movieguy2012

@cuny.edu

[Config] user account on cisco router 2611

I am trying to configure user accounts on the Cisco 2611 router.

For a basic user, he/she can log on to the router, then run sh int whatever, ping, and reload the router.

For an admin, he/she can log on to the router, run config t and do whatever config he/she wants.

I googled it but I still don't understand the privilege stuff.
Please help.
Thanks.
Louis


NOCMan
MadMacHatter
Premium
join:2004-09-30
Colorado Springs, CO
Not sure why you would want a regular user to be able to reboot the router, but I'm not sure you can restrict it that way. I've never done a lot of that kind of restriction config for user accounts.

ladino

join:2001-02-24
USA
kudos:1
There are 2 ways you can be granular about which CLI commands a user is or is not allowed to use:

1) Role based CLI
»www.cisco.com/en/US/docs/ios/sec ··· cli.html

2) TACACS+
»www.cisco.com/en/US/products/sw/ ··· 38.shtml

nosx

join:2004-12-27
00000
kudos:5

2 edits
You could do something like this:
aaa new-model
aaa authentication login default local
aaa authorization exec default local 
 
username god privilege 15 secret asdf
username joe privilege 0  secret qwer
 
privilege exec level 0 reload
privilege exec level 0 traceroute
privilege exec level 0 ping ip
privilege exec level 0 ping
privilege exec level 0 terminal monitor
privilege exec level 0 terminal no monitor
privilege exec level 0 terminal no
privilege exec level 0 terminal
privilege exec level 15 show hardware pxf cpu cef
privilege exec level 0 show hardware
privilege exec level 0 show running-config
privilege exec level 0 show configuration
privilege exec level 0 clear counters
privilege exec level 0 clear line
privilege exec level 0 clear
privilege exec level 15 show interface monitor
privilege exec level 0 show interface
 

aryoba
Premium,MVM
join:2002-08-22
kudos:6
ladino and nosx already pointed you in the right direction. As a note, you can define which commands a user can or cannot issue either locally on the device itself (in this case, the router) or centrally using some AAA server (for instance, a TACACS server). nosx showed some sample configuration of the locally-defined commands.

As a general conception, you don't need to specify which commands users with privilege level 15 can or cannot issue, since by default privilege-level-15 users can issue any command, considering privilege level 15 is the highest privilege level there can be.

In some cases, you might need to define some commands that privilege-level-0 users can issue, in case such commands are not privilege-level-0 commands by default. In other words, you need to lower the level of such commands from, let's say, privilege level 15 to privilege level 0 so that privilege-level-0 users can issue the commands, typically for troubleshooting purposes.

nosx

join:2004-12-27
00000
kudos:5

1 edit
You are mostly right about the priv level; the privilege exec level 15 stuff is actually a little backwards though.

If I grant a privilege level 0 user show hardware, they can by default run 'show hardware pxf cpu cef'. This is because you are granting them a tree of commands rather than just that one command.

By explicitly defining 'show hardware pxf cpu cef' as level 15 you can make sure that the level 0 user can't run that command but can run all the other show hardware commands and sub-commands.

There are some show commands that are just too processor intensive to let tier 1/2 folk run. They might run them just out of curiosity and take down a large switch/router. They should be done off hours by engineers (and usually TAC) to analyze the results.
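The prefix-matching behaviour nosx describes, modelled as an added Python example (not from the thread or from Cisco): it parses the privilege statements posted above as constructed input and resolves the level of a typed command by its longest configured prefix, so lowering `show hardware` to 0 drags the whole subtree down unless a longer entry pins part of it back to 15. The default level of 1 for unlisted EXEC commands is an assumption of the model.

```python
# Added illustration, not part of the thread: a small model of how IOS resolves
# "privilege exec level N <command>" statements. The longest configured prefix
# of the typed command decides its level.
# Assumption: EXEC commands with no matching entry default to level 1.

DEFAULT_EXEC_LEVEL = 1  # assumed default for unlisted user-EXEC commands

# Constructed sample input: the privilege statements posted earlier in the thread.
SAMPLE_CONFIG = """
privilege exec level 0 reload
privilege exec level 0 traceroute
privilege exec level 0 ping
privilege exec level 15 show hardware pxf cpu cef
privilege exec level 0 show hardware
privilege exec level 0 show running-config
privilege exec level 0 clear counters
privilege exec level 15 show interface monitor
privilege exec level 0 show interface
"""


def parse_privilege_config(text):
    """Return {command-word-tuple: level} from 'privilege exec level N ...' lines."""
    table = {}
    for line in text.splitlines():
        words = line.split()
        if words[:3] != ["privilege", "exec", "level"]:
            continue  # skip blank lines and unrelated statements
        table[tuple(words[4:])] = int(words[3])
    return table


def command_level(table, command):
    """Level required for `command`: the longest configured prefix wins."""
    words = tuple(command.split())
    for n in range(len(words), 0, -1):  # try the full command first, then shorter prefixes
        if words[:n] in table:
            return table[words[:n]]
    return DEFAULT_EXEC_LEVEL


def can_run(table, user_level, command):
    """A user may run a command whose level is <= their own privilege level."""
    return user_level >= command_level(table, command)


if __name__ == "__main__":
    table = parse_privilege_config(SAMPLE_CONFIG)
    for cmd in ("show hardware", "show hardware pxf cpu cef", "show interface monitor",
                "show interface FastEthernet0/0", "show version"):
        verdict = "allowed" if can_run(table, 0, cmd) else "denied"
        print(f"level-0 user: {cmd!r:34} -> {verdict}")
```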


movieguy2012

@cuny.edu
Thank you deepblackmg, aryoba, ladino, NOCman. Thanks for your information. I appreciate it.

Now, if I use aaa new-model, will the telnet login and console login I configured before be gone? With that said, if I create a user with privilege 15, I will be using this user account to log in with telnet and console, right?

I have this configured.

enable secret 5 xxxxxxxxxxxxxxxxxxxxx

line con 0
password 7 xxxxxxxxxxxxxxxx
login
line aux 0
line vty 0 4
password 7 xxxxxxxxxxxxxxxx
login

nosx

join:2004-12-27
00000
kudos:5
The line login and enable passwords are somewhat antiquated; you can remove them and go with per-user authentication under the lines:
aaa new-model
aaa authentication login default local
aaa authentication login AAA_AUTH_LOCAL local
aaa authorization exec default local 
aaa session-id common
 
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 history size 256
 transport preferred none
 
line vty 0 15
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login authentication AAA_AUTH_LOCAL
 history size 256
 transport preferred none
 transport input telnet ssh
 

nosx

join:2004-12-27
00000
kudos:5

1 edit
As an added side thought, I'll paste some sample tacacs auth config in case you want to set up tac_plus (free/open source) on a Linux/BSD VM to play:
aaa new-model
 
! Important - create a local user in case tacacs is unreachable!
! (a plaintext secret is entered without the "5" hash-type keyword; IOS hashes it itself)
username BACKUPUSER privilege 15 secret BACKUPPASSWORD123@
 
! Define multiple tacacs servers.
tacacs-server host 3.11.0.53 key TACACSKEY
tacacs-server host 10.0.0.53 key TACACSKEY
 
! Create an AAA group for those tacacs servers.
aaa group server tacacs+ AAA_GROUP_TACACS
  server 10.0.0.53
  server 3.11.0.53
  ! force tacacs requests to source from a given interface / IP.
  ip tacacs source-interface Loopback0
 exit
 
aaa authentication login default line
! Define an AAA authentication method list for our tacacs aaa group.
!   if tacacs is unavailable, fall back to local authentication.
aaa authentication login AAA_AUTH_TACACS group AAA_GROUP_TACACS local
! Define an AAA authorization method list for our tacacs aaa group.
!   if tacacs is unavailable, fall back to local authorization.
aaa authorization exec default group AAA_GROUP_TACACS local if-authenticated 
! Define AAA accounting method lists for our tacacs aaa group.
aaa accounting exec default start-stop group AAA_GROUP_TACACS
aaa accounting commands 1 default start-stop group AAA_GROUP_TACACS
aaa accounting commands 15 default start-stop group AAA_GROUP_TACACS
 
line con 0
  exec-timeout 0 0
  logging synchronous
  login authentication AAA_AUTH_TACACS
  history size 256
  transport preferred none
 exit
 
line aux 0
  no exec
  transport preferred none
  transport input telnet
 exit
 
line vty 0 127
  access-class ACL_PROTECT_VTY0-4 in
  exec-timeout 0 0
  logging synchronous
  login authentication AAA_AUTH_TACACS
  history size 256
  transport preferred none
  transport input ssh
 exit
 

If you can't afford the Cisco Secure ACS tacacs+ server software, this is an example configuration for the open-source tac_plus daemon:
# /usr/local/etc/tac_plus.conf
 
key = TACACSKEY
 
user=SOMEADMIN {
    name = "SOME ADMIN"
    login = cleartext SECRETPASS
    pap = cleartext SECRETPASS
    enable = cleartext SECRETPASS
    member = admin
}
 
group = admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
    # group members who have no expiry date set will use this one
    expires = "Jan 1 2038"
}
 

aryoba
Premium,MVM
join:2002-08-22
kudos:6
reply to movieguy2012
said by movieguy2012 :

Now, if I use aaa new-model, will the telnet login and console login I configured before be gone? With that said, if I create a user with privilege 15, I will be using this user account to log in with telnet and console, right?

I have this configured.

enable secret 5 xxxxxxxxxxxxxxxxxxxxx

line con 0
password 7 xxxxxxxxxxxxxxxx
login
line aux 0
line vty 0 4
password 7 xxxxxxxxxxxxxxxx
login
The enable secret and the passwords under line con and vty will not be gone. Instead, the line passwords will become inactive once you activate the aaa new-model command. In other words, you don't need those passwords, since AAA will take over all login business on the router. Depending on your router's AAA configuration, the enable secret will still be active.

Once a proper AAA configuration is in place, you can log into the router via either telnet or console as any privilege-level user, either as a privilege-level-0 or a privilege-level-15 user, as defined in your AAA user database. Just use the proper username and password to log in, and you should be in good shape.