username backup and the password backup. Issue the following commands and record which commands are available:

AAA_Router# configure terminal
AAA_Router(config)# ?
AAA_Router(config)# snmp-server ?





Issue the following command to show your current privilege level:

AAA_Router# show privilege

Exit the current EXEC session and log in again with the username superuser and the password ciscorocks. Issue the following commands and record which commands are available:

AAA_Router# configure terminal
AAA_Router(config)# ?




Issue the following command to show your current privilege level and record your findings below:

AAA_Router# show privilege
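The decisions the two logins above should observe, together with the method-list fall-through described under the aaa authorization exec command, modelled as an added Python example (not IOS code and not part of the original lab). It applies the lab's privilege statements on top of a small constructed table of IOS default levels, answers the local method by comparing the user's privilege level with the command's level, and walks the group tacacs+ local method list with a simulated server reply. The default-level table, the Result enum, the helper names and the sample commands are all assumptions for illustration.

```python
"""Model of IOS privilege-level command authorization and AAA method-list fall-through.

Added illustration for this lab, not IOS code. The default-level table is a
constructed approximation covering only the commands the lab uses.
"""
from enum import Enum


class Result(Enum):
    PASS = "PASS"    # the method authorized the request
    FAIL = "FAIL"    # the method explicitly denied it: the method list stops here
    ERROR = "ERROR"  # the method could not answer (server unreachable): try the next one


# Constructed approximation of IOS default levels: (mode, command prefix) -> level.
# Anything not listed is treated as level 15 (privileged).
DEFAULT_LEVELS = {
    ("exec", ("show", "privilege")): 1,
    ("exec", ("ping",)): 1,
    ("exec", ("enable",)): 0,
    ("exec", ("exit",)): 0,
    ("exec", ("logout",)): 0,
    ("exec", ("configure", "terminal")): 15,
    ("configure", ("hostname",)): 15,
    ("configure", ("snmp-server",)): 15,
}

# The privilege statements from this lab, copied verbatim.
LAB_PRIVILEGE_STATEMENTS = [
    "privilege configure level 7 snmp-server host",
    "privilege configure level 7 snmp-server enable",
    "privilege configure level 7 snmp-server",
    "privilege exec level 7 ping",
    "privilege exec level 7 configure terminal",
    "privilege exec level 7 configure",
]


def build_privilege_table(statements, defaults=DEFAULT_LEVELS):
    """Apply `privilege <mode> level <n> <command>` statements on top of the defaults."""
    table = dict(defaults)
    for line in statements:
        words = line.split()
        if len(words) < 5 or words[0] != "privilege" or words[2] != "level":
            raise ValueError(f"not a privilege statement: {line!r}")
        table[(words[1], tuple(words[4:]))] = int(words[3])
    return table


def command_level(table, mode, command):
    """Level required to run `command` in `mode`: the longest registered prefix wins."""
    words = tuple(command.split())
    best_prefix, best_level = (), 15
    for (tmode, prefix), level in table.items():
        if tmode == mode and words[:len(prefix)] == prefix and len(prefix) > len(best_prefix):
            best_prefix, best_level = prefix, level
    return best_level


def local_method(table, user_level, mode, command):
    """The `local` method: authorize when the user's privilege level covers the command."""
    return Result.PASS if user_level >= command_level(table, mode, command) else Result.FAIL


def authorize(methods, table, user_level, mode, command, tacacs_reply):
    """Walk a method list such as ["group tacacs+", "local"] for one request.

    `tacacs_reply` stands in for the TACACS+ server's answer. Only ERROR (no
    reachable server) falls through to the next method; a FAIL is final.
    """
    for method in methods:
        if method == "group tacacs+":
            result = tacacs_reply
        elif method == "local":
            result = local_method(table, user_level, mode, command)
        elif method == "none":
            result = Result.PASS
        else:
            raise ValueError(f"unknown method {method!r}")
        if result is not Result.ERROR:
            return result
    return Result.FAIL  # every method errored and the list does not end in `none`: deny


def lab_expectations():
    """Decisions the two logins in this lab should observe while TACACS+ is unreachable."""
    table = build_privilege_table(LAB_PRIVILEGE_STATEMENTS)
    methods = ["group tacacs+", "local"]

    def ask(user_level, mode, cmd, reply=Result.ERROR):
        # default reply ERROR: no TACACS+ server is configured or reachable in the lab
        return authorize(methods, table, user_level, mode, cmd, reply)

    return {
        "backup: configure terminal": ask(7, "exec", "configure terminal"),
        "backup: snmp-server host": ask(7, "configure", "snmp-server host 10.1.1.5 public"),
        "backup: hostname": ask(7, "configure", "hostname Denver"),
        "superuser: hostname": ask(15, "configure", "hostname Denver"),
        # ping was level 1 by default; the lab raised it to 7, so a level-1 login loses it
        "level 1: ping": ask(1, "exec", "ping 10.1.1.1"),
        # a reachable server that denies is final even though the local table would allow it
        "superuser: hostname, TACACS+ deny": ask(15, "configure", "hostname Denver", Result.FAIL),
    }


if __name__ == "__main__":
    for request, result in lab_expectations().items():
        print(f"{request:36s} -> {result.value}")
```

Running it shows two things the lab text does not spell out: because privilege exec level 7 ping raises ping from its default level 1, a plain level-1 login can no longer ping; and a TACACS+ deny is final, the local database being consulted only when no server answers at all, so a method list ending in local is a fallback for server outages, not a second chance after a denial.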