The Denver office needs to authorize a backup user to issue a few privilege-level commands. You will set up AAA Authorization on this router and test each user account.
Notes:
Lab Tasks:
By default, there are three privilege levels on the router:
privilege level 1 = non-privileged (prompt is router>), the default level for login
privilege level 15 = privileged (prompt is router#), the level after going into enable mode
privilege level 0 = seldom-used, but includes 5 commands: disable, enable, exit, help, and logout
Levels 2-14 are not used in a default configuration, but commands that are normally at level 15 can be moved down to one of those levels and commands that are normally at level 1 can be moved up to one of those levels. Obviously, this security model involves some administration on the router. To determine the privilege level as a logged-in user, type the show privilege command.
To determine what commands are available at a particular privilege level for the Cisco IOS Software Release you are using, enter a ? at the command line when logged in at that privilege level.
Note: Authorization is bypassed for authenticated users who log in using the console line, even if authorization has been configured.
Log in to the Denver office router and enter global configuration mode.
On the router, start configuring AAA Authorization. The commands to configure AAA Authorization are:
Log in with the Username of superuser and the Password of ciscorocks
AAA_Router(config)# aaa authorization exec default group tacacs+ local
Below is a brief description of each keyword in the above command.
AAA: This is an AAA command
Authorization: This only applies to authorization
Exec: This only applies to exec commands on the router
Default: This is the default method
Group: Prepare to use a group of "Servers"
TACACS+: This is the type of servers, not RADIUS
Local: If TACACS+ servers fail then use local database
The next step is to specify which commands will be authorized. On the AAA_Router issue the following commands from the console:
AAA_Router(config)# aaa authorization commands 0 default group tacacs+ local
AAA_Router(config)# aaa authorization commands 1 default group tacacs+ local
AAA_Router(config)# aaa authorization commands 15 default group tacacs+ local
AAA_Router(config)# aaa authorization commands 7 default group tacacs+ local
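The following Python check is an added example, not part of the original lab. It reads a saved configuration and reports which privilege levels have an aaa authorization commands line, which method lists lack the local fallback, and which levels hold relocated commands with no authorization line. The aaa new-model line, the privilege lines and the level 5 list in the sample are constructed for illustration and are not the lab's own commands.

```python
import re

# Constructed sample: the exec line and the level 0/1/7/15 lines are the lab's;
# "aaa new-model", the level 5 list and the "privilege" lines are made up here.
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization commands 5 default group tacacs+
privilege exec level 7 show running-config
privilege exec level 3 clear counters
"""

AUTHZ_RE = re.compile(r"^aaa authorization (exec|commands (\d+)) (\S+) (.+)$")
PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")

def audit(config):
    """Return (levels with command authorization, findings) for a config text."""
    covered, exec_authz, moved, findings = {}, False, {}, []
    for line in map(str.strip, config.splitlines()):
        m = AUTHZ_RE.match(line)
        if m:
            methods = m.group(4).split()
            if m.group(2) is None:          # "aaa authorization exec ..."
                exec_authz, what = True, "exec"
            else:                           # "aaa authorization commands N ..."
                covered[int(m.group(2))] = methods
                what = f"commands {m.group(2)}"
            if "local" not in methods:
                findings.append(f"{what}: no local fallback if the servers fail")
            continue
        m = PRIV_RE.match(line)
        if m:                               # command relocated to level N
            moved.setdefault(int(m.group(2)), []).append(m.group(3))
    if not exec_authz:
        findings.append("exec: no 'aaa authorization exec' line")
    for level in sorted(moved):
        if level not in covered:
            findings.append(f"commands {level}: {len(moved[level])} relocated "
                            "command(s) but no authorization line")
    return sorted(covered), findings

if __name__ == "__main__":
    levels, findings = audit(SAMPLE_CONFIG)
    print("authorized levels:", levels)
    print("\n".join(findings) or "no findings")
```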
The final step is to specify which commands at level 7 will be authorized. On the AAA_Router issue the following commands from the console:
Issue the following command to show your current privilege level:
AAA_Router# show privilege
Exit out of the current EXEC session and then log in again. Type in the Username of superuser and the Password of ciscorocks. Issue the following commands and record what commands are available: