

kpeterson

@P-POOL.Marist.Edu

AAA Authorization problems on 2811 router

Hi,
I'm just beginning to teach myself security on a Cisco 2811, and I'm having some problems with local authorization. Basically, I've created three usernames with three privilege levels, and by using local authentication, I'm trying to set up AAA to allow these users access to commands based on their privilege level.

here's what I'm trying:
router(config)#aaa authorization commands 15 level3list local
router(config)#aaa authorization commands 10 level2list local
router(config)#aaa authorization commands 1 level1list local

and then from the vty 0 4 lines config:
router(config-line)#authentication commands 15 level3list
router(config-line)#authentication commands 10 level2list
router(config-line)#authentication commands 1 level1list

I'd think that this would authenticate users with privileges based on their privilege level in the local database (the usernames I've created have privilege levels of 15, 10, and 1), but I'm obviously doing something wrong. Whichever username I log in with has full privileges. Debugging AAA authorization, whichever name I use, the router says it has found level3list and grants me full level 15 privileges.

Please help, I've really tried everything I can think of.


aryoba
Premium,MVM
join:2002-08-22
kudos:4

Can you post the entire configuration? (show running-config)



kpeterson

@P-POOL.Marist.Edu
reply to kpeterson

Thanks for the reply, I'm sorry, but I won't have access to the router until 2 AM and won't be able to get the config until then. I can tell you that, in trying to isolate the problem, I reloaded the router and did only a basic configuration. Besides configuring an enable mode secret password and IP addresses on F0/0 and a serial line, all I've done is enable AAA (with aaa new-model), created an aaa authentication list (aaa authentication login telnetlist local) and applied it to the VTY 0 4 (login authentication telnetlist). After doing this, I used the authorization commands listed above. I'm accessing the device through reverse telnet, and the debug clearly shows that I'm hitting the AAA.

I know this isn't as helpful as it should be, but I really hope someone can spot a problem with what I'm doing.

Thanks.



kpeterson

@P-POOL.MARIST.EDU
reply to kpeterson

Here's my full configuration:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NewYork
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$zoaQ$OymktDrJaB7dKSXvZJXM3.
!
aaa new-model
!
!
aaa authentication login telnetlist local
aaa authorization commands 1 level1list local
aaa authorization commands 10 level2list local
aaa authorization commands 15 level3list local
!
!
aaa session-id common
!
!
!
ip cef
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
username tier1 password 0 cisco
username tier2 privilege 10 password 0 cisco
username tier3 privilege 15 password 0 cisco
username kevin privilege 15 password 0 qwerty
username admin privilege 15 password 0 cisco
archive
log config
hidekeys
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.0.1 255.255.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
!
router rip
network 172.16.0.0
!
!
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
authorization commands 1 level1list
authorization commands 10 level2list
authorization commands 15 level3list
login authentication telnetlist
!
scheduler allocate 20000 1000

!
webvpn cef
!
end
********************************************************
Here's some debugging output:
*Mar 4 02:15:31.441: AAA: parse name=tty514 idb type=-1 tty=-1
*Mar 4 02:15:31.441: AAA: name=tty514 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=514 channel=0
*Mar 4 02:15:31.441: AAA/MEMORY: create_user (0x47C99C44) user='tier1' ruser='NewYork' ds0=0 port='tty514' rem_addr='172.16.0.11' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 4 02:15:31.441: tty514 AAA/AUTHOR/CMD(2200560757): Port='tty514' list='level3list' service=CMD
*Mar 4 02:15:31.441: AAA/AUTHOR/CMD: tty514(2200560757) user='tier1'
*Mar 4 02:15:31.441: tty514 AAA/AUTHOR/CMD(2200560757): send AV service=shell
*Mar 4 02:15:31.441: tty514 AAA/AUTHOR/CMD(2200560757): send AV cmd=terminal
*Mar 4 02:15:31.441: tty514 AAA/AUTHOR/CMD(2200560757): send AV cmd-arg=monitor
*Mar 4 02:15:31.441: tty514 AAA/AUTHOR/CMD(2200560757): send AV cmd-arg=
*Mar 4 02:15:31.441: tty514 AAA/AUTHOR/CMD(2200560757): found list "level3list"
*Mar 4 02:15:31.441: tty514 AAA/AUTHOR/CMD(2200560757): Method=LOCAL
*Mar 4 02:15:31.441: AAA/AUTHOR (2200560757): Post authorization status = PASS_ADD
*Mar 4 02:15:31.441: AAA/MEMORY: free_user (0x47C99C44) user='tier1' ruser='NewYork' port='tty514' rem_addr='172.16.0.11' authen_type=ASCII service=NONE priv=15 vrf= (id=0)
**************************************************
Thanks for the help!


aryoba
Premium,MVM
join:2002-08-22
kudos:4

said by kpeterson:

aaa new-model
!
!
aaa authentication login telnetlist local
aaa authorization commands 1 level1list local
aaa authorization commands 10 level2list local
aaa authorization commands 15 level3list local
!
!
aaa session-id common
username tier1 password 0 cisco
username tier2 privilege 10 password 0 cisco
username tier3 privilege 15 password 0 cisco
username kevin privilege 15 password 0 qwerty
username admin privilege 15 password 0 cisco
!
line con 0
line aux 0
line vty 0 4
authorization commands 1 level1list
authorization commands 10 level2list
authorization commands 15 level3list
login authentication telnetlist
!
On username command, note that the account is set to have privilege level of 15 by default. Try to distinguish the privilege level among accounts; pretty much like account kevin (privilege 15) and tier2 (privilege 10).


kpeterson

@P-POOL.MARIST.EDU
reply to kpeterson

Oops -- I guess I was really tired when I set that up last night. I did mean to give tier1 privilege level 1. I should note that it did exactly the same thing last night when I logged in with tier2 -- that is, assign me privilege level 15 -- and the same thing when I configured this router a few days ago, when I know I assigned a privilege level of 1 to tier1. Any other ideas as to what is happening?

Thanks for the replies.
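The posted running-config and the debug output above are the kind of thing a reviewer wants to check mechanically rather than by eye. The script below is an added example written for this page, not code from any poster or from Cisco; it audits an IOS running-config for the pitfalls this thread circles around. It assumes the IOS defaults it relies on: a username entry with no privilege keyword gets privilege 1; the privilege level from a username entry is applied at login only when aaa authorization exec is configured; the local method holds nothing finer than a privilege level per user, so command lists with only the local method behave identically for levels 1 through 14 unless privilege commands define what each level may run, and per-user command sets need TACACS+. The two embedded configs are constructed: WEAK_CONFIG is trimmed from the one posted in the thread, and FIXED_CONFIG is a counterpart with each finding addressed (passwords are placeholders). A real audit would run against the output of show running-config.

```python
"""Audit a Cisco IOS running-config for AAA / privilege-level pitfalls.

Added example for this page, not code from the original thread. The two
sample configs are constructed (trimmed from the posted config and a fixed
counterpart); the IOS defaults relied on are stated in the comments.
"""
import re
from dataclasses import dataclass

# Constructed sample, trimmed from the config posted in the thread.
WEAK_CONFIG = """\
no service password-encryption
aaa new-model
aaa authentication login telnetlist local
aaa authorization commands 1 level1list local
aaa authorization commands 10 level2list local
aaa authorization commands 15 level3list local
username tier1 password 0 cisco
username tier2 privilege 10 password 0 cisco
username tier3 privilege 15 password 0 cisco
ip http server
no ip http secure-server
line vty 0 4
 authorization commands 1 level1list
 authorization commands 10 level2list
 authorization commands 15 level3list
 login authentication telnetlist
"""

# Constructed counterpart with each finding addressed (placeholder secrets).
# 'privilege exec level 10 ...' is what actually gives level 10 a command set
# that differs from level 1; the local method cannot do that per user.
FIXED_CONFIG = """\
service password-encryption
aaa new-model
aaa authentication login telnetlist local
aaa authorization exec default local
aaa authorization commands 1 default local
aaa authorization commands 10 default local
aaa authorization commands 15 default local
username tier1 privilege 1 secret Tier1-Pl4ceholder
username tier2 privilege 10 secret Tier2-Pl4ceholder
username tier3 privilege 15 secret Tier3-Pl4ceholder
privilege exec level 10 show running-config
no ip http server
line vty 0 4
 login authentication telnetlist
 transport input ssh
"""

USERNAME_RE = re.compile(
    r"^username (\S+)(?: privilege (\d+))? (password|secret)(?: (\d))? \S+$")
AUTHOR_CMD_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")


@dataclass
class User:
    name: str
    privilege: int  # IOS default is 1 when the keyword is omitted
    kind: str       # "password" (type 0/7, reversible) or "secret" (hashed)


def parse_users(config):
    """Return username entries with the privilege level IOS will apply."""
    users = []
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            name, priv, kind, _enc = m.groups()
            users.append(User(name, int(priv) if priv else 1, kind))
    return users


def vty_block(config):
    """Lines of the 'line vty ...' section (indented continuation lines)."""
    block, inside = [], False
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            inside = True
        elif inside and not raw.startswith(" "):
            inside = False
        elif inside:
            block.append(raw.strip())
    return block


def audit(config):
    """Return human-readable findings; an empty list means nothing flagged."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    if "no service password-encryption" in lines:
        findings.append("no service password-encryption: type 0 passwords shown in clear")
    for u in parse_users(config):
        if u.kind == "password":
            findings.append(f"username {u.name}: reversible 'password'; use 'secret'")
    cmd_lists = [(int(m.group(1)), m.group(2), m.group(3).split())
                 for m in map(AUTHOR_CMD_RE.match, lines) if m]
    has_exec = any(l.startswith("aaa authorization exec ") for l in lines)
    if cmd_lists and not has_exec:
        findings.append("aaa authorization commands without aaa authorization exec: "
                        "the privilege level in 'username' is not applied at login")
    has_priv_cmds = any(l.startswith("privilege ") for l in lines)
    if cmd_lists and all(m == ["local"] for _, _, m in cmd_lists) and not has_priv_cmds:
        findings.append("command lists use only the local method and no 'privilege' "
                        "commands exist: levels 2-14 run the same commands as level 1, "
                        "and the local database carries no per-user command policy")
    if "ip http server" in lines:
        findings.append("ip http server: cleartext management over HTTP")
    if "transport input ssh" not in vty_block(config):
        findings.append("line vty: telnet accepted (no 'transport input ssh')")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Running it prints eight findings for the weak config (plaintext passwords for all three tier accounts, no exec authorization, three local-only command lists with no privilege commands, HTTP management, and telnet on the vty lines) and none for the fixed one. Note that the fixed config still only separates level 10 from level 1 by the privilege commands you define; if the goal is a different command set per user rather than per level, the local method cannot express it and a TACACS+ server is the usual answer.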