 | [Config] user account on cisco router 2611
I am trying to configure user accounts on the Cisco router 2611.
For a basic user, he/she can log on to the router, then can run sh int whatever, can ping, and can reload the router.
For an admin, he/she can log on to the router, run config t and do whatever config he/she wants.
I googled it but I still don't understand the privilege stuff. Please help. Thx, Louis |
 NOCManMacChatterPremium join:2004-09-30 Colorado Springs, CO | Not sure why you would want a regular user to be able to reboot the router, but I'm not sure you can restrict it that way. I've never done a lot of that kind of restriction config for user accounts. |
 | There are 2 ways you can be granular about which CLI commands a user is allowed or not allowed to use:
1) Role based CLI »www.cisco.com/en/US/docs/ios/sec···cli.html
2) TACACS+ »www.cisco.com/en/US/products/sw/···38.shtml |
 nosx join:2004-12-27 00000 kudos:5 2 edits | You could do something like this:
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username god privilege 15 secret asdf
username joe privilege 0 secret qwer
privilege exec level 0 reload
privilege exec level 0 traceroute
privilege exec level 0 ping ip
privilege exec level 0 ping
privilege exec level 0 terminal monitor
privilege exec level 0 terminal no monitor
privilege exec level 0 terminal no
privilege exec level 0 terminal
privilege exec level 15 show hardware pxf cpu cef
privilege exec level 0 show hardware
privilege exec level 0 show running-config
privilege exec level 0 show configuration
privilege exec level 0 clear counters
privilege exec level 0 clear line
privilege exec level 0 clear
privilege exec level 15 show interface monitor
privilege exec level 0 show interface
 aryobaPremium,MVM join:2002-08-22 kudos:1 | ladino and nosx already pointed you in the right direction. As a note, you can define which commands a user can or cannot issue either locally on the device itself (in this case, the router) or centrally using some AAA server (for instance, a TACACS server). nosx showed some sample configuration of the locally-defined commands.
As a general concept, you don't need to specify which commands users with privilege level 15 can or cannot issue, since by default privilege-level-15 users can issue any command, considering privilege level 15 is the highest privilege level there can be.
In some cases, you might need to define some commands that privilege-level-0 users can issue, in case by default such commands are not privilege-level-0 commands. In other words, you need to lower the level of such commands from, let's say, privilege level 15 to privilege level 0 so that privilege-level-0 users can issue the commands, typically for troubleshooting purposes. |
 nosx join:2004-12-27 00000 kudos:5 1 edit | You are mostly right about the priv level; the privilege exec level 15 stuff is actually a little backwards though.
If I grant a privilege level 0 user show hardware, they can by default run 'show hardware pxf cpu cef'. This is because you are granting them a tree of commands rather than just that one command.
By explicitly defining 'show hardware pxf cpu cef' as level 15 you can make sure that the level 0 user can't run that command but can run all the other show hardware commands and sub-commands.
There are some show commands that are just too processor intensive to let tier 1/2 folk run. They might run them just out of curiosity and take down a large switch/router. They should be done off hours by engineers (and usually TAC) to analyze the results. |
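The command-tree behaviour nosx describes, as an added model (not code from the thread or from Cisco): a `privilege exec level N <cmd>` line is treated as applying to the whole subtree under `<cmd>`, and the longest matching entry wins, which is what lets a more specific level-15 entry carve one command out of a level-0 subtree. Real IOS also rewrites parent commands in the running config; this model only does longest-prefix matching, and the privilege lines it parses are taken from nosx's earlier post.

```python
"""Model of IOS privilege-level resolution over a command tree.

Added example: models the subtree/longest-prefix behaviour described in
the thread. Anything not re-levelled keeps the IOS default of 15.
"""

DEFAULT_LEVEL = 15


def parse_privilege_lines(config):
    """Return {command-tuple: level} from 'privilege exec level N cmd' lines."""
    table = {}
    for line in config.strip().splitlines():
        parts = line.split()
        if parts[:3] == ["privilege", "exec", "level"]:
            table[tuple(parts[4:])] = int(parts[3])
    return table


def command_level(table, command):
    """Longest matching prefix decides; unmatched commands keep the default."""
    words = tuple(command.split())
    for n in range(len(words), 0, -1):
        if words[:n] in table:
            return table[words[:n]]
    return DEFAULT_LEVEL


def allowed(table, user_level, command):
    """A user may run a command whose level is at or below their own."""
    return user_level >= command_level(table, command)


# Constructed from the privilege lines nosx posted in the thread.
NOSX_CONFIG = """
privilege exec level 0 reload
privilege exec level 0 ping
privilege exec level 15 show hardware pxf cpu cef
privilege exec level 0 show hardware
privilege exec level 15 show interface monitor
privilege exec level 0 show interface
"""
TABLE = parse_privilege_lines(NOSX_CONFIG)

if __name__ == "__main__":
    for cmd in ("show hardware", "show hardware pxf cpu cef",
                "show interface FastEthernet0/0", "configure terminal"):
        print(f"{cmd:32} level-0 user allowed: {allowed(TABLE, 0, cmd)}")
```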
 | Thank you deepblackmg, aryoba, ladino, NOCman. Thanks for your information. I appreciate it.
Now, if I use aaa new-model, will my telnet login and console login I configured before be gone? With that said, if I create a user with privilege 15, I will be using this user account to login with telnet and console, right?
I have this configured.
enable secret 5 xxxxxxxxxxxxxxxxxxxxx
line con 0
 password 7 xxxxxxxxxxxxxxxx
 login
line aux 0
line vty 0 4
 password 7 xxxxxxxxxxxxxxxx
 login |
 nosx join:2004-12-27 00000 kudos:5 | The line login and enable passwords are somewhat antiquated; you can remove them and go with per-user authentication under the lines:
aaa new-model
aaa authentication login default local
aaa authentication login AAA_AUTH_LOCAL local
aaa authorization exec default local
aaa session-id common
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
history size 256
transport preferred none
line vty 0 15
exec-timeout 0 0
privilege level 15
logging synchronous
login authentication AAA_AUTH_LOCAL
history size 256
transport preferred none
transport input telnet ssh
 nosx join:2004-12-27 00000 kudos:5 1 edit | As an added side thought, I'll paste some sample TACACS auth config in case you want to set up tac_plus (free/open source) on a Linux/BSD VM to play:
aaa new-model
! Important - create a local user in case tacacs is unreachable!
! ("secret 5" expects an already-hashed string; give the plaintext and IOS hashes it)
username BACKUPUSER privilege 15 secret BACKUPPASSWORD123@
! Define multiple tacacs servers.
tacacs-server host 3.11.0.53 key TACACSKEY
tacacs-server host 10.0.0.53 key TACACSKEY
! Create a AAA group for those tacacs servers.
aaa group server tacacs+ AAA_GROUP_TACACS
server 10.0.0.53
server 3.11.0.53
! force tacacs requests to source from a given interface / IP.
ip tacacs source-interface Loopback0
exit
aaa authentication login default line
! Define a AAA authentication group for our tacacs aaa group.
! if tacacs is unavailable, fall back to local authentication.
aaa authentication login AAA_AUTH_TACACS group AAA_GROUP_TACACS local
! Define a AAA authorization group for our tacacs aaa group.
! if tacacs is unavailable, fall back to local authorization.
aaa authorization exec default group AAA_GROUP_TACACS local if-authenticated
! Define a AAA accounting group for our tacacs aaa group.
aaa accounting exec default start-stop group AAA_GROUP_TACACS
aaa accounting commands 1 default start-stop group AAA_GROUP_TACACS
aaa accounting commands 15 default start-stop group AAA_GROUP_TACACS
line con 0
exec-timeout 0 0
logging synchronous
login authentication AAA_AUTH_TACACS
history size 256
transport preferred none
exit
line aux 0
no exec
transport preferred none
transport input telnet
exit
line vty 0 127
access-class ACL_PROTECT_VTY0-4 in
exec-timeout 0 0
logging synchronous
login authentication AAA_AUTH_TACACS
history size 256
transport preferred none
transport input ssh
exit
If you can't afford the Cisco Secure ACS TACACS+ server software, this is an example configuration for the open source tac_plus daemon:
# /usr/local/etc/tac_plus.conf
key = TACACSKEY
user=SOMEADMIN {
name = "SOME ADMIN"
login = cleartext SECRETPASS
pap = cleartext SECRETPASS
enable = cleartext SECRETPASS
member = admin
}
group = admin {
default service = permit
service = exec {
priv-lvl = 15
}
# group members who have no expiry date set will use this one
expires = "Jan 1 2038"
}
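An added model of the method list `aaa authentication login AAA_AUTH_TACACS group AAA_GROUP_TACACS local` from the config above (example code, not from the thread or Cisco): IOS only moves to the next method when the current one returns an error (no server in the group answered), never when a server answers with a reject, so the BACKUPUSER account only ever comes into play while every TACACS+ server is unreachable. The server behaviour and credentials below are constructed for the demo.

```python
"""Model of an IOS AAA login method list with TACACS+ then local fallback.

Added example: only ERROR (nothing answered) advances to the next method;
FAIL (a server rejected the credentials) ends the attempt.
"""

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def tacacs_group(servers):
    """Method for an 'aaa group server tacacs+': first server that answers decides."""
    def method(user, password):
        for server in servers:
            verdict = server(user, password)
            if verdict != ERROR:
                return verdict
        return ERROR  # no server in the group was reachable
    return method


def local_db(users):
    """Method for 'local': the username/secret lines on the router itself."""
    return lambda user, password: PASS if users.get(user) == password else FAIL


def authenticate(method_list, user, password):
    """Walk the method list; only an ERROR lets the next method run."""
    for method in method_list:
        verdict = method(user, password)
        if verdict != ERROR:
            return verdict
    return FAIL  # every method errored: the login is denied


# Constructed servers: one that is down and one that knows SOMEADMIN
# (the tac_plus user above; the password is the placeholder from that file).
def down_server(user, password):
    return ERROR


def reachable_server(user, password):
    return PASS if (user, password) == ("SOMEADMIN", "SECRETPASS") else FAIL


# BACKUPUSER is the local fallback account from the router config above.
LOCAL = local_db({"BACKUPUSER": "BACKUPPASSWORD123@"})
TACACS_UP = [tacacs_group([down_server, reachable_server]), LOCAL]
TACACS_DOWN = [tacacs_group([down_server, down_server]), LOCAL]
```

Because a reachable server's reject is final, a local account that is not also defined on the TACACS+ server cannot log in until every server is down, which is exactly the break-glass behaviour the `! Important` comment is asking for.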
 aryobaPremium,MVM join:2002-08-22 kudos:1 | reply to movieguy2012, said by movieguy2012:
Now, if I use aaa new-model, will my telnet login and console login I configured before be gone? With that said, if I create a user with privilege 15, I will be using this user account to login with telnet and console, right?
I have this configured.
enable secret 5 xxxxxxxxxxxxxxxxxxxxx
line con 0
 password 7 xxxxxxxxxxxxxxxx
 login
line aux 0
line vty 0 4
 password 7 xxxxxxxxxxxxxxxx
 login

The enable secret and the password under line con and vty will not be gone. The passwords instead will be inactive once you activate the aaa new-model command. In other words, you don't need the password since AAA will take over all login business to the router. Depending on your router's AAA configuration, the enable secret will still be active.
Once a proper AAA configuration is in place, you can log into the router either via telnet or console as any privilege-level user, either as a privilege-level-0 or -15 user, as defined in your AAA user database. Just use the proper username and password to log in and you should be in good shape. |