pappyaar

AAA Easy to understand Tutorial.


Hi all.

Even before I started my studies for CCNP, there were two topics that fascinated me a lot: AAA and QoS. My exposure to IOS wasn't even at newbie level, and I tried to study AAA, which resulted in frustration and failure. At that time there wasn't much guidance; I didn't know about the existence of forums and so on, so there was simply no one to point me in the right direction. After getting a bit of hands-on with IOS, I tried again and failed miserably. I wasn't getting a single word of what was happening in AAA!!! It was becoming a mystery as I proceeded with my studies. But the interest never lacked. What issues did I actually face?

 

1) Lack of confidence with IOS
2) No proper working examples found anywhere.
3) The "reading between the lines" aptitude that Cisco docs demand
4) OK!! I have configured it at last, but what has happened? (Verification of the task configured)
5) When should I use AAA? When shouldn't I?
6) What is this authorization everyone talks about?
7) Do I really need to understand this?

And a lot more confusion followed ;-)

 

In this long (perhaps very long) tutorial, I will try to cover the findings which are very rare to find in any books or docs. I haven't read all the books that contain the word AAA in them or in their context, but I referred to a few to solve some of the confusions, and all came up with 99% similar explanations and configs, not helping much. To be honest, I haven't read a single chapter in any book on AAA. It was all me and the Cisco docs in this small (yet interesting) journey of mine.

Note: This is the second topic after EEM that I have tried to understand completely using the Cisco docs.

 

What I don't cover in this tutorial (Yet/Never)?

Yet means I will add this in future if life/time permits.
<Never actually know when we shall lose the last of what we have>

Never means this topic will probably never be discussed in future.

1) ACS 3.3/4.x (YET)
2) Using AAA for services like PPP (Never).
3) Accounting (YET, it will be covered in detail with ACS)

 

Who should read this tutorial?

Anyone who has taken CCNA classes or done self study and has only been using

line vty 0 4
 password xx
 login

enable password
enable secret

If you have only used the above, you MUST read this tutorial :-).

 

How to read this?

Well, of course with your eyes, but actually: how to use this tutorial. If you have opened PT, simply close it and get dynamips/GNS3 running. All of our examples use IOS 12.4 and only 2 routers, so it will be easy for you to understand. You can use one router and a PC, because if I am not wrong PCs can be used in GNS3. I used a router because I was using dynamips.

 

Try out each and everything on your own, each and everything!!! Don't take any single comment or line for granted. You have no reason to trust me, nor anyone. Take it as a guide, compiling each and everything and presenting it here. It may contain errors (which I tried my level best to avoid).

This tutorial will take you from the ground up and a bit into intermediate level (can't call it expert level because experts might complain ;-) ).

OK, so in this tutorial we will be talking a lot about AA, i.e. authentication and authorization, leaving accounting alone for a while :-).

Let's get started.

 

Note: This tutorial consists of the basics you MUST know before you move on to AAA. I haven't discussed AAA yet in this part; it will be from part 3 onwards. Do read this if you want to make sure you know all the necessary stuff regarding access control.

 

What is Authentication?

Authentication is the process of identifying yourself to the questioning party. In our case this party is the router. The router performs authentication for 2 purposes:
1) When you are logging on to the router for monitoring/configuration purposes, and this is the main point that will be discussed here.
2) When the router is providing some services for users like PPP and others. This will not be discussed from this point onwards.

You can get a lot of useless theory on AAA, its benefits, and other crap easily in any book or anywhere. We will dive into technical details to see what is there for us, and what we can do with it.

Note: very important note. Keep in mind the context and scope of this tutorial. I am discussing authentication/authorization when a user is logging in to the router, NOT WHEN THE ROUTER IS DOING IT FOR SOME OF ITS SERVICES LIKE PPP, EASY-VPN etc.

 

Q) Is it necessary to perform authentication?
A) No. You can easily skip the authentication process. Remember that for local login, i.e. through the console port, authentication usually never happens. But when you log in remotely through telnet/ssh, you LAND on any of the available vty lines. These are software components to handle your remote sessions. In practice you must be telnetting to some interface IP, right? But in actual fact, when IOS receives any telnet/ssh request, it has to assign a LINE VTY x to handle this request. Since a separate line is dedicated to every user, all authentication/authorization processing and config parameters are dealt with/configured in line config mode only. Interfaces like ethernet/serial usually don't have any such parameters for authentication/authorization.

Q) OK!! hmmmm..... Can we skip authentication in remote sessions also, like console login?
A) Yes, and EASILY!! First observe something. When you configure your router from the default configuration, this is what you see.

 

line con 0
line aux 0
line vty 0 4
 login
!
!
end

 

Noticed some difference between line con 0 and line vty? Line vty 0 4 comes with the -login- command. This login command tells the router to prompt for the password in order to authenticate the user. Remove this command under line vty 0 4 using -no login-, and next time you telnet to this router you will not be asked for a password!!!

From now onwards, I will be using a simple topology: R1 and R2 connected via fas0/0 (you can use a PC in place of R2). We will always be configuring R1 and using R2 to telnet only to verify our points. The IP of R1 is 10.0.0.1 and R2 is 10.0.0.2.

 

Default telnet example!

R2# telnet 10.0.0.1
Trying 10.0.0.1 ... Open

Password required, but none set

[Connection to 10.0.0.1 closed by foreign host]
R2#

 

What just happened? The login command was configured by default, but no password was set, so R1 knew there is no point in authenticating when it doesn't have a password configured. So we usually set a password under line vty, remember! But since we want to skip authentication, simply remove the command by issuing -no login- under line vty 0 4.

 

After:

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open

R1>

What we observed above is called line authentication, because all we did was under line vty 0 4.

 

Q) That's good. But what just happened? I mean, I am confused as to what this R1> prompt is. I don't know what to ask, I am just confused!!!

A) Well, you'd better be. Let's talk about privilege levels in IOS. Have you heard about them?

YES. Good.
NO :-( Well, you just did ;-)

OK, what do privilege levels actually have to do with this question? When you telnet/ssh to the router, where do you expect to land? On a line vty of course, but Cisco didn't come up with a separate place to accommodate users; it decided that by default, if a user comes in via telnet/ssh or local console, it will put him in privilege level 1. So let's understand the myth behind privilege levels. IOS uses 16 privilege levels, numbered from 0 to 15.

 

Level 0 -> No-use mode; use it if you want someone to pull his hair out or hit his head on the wall ;-). There aren't any commands on this level to actually even see something!!!! See below.

 

R1#disable 0
R1>?
Exec commands:
  disable  Turn off privileged commands
  enable   Turn on privileged commands
  exit     Exit from the EXEC
  help     Description of the interactive help system
  logout   Exit from the EXEC

R1>show running
   ^
% Invalid input detected at '^' marker.

R1>conf t
   ^
% Invalid input detected at '^' marker.

R1> WHAT THE HELL AM I SUPPOSED TO DO HERE? WHO PUT ME HERE? TELL ME HIS NAME AND I WILL ........

 

This never happened to me, because there isn't much to do in privilege level 0. All you can do is get frustrated :-)

Level 1 -> user EXEC mode. You can do some basic monitoring stuff, like some basic show commands, ping, telnet, trace etc. BUT YOU CAN'T VIEW YOUR RUNNING-CONFIG/STARTUP-CONFIG AND CAN'T CONFIGURE ANYTHING HERE. -CONFIGURE- IS NOT HERE!!!

Level 15 -> privileged EXEC mode (call it king mode ;-) ). In this mode you can do anything. You can view anything and configure anything.

Basically, privilege levels define what rights a user has in that mode. By rights I essentially mean commands that a user can execute. As we saw, through privilege levels we can control which commands a user can execute. That's it!!!

 

Q) Where did we see this? You are cheating!!!!!!!

A) No, I am not. In privilege level 1 do -?- and check what commands you have. Then go to level 15 by doing -enable- and again do -?- and see the LARGE list of commands that weren't present in privilege level 1.

 

Q) OK OK, got it. So what's the use of the other privilege levels? When do I have to use them? WHY should I use them?

A) Answering first -> "Why should I use them". No one said you should. Just don't if you don't feel the need. I mean, if something is out there, that doesn't make it an obligation to actually use it!! I am using AAA and never ever felt a need to use any privilege levels other than the default ones. But that surely depends on my requirements. If your requirements are such that you may want to use privilege levels, then go for it. Don't worry, I will take you down the path myself ;-)

Now by default we just have 3 levels. The other levels are not actually there. Some say they are not present, some say they are not activated. This actually doesn't matter. Now carefully look below. I will try clearing up the meaning of the -enable- and -disable- commands.

 

R1#sh privilege
Current privilege level is 15
R1#

Now when you enter -enable password cisco-, the full syntax is

enable password [level <0-15>] LINE

R1(config)#enable password ?
  0      Specifies an UNENCRYPTED password will follow
  7      Specifies a HIDDEN password will follow
  LINE   The UNENCRYPTED (cleartext) 'enable' password
  level  Set exec level password

As you can see, when you don't enter a level, then level 15 is ASSUMED by default.

 

FACTS to remember.

1) When accessing via the console port

  1) The first level you LAND on will always be level 1 by default.

  2) No authentication is required for level 1 and level 15 by default, i.e. if you type -enable- you can successfully move to privilege level 15.

  R1>enable
  R1#

  3) You will use the disable command to move to a lower level.

  R1#disable
  R1>

When you enter either of these commands, you can mention the level you want to reach. If you don't specify any level, then the default for
enable is 15
disable is 1

So when you enter simply -enable- it means -enable 15-.
If you are in a lower privilege level, let's say level 1, and you want to go to a higher level, let's say 2:

R1>enable 2
% No password set
R1>

But if you are in a higher privilege level like 15 and want to downgrade to level 2, you don't need any password.

R1#disable 2
R1#sh privilege
Current privilege level is 2
R1#

So you must set an enable password for a particular level if you want to reach it from a lower level. You can do this in privilege level 15 like this:

R1#config ter
R1(config)#enable password level 2 cisco
% Converting to a secret. Please use "enable secret" in the future.

R1(config)#end
R1#disable 1
R1>enable 2
Password:
R1#

 

2) When accessing remotely

  1) The level that you get will always be privilege level 1 by default.
  2) Authentication is required by default for both level 1 and level 15.

Skipping authentication for level 1 has already been discussed above. Skipping authentication for level 15 will be discussed later.

Q) When!!!!!!!
A) Don't worry, in this tutorial I will cover it in more detail.

 

OK, so far you might not have seen anything that interesting. Very basic even for a CCNP. But don't underestimate it; there are things that might give you headaches if you start thinking them over ;-).

2nd session starting....

 

Q) When we access the router, whether via console or line vty 0 4, you said we fall into privilege level 1. Why is that so? Can we do something to log in to some other level? Like, let's say, can we directly go to level 15?

A) OK, let's see the default config again.

 

line con 0
line aux 0
line vty 0 4
 login
!
!
end

Now put on your infra-red glasses and see what the actual config is:

line con 0
 privilege level 1
line aux 0
 privilege level 1
line vty 0 4
 privilege level 1
 login

 

Interesting, isn't it? According to the defaults set on IOS, whenever a user logs in via ANY line, he is placed in privilege level 1. This command is there by default and is not shown in the running-config. If you change it to any other level, then it will appear in the running-config. This command simply tells which level a user will get if he comes in via console or via telnet/ssh. If you set it to level 15, then you will directly jump to level 15.

Now look at Facts to remember -> 2 -> 2:

"Authentication is required by default for both level 1 and level 15". Now also remember your question: can we skip authentication to level 15?

Getting any ideas on how to do this ;-)

1) Change the privilege level to 15 by issuing -privilege level 15- under line vty 0 4
2) Turn off line authentication using -no login-

 

R1 relevant config:

line vty 0 4
 privilege level 15
 no login

R2>telnet 10.0.0.1
Trying 10.0.0.1 ... Open

R1#sh privilege
Current privilege level is 15
R1#

 

Of course you can add authentication to this process. I have done this to answer the previous question.
1) Make sure you have set an enable password (or in actual fact <enable password level 15>).
2) -login- is configured under line vty 0 4 to perform line authentication.

R1 relevant config:

enable password cisco
!
!
line vty 0 4
 privilege level 15
 login

R2>telnet 10.0.0.1
Trying 10.0.0.1 ... Open

User Access Verification

Password:
R1#sh privi
Current privilege level is 15
R1#

I hope it's clear till here.
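To make the facts above concrete (console vs. remote landing level, -login- vs. -no login-, -privilege level- on the line, and when -enable- / -disable- ask for a password), here is a small Python model that I have added; it is not part of the original post and not Cisco code. The Line and Router classes, their field names and the "R1>" / "R1#" prompt strings are my own constructions; the refusal texts are the ones seen in the transcripts above ("Password required, but none set", "% No password set") plus IOS's "% Bad secrets" for a wrong enable password. A wrong line password is modelled as a re-prompt, and only a single line password is modelled; IOS's retry counting is left out.

```python
"""Toy model of IOS line authentication and privilege-level changes.

Added example, not from the original post and not Cisco code. It encodes the
rules the tutorial states: the console has no `login`, a vty has `login` but no
password by default, a line's hidden `privilege level` (1) is where you land,
`enable N` upwards needs the level-N enable password, `disable N` never does,
and the bare commands mean `enable 15` / `disable 1`.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Line:
    """The part of a `line con 0` / `line vty 0 4` config that matters here."""
    login: bool = True                 # `login` is present on vty lines by default
    password: Optional[str] = None     # `password ...` under the line, if any
    privilege_level: int = 1           # hidden default `privilege level 1`


@dataclass
class Router:
    vty: Line = field(default_factory=Line)
    console: Line = field(default_factory=lambda: Line(login=False))  # console: no `login`
    enable_passwords: Dict[int, str] = field(default_factory=dict)   # level -> password
    level: Optional[int] = None        # current EXEC level; None = no session
    on_console: bool = False

    def _prompt(self) -> str:
        # IOS shows '#' for every level above 1, not only for 15 (constructed hostname R1)
        return "R1#" if self.level is not None and self.level > 1 else "R1>"

    def login(self, line: Line, typed: Optional[str] = None) -> str:
        """Open an EXEC session on `line`; returns the first prompt or the refusal."""
        self.level = None
        self.on_console = line is self.console
        if line.login:
            if line.password is None:
                return "Password required, but none set"   # IOS closes the connection
            if typed != line.password:
                return "Password:"                          # IOS re-prompts (modelled as refusal)
        self.level = line.privilege_level
        return self._prompt()

    def enable(self, target: int = 15, typed: Optional[str] = None) -> str:
        """`enable [target]`: going up needs the enable password of the target level."""
        if self.level is None:
            raise RuntimeError("no session")
        if target <= self.level:
            self.level = target                  # sideways/downwards: no password
            return self._prompt()
        expected = self.enable_passwords.get(target)
        if expected is None:
            # Only the console may reach 15 with no enable password configured;
            # any other level, or any remote session, is refused.
            if target == 15 and self.on_console:
                self.level = 15
                return self._prompt()
            return "% No password set"
        if typed != expected:
            return "% Bad secrets"               # modelled as an immediate refusal
        self.level = target
        return self._prompt()

    def disable(self, target: int = 1) -> str:
        """`disable [target]`: lowering the level never needs a password."""
        if self.level is None:
            raise RuntimeError("no session")
        self.level = min(self.level, target)     # `disable` never raises a level
        return self._prompt()


def walkthrough() -> List[Tuple[str, str]]:
    """Replay the tutorial's telnet experiments; returns (step, output) pairs."""
    out = []
    r = Router()                                          # factory defaults
    out.append(("telnet, default vty", r.login(r.vty)))   # login set, no password
    r.vty.login = False
    out.append(("telnet, no login", r.login(r.vty)))      # lands in level 1
    out.append(("enable over vty, no secret", r.enable()))
    r.vty = Line(login=False, privilege_level=15)
    out.append(("telnet, priv 15 + no login", r.login(r.vty)))
    r.vty = Line(password="cisco12345", privilege_level=15)
    out.append(("telnet, priv 15 + line password", r.login(r.vty, "cisco12345")))
    return out


if __name__ == "__main__":
    for step, shown in walkthrough():
        print(f"{step:36} -> {shown}")
```

Run it and compare each line of the walkthrough with the corresponding transcript above; then change one field at a time (set a line password, add an enable password for level 2, log in on the console instead of the vty) and predict the output before running.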

 

Q) What if I configure a password under line vty 0 4? Which will take preference now: the level-specific password given through the enable password command, or the line-specific password?

A) IOS will obey what is configured under the line configuration, because that is where you are landing remotely. So consider this.

R1 relevant config:

enable secret cisco (you can use enable password as well, it doesn't matter)
!
!
line vty 0 4
 privilege level 15
 password cisco12345
 login

R2>telnet 10.0.0.1
Trying 10.0.0.1 ... Open

User Access Verification

Password: (entered enable password "cisco")

Password: (entered line password "cisco12345")
R1#sh privilege
Current privilege level is 15
R1#

 

Q) So far it's OK. But why do we actually need other privilege levels? They are there for some purpose, so what is that purpose, or are they really obsolete? Any ideas when I should be using them?
A) Why will you put a user in some other privilege level? The question remains..... because we haven't explored the levels yet. This is one step towards some tricky stuff the IOS does ;-)

Now on R1, first log in to enable mode (privilege 15). Now downgrade to levels 2 to 14, doing -?- on each level. Remember, if you are in level 2 and try moving to level 3 or any higher level (except level 15) you will be asked for a password. So for now simply go to enable mode every time and downgrade to the levels, like this:

R1#disable 2
R1#sh privi
Current privilege level is 2
R1#enable
R1#sh privi
Current privilege level is 15
R1#disable 3
R1#sh privi
Current privilege level is 3
R1#

You will see that there is almost the same set of commands on every privilege level!!!!

 

Q) So what's the use of all these privilege levels? I thought that as we move higher the more commands we would get, but it seems that all the privilege levels are the same, so it confuses more!!!
A) It's right that there aren't many useful commands in these privilege levels. Let's discuss a scenario in which you might be needing privilege levels. In this way it will make more sense.

1) You have 4 routers in your network that you manage.
2) You are not using any external AAA server, like ACS or any other.
3) A new guy has just joined, and you have appointed him in the support department. His job is to make sure that all the links between these routers (by the way, all these 4 routers are in different cities connected via WAN links like fiber, DXX etc.) are working fine. Primary links as well as backup links.
4) You must not allow him privilege level 15 since you don't yet trust his skills and are afraid that intentionally/unintentionally he may commit something wrong.
5) You met with your boss and discussed the issue.
6) Your boss said:
"OK fine, give him lower access to commands"
You said:
"Ahhh.. Sir, but we don't have any server to handle this"
Your boss:
"So find the solution, why do you think I am paying you $xx per month?"
You said (probably in your heart):
"Yes, to give him limited access without any AAA server. Yes, very nice, how the hell am I supposed to do that!!!!"
You said:
"OK sir, what access should I give him?"
Boss said:
"Do I have to tell you this? Are you managing the routers or am I? Why am I paying you ........"
7) Don't panic, let's get working.
Let's say we agree that for monitoring purposes, the guy must be able to shut and no shut the interfaces (which is risky from a new guy, but just do it :-) ). Allow him to view and change IP routes (again risky, ya ya I know).

 

Q) But how am I supposed to do this? There aren't any config commands in the lower levels, you said that yourself, so it means you were lying!!!!
A) Nope, I wasn't. But I never said I can't bring a command to a lower level ;-) Did I say that?

Q) Nope, not exactly. OK, so how do we do this?
A) Let's play ;-)

IOS provides us with a mechanism through which we can MOVE commands between levels. Confusing? Not anymore. If you recall, I said the -configure- command is present in level 15 only. I can bring this command to any lower level, EVEN LEVEL 0!!!!!

The command to do this is -privilege- in global configuration mode.

 

R1(config)#privilege ?
  exec
  configure
  interface
  --More--

Note: When you do -?- above, the list is exhaustive; I have just shown these 3 familiar terms for simplicity.

Now, without explanation, just look at what I am doing:

 

R1(config)#privilege exec level 0 configure
R1(config)#end
R1#disable 0
R1>?
Exec commands:
  configure  Enter configuration mode
  disable    Turn off privileged commands
  enable     Turn on privileged commands
  exit       Exit from the EXEC
  help       Description of the interactive help system
  logout     Exit from the EXEC

R1>configure ?
  <cr>

R1>configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)>?
Configure commands:
  call     Configure Call parameters
  default  Set a command to its defaults
  end      Exit from configure mode
  exit     Exit from configure mode
  help     Description of the interactive help system
  no       Negate a command or set its defaults

R1(config)>

Now can you see that the configure command is now in level 0!!! But you can also see there still isn't much you can do with this command, since it's empty.

 

Now first understand a simple behaviour of IOS. If a command is present in a lower level, that command WILL BE PRESENT IN ALL HIGHER LEVELS AS WELL. But vice versa is not true.

In level 0 we had the enable, disable etc. commands, right? Check it out: in privilege 15 you will have all of these commands as well. But there are many privilege 15 commands that are simply not there in level 0.

Now remember the above rule. A command in a lower level will be present in all higher levels that you can access.

Proof of concept:

R1(config)>end
R1>en
R1#
R1#sh privi
Current privilege level is 15
R1#disable 1
R1>?
Exec commands:
  access-enable   Create a temporary Access-List entry
  access-profile  Apply user-profile to interface
  clear           Reset functions
  configure       Enter configuration mode
  connect         Open a terminal connection

See!!! The configure command is now also present in level 1. It will be present in all levels above, up to level 15 ;-) Try logging in to other levels and see for yourself.

 

Clear?

Q) Ahhh...hmmmm. Why are you calling it "moving" commands to lower levels? It's simply copying. You have copied the command to lower levels, why confuse things with the word MOVING? Is your English that bad?
A) My English is very bad, but still not that bad. I said it for two reasons:

1) It's written in the Cisco docs
2) IT'S TRUE!!!

See, using the -privilege- command you simply change the default level of any command. Then the command will only exist on that level and the levels above, BUT NOT ON ANY LOWER LEVELS!!!

 

Proof of concept!

As we know, the configure command has its default level set to 15. It means that by default you can access this command only and only from privilege 15. Since our levels start from 0, all five commands present in level 0 have their default level set to 0. This makes sense, doesn't it? The commands at level 0 by default are:

  disable  Turn off privileged commands
  enable   Turn on privileged commands
  exit     Exit from the EXEC
  help     Description of the interactive help system
  logout   Exit from the EXEC

Now let's say I want to change the default level of the enable command from level 0 to, let's say, level 1. This means this command will be present from level 1 onwards, but not below!!!

R1(config)#privilege exec level 1 enable
R1(config)#end
R1#disab
*Jun 4 10:33:50.599: %SYS-5-CONFIG_I: Configured from console by console
R1#disable 0
R1>?
Exec commands:
  configure  Enter configuration mode
  disable    Turn off privileged commands
  exit       Exit from the EXEC
  help       Description of the interactive help system
  logout     Exit from the EXEC

R1>

As you can see, the enable command is MOVED to a higher level now. I hope you understand what is meant by MOVING the commands.

Summary: If a command is MOVED from a higher to a lower level, then it's merely copying. If a command is MOVED from a lower to a higher level, then indeed you have moved this command ;-)

 

Q) How will I know the default level of any command? Is it documented on the site or somewhere?
A) I don't think it's documented. But once you play around a lot with levels, logging in to different levels, you will be able to figure out the default level of a command.

Q) I didn't get it... HOW??
A) OK. Go to privilege 15, then disable to level 1. Do -?- and you will see a long list of commands, right? Subtract from this the set of commands of level 0 (which is just five commands); then all the remaining commands have their default level set to 1.

See. Can you do show in level 0 by default?

Q) No!!!!!
A) At which next level do you get this command?

Q) In privilege level 1 I can see this command!!!!!
A) That means show has a default level of 1. Privilege 15 and all other higher levels inherit it from level 1 ;-)

Q) Cool!!
A) Now let me take some rest.....

Q) NO REST for you. JUST EXPLAIN MORE!!!!
A) Fine... Let's understand the syntax of the -privilege- commands.

 

A quick review on how you play with commands in IOS:

R1#
(you are in exec mode)

R1#show running-config
(you issue this command in exec mode)

R1#ping 10.0.0.2
(you issue this command in exec mode)

R1#config term
(you issue this command in exec mode)

R1(config)# ip route x.x.x.x x.x.x.x x.x.x.x
(you issue this command in config mode)

R1(config)# interface ethernet 0/0
(you issue this command in config mode)

R1(config-if)# ip address 20.0.0.1 255.0.0.0
(you issue this command in interface mode)

 

Now let's recall our scenario.

Let's say I want this new guy (his name is Mr. A) to shut and no shut interfaces, right?

1) shut and no shut are interface-level commands.
2) For these commands to execute you must also allow the interface command.
3) For the interface command you must allow the configure command.
4) You must also allow the ip route command.

Now which privilege level to use? Well, we can use any level except 15. Once you are in 15 you can't filter commands without an AAA server.

Let's choose level 4 (it's totally random; you can select any level number of your choice from 0-14).

How many exec commands do I want to allow?
1) Allow Mr. A to show running-config so he can verify IP routes
2) Allow him sh ip int brief
3) Allow him the configure command

How many configure-level commands do I want to allow?
1) ip route
2) interface

How many interface-level commands do I want to allow?
1) shut
2) no shut

Now simply look at how I configure it. Remember you need to practice this as well to make more sense of it.

 

R1(config)#privilege exec ?
  all    All suboption will be set to the samelevel  <- (I will explain it after this example)
  level  Set privilege level of command  <- (this will be the level where you want TO MOVE the command. This will become the default level of the command specified after this keyword)
  reset  Reset privilege level of command  <- (I will explain it after this example)

R1(config)#privilege exec level 4 ?
  LINE  Initial keywords of the command to modify

R1(config)#privilege exec level 4 show running-config
R1(config)#privilege exec level 4 show ip int brief
R1(config)#privilege exec level 4 show ip route
R1(config)#privilege exec level 4 configure

Now let's put in the configure mode commands:

R1(config)#privilege configure level 4 ip route
R1(config)#privilege configure level 4 interface

Now let's put in the interface mode commands:

R1(config)#privilege interface level 4 shut
R1(config)#privilege interface level 4 no shut

Now look below for verification:

 

R1#disable 4
R1#sh privi
Current privilege level is 4

R1#sh ip int brief
Interface          IP-Address  OK? Method Status                Protocol
FastEthernet0/0    unassigned  YES unset  administratively down down
FastEthernet0/1    unassigned  YES unset  administratively down down

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

R1#sh running-config
Building configuration...

Current configuration : 133 bytes
!
boot-start-marker
boot-end-marker
!
!
!
!
!
!
interface FastEthernet0/0
 shutdown
!
interface FastEthernet0/1
 shutdown
!
!
!
end

R1#config
R1(config)#interface fas 0/0
R1(config-if)#?
Interface configuration commands:
  default   Set a command to its defaults
  exit      Exit from interface configuration mode
  help      Description of the interactive help system
  no        Negate a command or set its defaults
  shutdown  Shutdown the selected interface

 

Now check it on your CLI. Just take the very last result above. Everyone knows there are lots of commands under interface mode, but here you are seeing only the ones you allowed. OK, there are some defaults like help, exit, default, but that doesn't actually matter much.

Q) Is the running-config really that short? Or have you cut it to save space?
A) Remember that in any privilege level below 15, you will never see the whole configuration. You will only see the parameters you can configure. Over here you are seeing interfaces because you can configure them, right? You will also see IP routes if there are any. But in total, you will see only those items in the running-config that the user in THAT mode is ALLOWED to configure!! You are seeing interfaces because we have allowed the user in privilege 4 to configure interfaces.

For your practice, achieve the following tasks:
1) Give the user in privilege 4 rights to configure IP addresses on interfaces.
2) Configure some default and static routes via this interface from level 4.
3) Verify through the running-config.

 

 

Now let's discuss the other keywords.

R1(config)#privilege exec ?
  all    All suboption will be set to the samelevel
  reset  Reset privilege level of command

"all" is the wildcard that you can use to allow any command that BEGINS with this keyword, plus all other parameters of this parent command.

Q) What do you mean by parent command?
A) See, IOS follows a hierarchy similar to a tree structure, with a command being at the root level, then the second parameter(s) at the second level, and so on.

Let's take the example of the "show running-config" command. Visualize it like this:

--show
  |----> running-config
  |----> startup-config
  |----> ip
          |---> route
          |---> protocols
          |---> interface
                  |---> brief

Getting any idea?

Let's take the example of "show ip int brief".
If you want to allow -brief-, you MUST allow ITS parent command, which is -interface-.
To allow -interface- you MUST allow ITS parent command, which is -ip-.
To allow -ip- you must allow ITS parent command, which is -show-.

Having said this, let's look at the running-config of the previous configuration we did for privilege 4.

 

privilege interface level 4 shutdown
privilege interface level 4 no shutdown
privilege interface level 4 no
privilege configure level 4 ip route
privilege configure level 4 interface
privilege configure all level 4 ip
privilege exec level 4 configure
privilege exec level 4 show ip route
privilege exec level 4 show ip interface brief
privilege exec level 4 show ip interface
privilege exec level 4 show ip
privilege exec level 4 show running-config
privilege exec level 4 show

Got it!!! Recall how many commands you entered above. IOS will automatically allow the respective parent command of each command YOU want to allow. A clear example is -ip route-. You just allowed -ip route-, but IOS automatically placed -ip- as well. Because if you don't have access to the -ip- command, how will you have access to the -ip route- command?

OK now?

Q) Yes... so what were you telling about the "all" keyword?
A) OK. In the previous example we just allowed -ip route-, but IOS automatically put -ip- as well, right? However, there are many other commands that start with -ip-, but since you didn't allow them all, IOS only allowed -ip route-. Let's say you want to allow every command in configure mode that starts with -ip-.

 

Currently only ip route is allowed:

R1(config)#ip ?
Global IP configuration subcommands:
  route  Establish static routes

Now:
R1# (we are in level 15 now)
R1(config)#privilege configure all level 4 ip
R1(config)#end
R1#
R1#disable 4
R1#conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip ?
Global IP configuration subcommands:
  access-list           Named access-list
  accounting-list       Select hosts for which IP accounting information is kept
  accounting-threshold  Sets the maximum number of accounting entries
  accounting-transits   Sets the maximum number of transit entries
  address-pool          Specify default IP address pooling mechanism
  admission             Network Admission Control (NAC)
  alias                 Alias an IP address to a TCP port
  arp                   IP ARP global configuration
  as-path               BGP autonomous system path filter
  auth-proxy            Authentication Proxy
  bgp-community         format for BGP community
  bootp                 Config BOOTP services
  casa                  configure this router to participate in casa
  cef                   Cisco Express Forwarding
  classless             Follow classless routing forwarding rules
  community-list        Add a community list entry
  ddns                  Configure dynamic DNS
  default-gateway       Specify default gateway (if not routing IP)
  default-network       Flags networks as candidates for default routes
  device                Device tracking
  --More--

Is it clear now?

 

Now about the reset keyword. If you want to negate a configuration command you normally just put -no- in front of it. The -privilege- command does not work this way; try it and see for yourself. We use -reset- to undo the previous command:

 

R1# (we are in level 15 now)

R1(config)#privilege configure reset ?

LINE Initial keywords of the command to modify

 

R1(config)#privilege configure reset ip

R1(config)#end

R1#dis

*Mar 1 00:53:44.715: %SYS-5-CONFIG_I: Configured from console by console

R1#disable 4

R1#conf

Configuring from terminal, memory, or network [terminal]?

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#ip ?

% Unrecognized command

 

Oops. We reset -ip-, the parent command, so every command under it is denied as well, and -ip route- is gone with it. You need to re-add -ip route- as we did before. Do it yourself for the sake of practice.
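To make the three rules above concrete (the parent of an allowed command is allowed too, -all- covers the whole subtree, -reset- drops the prefix and everything under it), here is a small Python model of how IOS propagates -privilege- assignments. This is an added example written for this edit, not IOS code and not from the original tutorial; the command catalogue and the level defaults (user EXEC commands at 1, configuration commands at 15) are a constructed simplification of the real IOS parse tree.

```python
"""Model of how IOS -privilege- assignments propagate (added example, not IOS code).

It reproduces the three behaviours observed on the router above:
  * allowing a command at a level also lowers each parent prefix to that level,
  * the -all- keyword applies the level to every command under the prefix,
  * -reset- on a prefix removes the prefix AND everything beneath it.
The command catalogue is a small constructed sample, not the real IOS parse tree.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample of commands per mode, used only to answer "what does '?' show".
CATALOGUE = {
    "exec": ["show ip route", "show ip interface brief", "show running-config",
             "show version", "configure terminal", "ping"],
    "configure": ["ip route", "ip access-list", "ip cef", "interface", "router ospf"],
}
# IOS defaults: user EXEC commands live at level 1, configuration commands at 15.
DEFAULT_LEVEL = {"exec": 1, "configure": 15}


@dataclass
class PrivilegeTable:
    # (mode, command) -> level; one entry per "privilege <mode> level <n> <command>" line
    levels: Dict[Tuple[str, str], int] = field(default_factory=dict)
    # (mode, prefix) -> level; one entry per "privilege <mode> all level <n> <prefix>" line
    wildcards: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def allow(self, mode: str, level: int, command: str, all_keyword: bool = False) -> None:
        words = command.split()
        # The command and every parent prefix become reachable at this level
        # (you cannot type "ip route" without being allowed to type "ip").
        for n in range(1, len(words) + 1):
            prefix = " ".join(words[:n])
            current = self.levels.get((mode, prefix))
            if current is None or current > level:
                self.levels[(mode, prefix)] = level
        if all_keyword:
            self.wildcards[(mode, command)] = level

    def reset(self, mode: str, command: str) -> None:
        # "privilege <mode> reset <command>" is not "no privilege ...": it drops the
        # prefix and all its children, which is why "reset ip" also kills "ip route".
        def under(key: Tuple[str, str]) -> bool:
            return key[0] == mode and (key[1] == command or key[1].startswith(command + " "))
        for table in (self.levels, self.wildcards):
            for key in [k for k in table if under(k)]:
                del table[key]

    def level_of(self, mode: str, command: str) -> int:
        """Lowest level at which this exact command string is available."""
        if (mode, command) in self.levels:
            return self.levels[(mode, command)]
        for (m, prefix), lvl in self.wildcards.items():
            if m == mode and (command == prefix or command.startswith(prefix + " ")):
                return lvl
        return DEFAULT_LEVEL[mode]

    def visible(self, mode: str, level: int, command: str) -> bool:
        """True if a user at `level` can type the full command, word by word."""
        words = command.split()
        return all(self.level_of(mode, " ".join(words[:n])) <= level
                   for n in range(1, len(words) + 1))

    def available(self, mode: str, level: int) -> List[str]:
        """What '?' would list for a user at `level` (from the constructed catalogue)."""
        return [c for c in CATALOGUE[mode] if self.visible(mode, level, c)]

    def running_config(self) -> List[str]:
        """The privilege lines 'show running-config' would print."""
        lines = ["privilege %s level %d %s" % (m, l, c) for (m, c), l in self.levels.items()]
        lines += ["privilege %s all level %d %s" % (m, l, c) for (m, c), l in self.wildcards.items()]
        return sorted(lines)


if __name__ == "__main__":
    table = PrivilegeTable()
    table.allow("configure", 4, "ip route")
    print("level 4 sees:", table.available("configure", 4))
    table.allow("configure", 4, "ip", all_keyword=True)
    print("after 'all':", table.available("configure", 4))
    table.reset("configure", "ip")
    print("after 'reset ip':", table.available("configure", 4))
    print("\n".join(table.running_config()))
```

Run it and compare the three printed lists with the `ip ?` outputs shown above: after the reset, level 4 sees nothing under -ip- again, including -ip route-.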

 

Q) Ahh, OK, I got it. But how will Mr.A get this level when he logs on?

A) Like I told you above: change the privilege level under line vty 0 4 to 4.

 

Q) But this will put even me in level 4?

A) Have you configured a secure enable password for level 15?

Q) Yes, I have...

A) So log in to privilege 4. From there type -enable-; IOS will now ask for the level 15 enable password. Enter it and you are in 15.

 

Q) Hmmm. It's OK, but this isn't what I had in mind.

A) What did you have in mind?

Q) Something more technical and decent. This is just a workaround.

A) OK, fine. Buy an AAA server then....

Q) I can't!!!!

A) OK, fine. Let's look at the other side of how authentication/authorization works. But that will take place in the second session.

Q) This was the second session!!!

A) Fine, fine, I mean the 3rd session.

Edited by rainbow9810

I just finished reading, and I must admit your writing style is really cool; it kept me entertained all the time. Keep up the good work :) I have one question: how are privilege levels and views related in the real world?


Dear Thead, thanks for the nice comments :-). I will try my level best to make future tutorials more entertaining and worth reading.

 

Now regarding your question, I am assuming that you have configured both of them at least once.

 

Both of them are used to provide restricted access to users. Having said this, the restriction process is somewhat cumbersome in the case of privilege levels. Every privilege level consists of a default set of commands. Now let's say you want to give a user very restricted access so that he can run only the following commands

 

1) show ip int brief

2) show interfaces

3) show version

4) sh ip route

 

Now, before views existed, I could do this in 2 ways

1) Assign the user to level 0 and, with privilege commands, assign the above 4 commands to that level. This is perhaps the best way.

2) Assign the user to some other level, use a long list of privilege commands to remove all other commands, then add the above 4 commands.

 

Now remember, without an AAA server this had to be done, and was done, in the past. Views have an advantage over privilege levels because each view starts empty!! There are usually 2 or 3 default commands like enable, exit, show. Now you fill the view by adding commands to it in view configuration mode.

This gives the administrator more control in assigning rights (which commands can be executed) to users.

 

Which should you use when it comes to restricting user access?

Views are a bit more advanced in the sense that they give you easy configuration of which commands to add and which to exclude. But to be honest I did not find the difference very appealing; I can achieve almost the same thing without using views.

 

Keep in mind that all of the above discussion was about CLI-based views and not lawful intercept views.

 


Due to some issues, this part took longer than it was supposed to. I would highly recommend reviewing the previous part as a refresher. If it benefits anyone, even just a bit, then don't forget me in your prayers. Do provide me with your feedback and feel free to ask anything, but make sure that this tutorial does clear your concepts, because if it doesn't then all my effort will be in vain.

 

Enjoy.....

 

OK. The 2nd session is starting now....

 

 

Q) IT'S THE 3rd session!!!!!

A) Yes, fine, 3rd session. So how was your practice? Did you get everything we discussed last time? I am sure you must have done a LOT of practice, isn't it..

Q) Yes, understood everything, but didn't have time to practice.

A) Why not?

Q) Parties to attend, watching TV, etc. After all, we all have our social lives!!

A) Yeah, ..... right.

 

So let's get started. Any questions?

 

Q) Yes. Last time we limited Mr.A's access, but it wasn't very technical or something that felt right. I have seen people log in in some different style!! I just don't know what to ask, but I hope you understand...

A) Yes, I understand. Today we will move one step closer to actual AAA. First let's summarize what we did last time

 

1) How to skip authentication for both level 1 and level 15

2) What are priv levels

3) How to move between those levels

4) How to MOVE commands between these levels

5) What is the difference between MOVING a command from lower to higher and vice versa

6) Moving commands with -privilege- command

 

to name just a little of what we discussed previously.

So we did achieve our objective of limiting Mr.A's access, but not in the most appropriate way.

So today let's start AAA without using AAA.

 

Q) What? AAA without AAA. This is confusing!

A) Yes. Focus on what I explain below and it will clear everything up.

 

There are scenarios with multiple users needing different levels of access. Your manager, and probably you too, would have full access to your router, i.e. level 15. But this may not be true for junior or newly joined staff or interns. (Do you give access to interns at all?)

If everyone is treated the same, then perhaps there is no need for access-control mechanisms. But if people require different levels of access, then the method discussed previously and those discussed today and in the future should be taken into consideration.

 

Q) One more confusion. What do you mean by level of access?

A) Level of access essentially means two things

1) What the user can see (this includes the various show commands; debug could also be in here, but I doubt you will ever grant that command to anybody in the lower levels)

2) What the user can do (any command that performs some action: configuration commands like ip route, access-list, changing IP addresses etc., or monitoring actions like ping, traceroute etc.)

 

Q) OK, it's clear.

A) OK, our further discussion requires a scenario to follow.

 

Suppose, one week after Mr.A joined, Mr.B and Mr.C joined as well.

So you again went to your boss.

You: "Sir, we have two more joiners."

Boss: "You think I don't know that?"

You: "No, actually I mean to say, what about their access to the routers?"

Boss: "You are asking me this again? Why do you think I am paying you......"

The rest, I am sure, you know well ;-)

 

Mr.A has the same requirements as before. Mr.B has these requirements

1) In addition to Mr.A's access, he should also be allowed to configure network advertisement in OSPF and access-list configuration.

We will give him level 6 (totally arbitrary; give him any level above 4, which is Mr.A's, and below 15).

Mr.C's requirements are as follows

1) In addition to Mr.B's and Mr.A's access, he should also be allowed to apply access-lists on interfaces, plus he should be able to configure route-maps for policy-based routing.

We will give him level 8 (totally arbitrary; give him any level above 6, which is Mr.B's, and below 15).

 

Shall we proceed ?

 

Q) Route-maps for PBR only? You didn't mention whether he can apply them globally or on interfaces.

A) Nope, he shouldn't be allowed to apply them. PBR can surely cause a lot of havoc if not given proper thought. It should be you who applies it globally or on interfaces.

Q) But you allowed Mr.B to apply access-lists; isn't that risky and worth a thought too? What did you eat for breakfast?

A) Please, this is just an example!!!!

Q) Oh, OK. Please continue.

A) Yeah, right.

 

Now, if we just followed the previous method, what would the first step be?

1) Deal with the login process.

OK. As you know, under line vty we can only set one default privilege level for anyone landing on these lines.

Which level might that be?

Q) Hmmm, level 8. I am intelligent, right?

A) More than I imagined.

If I give level 8, Mr.C will log in fine, but the others will land in that level as well, won't they?

Q) So we put the -login- command under line vty 0 4, and to allow only Mr.C we set a password there and tell this password only to Mr.C. SO SIMPLE!!

A) Not bad. But what about Mr.A's and Mr.B's access? When they connect to the router they will be prompted for the level 8 password, as you said; they don't know it, so they will not be authenticated. In other words, they are blocked for eternity!!!

Q) Ohh, I didn't think of that. So which level should it be? I am confused.

A) Give the lowest level. You can start with the default 1 if you like, or level 4 as set previously. When Mr.A telnets to the router he is prompted for the level 4 password; he enters it and lands in level 4. Mr.B comes, he is also prompted for the level 4 password, enters it, and lands in level 4. Now to get to his own level he must do this

 

C:\> telnet 10.0.0.1

Trying 10.0.0.1 ... Open

 

 

User Access Verification

 

Password: (cisco)

R1#sh privilege

Current privilege level is 4

R1#enable 6

% No password set

R1#

 

Oops, we didn't configure that. So you have to set passwords for both enable 6 and enable 8.

Mr.C follows the same procedure: after entering level 4 he types -enable 8- to reach his level.

In privilege 15, don't forget to assign them their respective commands with the -privilege- command.

But this merely achieves the objective. It is not professional, and it doesn't look good to do it this way.

So in an access-control mechanism, how do we differentiate one user from another?

 

This is where Authentication comes in.

Authentication is the process of asking you for something that only you know and nobody else does. What we saw previously was no doubt also authentication, but four people knew the same password. There is no way for IOS to distinguish Mr.A from Mr.B, right? So we need something that tells IOS "this is Mr.A coming, this is Mr.B coming" and so on.

We do this by introducing a "username" into the authentication process.

"username", as the name says, is the name of the user. Simple! Mr.A will have his own username, Mr.B his own. This lets IOS know which user has logged in.

 

Q) What benefit does this give? How do I introduce a username into the authentication process?

A) The benefit will become clear in my example. First, how to introduce a username.

A username is introduced by invoking the IOS local user database.

Q) OHH, do I have to learn Oracle or SQL for that? I am very weak in databases.

A) I can guess that. No, you don't need any database knowledge for this.

You invoke the local user database by creating an entry. The database is created automatically; it is nothing but the entries you provide :-)

 

For example

 

R1(config)#username Mr.A password Mr-A-cisco123

 

Simple !!

 

Lets take a closer look at the syntax of this command

 

R1(config)#username Mr.A ?

aaa AAA directive

access-class Restrict access by access-class

autocommand Automatically issue a command after the user logs in

callback-dialstring Callback dialstring

callback-line Associate a specific line with this callback

callback-rotary Associate a rotary group with this callback

dnis Do not require password when obtained via DNIS

nocallback-verify Do not require authentication after callback

noescape Prevent the user from using an escape character

nohangup Do not disconnect after an automatic command

nopassword No password is required for the user to log in

one-time Specify that the username/password is valid for only one

time

password Specify the password for the user

privilege Set user privilege level

secret Specify the secret for the user

user-maxlinks Limit the user's number of inbound links

view Set view name

<cr>

 

We may not discuss all the parameters, but we will discuss a few of them along the way. The important ones are

autocommand

nopassword

one-time

password

secret

privilege

view

Q) Why not the others?

A) They are related to services, and I said at the start that I won't be discussing services!

Q) Then why not user-maxlinks? It seems interesting!

A) It seems so, but it isn't. This command limits the number of simultaneous connections a PPP or dial-up user can open with the router. At first I also thought we could use it to prevent a user from opening multiple telnet/ssh sessions with the router, but my assumption was wrong. It is only used for PPP and dial-up services.

 

OK, above we created a simple username with a password. But this will not activate the "Username:" prompt as long as you don't instruct the router to use it!! For this to happen, under line vty 0 4 you must issue the -login local- command: "login" for authentication and "local" to use the local database. This will now ask for a username in addition to the password. Let's try it

 

R1 relevant config

 

 

username Mr.A password cisco123

!

!

 

line con 0

line aux 0

line vty 0 4

privilege level 4

password cisco

login local

 

R2#telnet 10.0.0.1

Trying 10.0.0.1 ... Open

 

 

User Access Verification

 

Username: mr.a

Password:

R1>

 

OK, now some points to consider.

1) The username is not case sensitive, but the password is!!!!

2) After -login local-, IOS no longer uses the line-specific parameters. It neither accepted the line password "cisco" nor assigned level 4 to the incoming user. It simply ignores the line-specific parameters as long as you ask IOS to consult the local database.

 

Q) But why did IOS assign level 1 to the user? Can I change it?

A) Yes. As I said in the previous tutorial, IOS puts the user in level 1 by default if no other level is explicitly defined. Now, how to define level 4 for Mr.A? Look at the list above; you can see the privilege keyword ;-)

 

Here is the respective configuration done on R1.

 

R1#sh privilege

Current privilege level is 15

R1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#user

R1(config)#username mr.a pri

R1(config)#username mr.a privilege 4

R1(config)#end

R1#

 

R2#telnet 10.0.0.1

Trying 10.0.0.1 ... Open

 

 

User Access Verification

 

Username: mr.a

Password:

R1#sh privi

Current privilege level is 4

R1#

 

Now as you can see, even when accessing the same username you can type mr.a instead of Mr.A. So it is not case sensitive at all :-).

 

Q) Hmm. Is it possible to avoid the password in this new type of authentication? What if I just want to authenticate on the basis of the username and not the password?

A) Yes, you can do this in two ways

1) Simply don't give a password ;-)

 

R1(config)#no username mr.a

R1(config)#username mr.a privilege 4

R1(config)#username mr.b privilege 6

R1(config)#end

R1# sh run | in username

 

username mr.a privilege 4

username mr.b privilege 6

R1#

 

R2#telnet 10.0.0.1

Trying 10.0.0.1 ... Open

 

 

User Access Verification

 

Username: mr.a

Password: (just press enter here since password is not given)

R1#sh privi

Current privilege level is 4

R1# exit

 

R2#telnet 10.0.0.1

Trying 10.0.0.1 ... Open

 

 

User Access Verification

 

Username: mr.b

Password:

R1#sh privi

Current privilege level is 6

R1#

 

2) The other method is to use the nopassword keyword, which is effectively the same. Below is the config

 

R1(config)#username Mr.A privilege 4 nopassword

 

OK, is it clear now how to skip password authentication? Needless to say, keep this for the lab: a username with no password lets anyone who can reach the vty lines log in as that user and inherit its privilege level.

 

Q) Yes !

A) Now there is one more feature called one-time password. This is tricky, although it doesn't seem so. Just look at what I am doing. First I delete the previous usernames for simplicity; you can keep mr.b if you want, but delete mr.a, since we are modifying it for a one-time password.

 

R1(config)#no username mr.a

R1(config)#no username mr.b

R1(config)#username Mr.A privilege 4 one-time pas

R1(config)#username Mr.A privilege 4 one-time password ?

0 Specifies an UNENCRYPTED password will follow

7 Specifies a HIDDEN password will follow

LINE The UNENCRYPTED (cleartext) user password

 

R1(config)#username Mr.A privilege 4 one-time password cisco123

R1(config)#

R1(config)#

R1(config)#

R1(config)#end

R1#sh run | in username

username Mr.A privilege 4 one-time password 0 cisco123

 

ok ?

 

Now on R2

 

R2#telnet 10.0.0.1

Trying 10.0.0.1 ... Open

 

 

User Access Verification

 

Username: mr.a

Password:

R1#sh privi

Current privilege level is 4

R1#

 

Now back on R1

 

R1#sh run | in username

R1#

 

See!! Due to the one-time keyword, this username/password combination can be used only once; after it is used, it is deleted from the RUNNING-CONFIG ONLY. So if you saved the configuration to NVRAM after creating the username, the entry will reappear in the running-config after the router reloads. So if you really intend it to be used once, save the configuration after the user has logged in and you will be OK.

 

So which commands are left now?

Q) autocommand, view, secret.

A) Secret works like enable secret: the password is stored as a salted MD5 hash (type 5) instead of cleartext (type 0) or the type 7 "HIDDEN" form you saw in the one-time password help. Type 7 is only obfuscated and can be reversed by anyone who holds the configuration, so prefer -secret- over -password- for every username. Check it out yourself :-).

View is a slightly more advanced topic which I will discuss later, not in this part.

 

So let's talk about autocommand. This executes a command of your choice when the user logs in. After the command completes, the user is logged out automatically. For example, if you want a user to just look at the interface status and do nothing else, this could be one way of doing it.

 

Just look below

 

R1(config)#username new-comer autocommand ?

LINE Command to be automatically issued after the user logs in

 

R1(config)#username new-comer autocommand sh ip int brief

R1(config)#end

R1#

 

R2#telnet 10.0.0.1

Trying 10.0.0.1 ... Open

 

 

User Access Verification

 

Username: new-comer

Password: (just press enter here since I have not set a password)

Interface IP-Address OK? Method Status Prot

ocol

FastEthernet0/0 10.0.0.1 YES manual up up

 

FastEthernet0/1 unassigned YES unset administratively down down

 

[Connection to 10.0.0.1 closed by foreign host]

 

As you can see, the connection was closed after showing the result of "sh ip int brief".

There is one more keyword, -nohangup-. With this keyword, after executing the autocommand IOS asks for username/password again instead of closing the connection.

 

R1(config)#username new-comer nohangup

R1(config)#end

R1#

 

R2#telnet 10.0.0.1

Trying 10.0.0.1 ... Open

 

 

User Access Verification

 

Username: new-comer

Password:

Interface IP-Address OK? Method Status Prot

ocol

FastEthernet0/0 10.0.0.1 YES manual up up

 

FastEthernet0/1 unassigned YES unset administratively down down

 

 

User Access Verification

 

Username:

 

So far is it OK?

Q) Yes.. so if I want to assign each user a specific set of commands, I have to use the -privilege- commands again like before?

A) Yes, 100% the same way. You have just experienced a new way of authenticating; command usage is the same as before.

So far what we have seen is non-AAA local authentication and, perhaps, authorization.

Q) Where did we see authorization? You are cheating!!!!!

A) Authorization means what a user can do and what he can't do. Through the use of

-autocommand-

-privilege- commands we restrict users to issuing only the commands of our choice. In other words, we were controlling what a user can do at his level, right? SO THIS IS CALLED LOCAL AUTHORIZATION. WE CALL IT LOCAL AUTHORIZATION BECAUSE WE USED IOS-SPECIFIC COMMANDS TO RESTRICT THE USER'S ACCESS. IF WE USE A REMOTE AAA SERVER, THAT IS CALLED REMOTE AUTHORIZATION.

 

Q) OK, got it. So what now? Are we EVER going to play with AAA or not?

A) Yes you will, and perhaps today... NOW!!!

You now have all the basic background on local authentication and authorization. If you still have any questions regarding anything I have discussed, just highlight it and let me know.

Now the main part starts.

How to use AAA in Cisco IOS.

In this part I will essentially discuss only authentication and authorization. Accounting will be discussed when I explain ACS 3.3 or 4.x, again if life permits.

Note: from here onwards I will be discussing only local authentication/authorization.

At this point I was thinking: do I really need to ADD AAA to my configuration when I can do all this stuff without AAA? What does local AAA really provide me?

To be honest, local AAA provides nothing!!! If you are not using an AAA server, you are fine without even thinking about AAA at all ;-).

Now I am quite sure the experts can jump in and call me ....., ....., ...... (fill in the blanks ;-)). But REMEMBER THE CONTEXT I AM TALKING ABOUT: WE ARE TALKING ABOUT AAA FOR AUTHENTICATION AND AUTHORIZATION OF USER LOGIN ONLY.

Of course local AAA can play an important role when it comes to services like Easy VPN, dot1x and so on, but since we are not discussing them, I can safely live with the comment above ;-)

AAA commands in IOS are configured in global configuration mode. There are some line-configuration commands for AAA as well, but the main configuration is done from global config mode. By default AAA is disabled; if you do show running-config, you will see

-no aaa new-model-

 

Q) Why is it called new-model? Are there other models as well?

A) Was this another attempt to prove your intelligence?

Q) No... just asking.

A) Take it as just syntax. This command enables AAA. Without it all AAA commands are hidden/not activated; you cannot configure any aaa command if you have not issued -aaa new-model-. One caveat before you type it: as soon as -aaa new-model- is entered, all lines start using the default login method list, which authenticates against the local username database until you define something else. So make sure a local username exists and keep your console session open while you make the change, otherwise you can lock yourself out of the vty lines.

So to enable AAA, just enter this in router global config mode

 

aaa new-model

 

R1(config)#aaa ?

new-model Enable NEW access control commands and functions.(Disables OLD

commands.)

 

R1(config)#aaa new-model

R1(config)#aaa ?

accounting Accounting configurations parameters.

attribute AAA attribute definitions

authentication Authentication configurations parameters.

authorization Authorization configurations parameters.

cache AAA cache definitions

configuration Authorization configuration parameters.

dnis Associate certain AAA parameters to a specific DNIS number

group AAA group definitions

local AAA Local method options

max-sessions Adjust initial hash size for estimated max sessions

memory AAA memory parameters

nas NAS specific configuration

new-model Enable NEW access control commands and functions.(Disables

OLD commands.)

pod POD processing

route Static route downloading

session-id AAA Session ID

session-mib AAA session MIB options

traceback Traceback recording

user AAA user definitions

 

R1(config)#aaa

 

First we will play with authentication. Trust me, in most books and docs you will find bits and pieces spread around. When you experience something ODD in AAA you can simply hit your head against the wall, because I doubt any book will help you with it. This is the most important part, so read very carefully from here.

 

There are 3 main keywords after -aaa-

1) Authentication

2) Authorization

3) Accounting

 

Lets explore Authentication.

 

Authentication using AAA:

What authentication achieves is the same as what we did before. Using AAA authentication, the router prompts you for a username/password combination for the mode/service the user wants to access and verifies it according to the methods listed afterwards. It is a bit confusing, so let's check the syntax

 

R1(config)#aaa authentication ?

arap Set authentication lists for arap.

attempts Set the maximum number of authentication attempts

banner Message to use when starting login/authentication.

dot1x Set authentication lists for IEEE 802.1x.

enable Set authentication list for enable.

eou Set authentication lists for EAPoUDP

fail-message Message to use for failed login/authentication.

login Set authentication lists for logins.

password-prompt Text to use when prompting for a password

ppp Set authentication lists for ppp.

sgbp Set authentication lists for sgbp.

username-prompt Text to use when prompting for a username

 

When will you require authentication?

OK now, this question is important. Ideally you require two-step authentication.

1) When you log in to the router. You would normally land in privilege 1. This approach is followed widely.

2) When you try to access privilege level 15, also called enable mode.

Now, to keep the record straight, you can have a 1-step login by allowing yourself to jump directly to level 15, or land by default in level 4 (just random) and from there move to level 15. So in practice, play any way you like. But to follow the general and recommended approach, we will use the 2-step authentication defined above.

 

Let's consider the first step, when you log in to the router via

1) Console port

2) Telnet/SSH

and by default land at privilege level 1.

Using AAA authentication for this step, since it is the "login" step, we use the keyword -login-. Simple!!!

 

R1(config)#aaa authentication login ?

WORD Named authentication list (max 31 characters, longer will be

rejected).

default The default authentication list.

 

What you see above is the name of a method list. So what is a method list?

There are 3 ways you can perform authentication.

1) Using line passwords that you configure under lines, like this

line vty 0 4

password cisco

2) Using the local database (the username entries we created above), like this

R1(config)#username admin password cisco

3) Using a remote AAA server (running either RADIUS or TACACS+)

 

Now what will happen if we have configured all of them on the router at the same time? Like this

 

R1#sh running-config

 

(output ommitted for simplicity)

 

username Mr.A password Cisco123

!

!

line vty 0 4

password cisco

!

!

!

"Configuration for remote server"

....

....

....

!

!

 

So now, when the user telnets in, which password should the router use?

Line password?

username password?

External server?

So which one will you use first: the external server, the local database or the line password? To define this sequence we use method lists. SIMPLE!!!

Why is it called a method list then? Basically we can rewrite the above statements like this

 

There are 3 METHODS you can use to perform authentication.

1) Using line passwords that you configure under lines. like this

line vty 0 4

password cisco

 

2) Using local database ( using username entries we created above ). Like this

R1(config)#username admin password cisco

 

3) Using remote AAA server (either running radius or tacacs)

So a method list simply defines the sequence in which the external or local databases are checked.

 

OK now, did you understand the meaning of method lists?

Q) Yes. But you said they define the sequence; what does that mean? What does this sequence imply?

A) See, let's say I configure a method list like this

1) Consult AAA server

2) Consult local database

Here I have defined a sequence. First the AAA server is asked to perform authentication. If we don't get ANY ANSWER FROM THE AAA SERVER, ONLY then is the next method, in our case the local database, consulted to perform authentication.

 

Q) What do you mean by "don't get any answer from the AAA server"?

A) Here I am assuming you already know something about the RADIUS and TACACS+ protocols. When IOS needs to talk to an AAA server like ACS 3.3, it needs some language/protocol to send and receive information. This protocol is either RADIUS or TACACS+ (TACACS+ was developed by Cisco). Let's assume I have decided to use TACACS+ and have configured ACS 3.3 to use it as well. Then this is what happens when a user tries to log in:

1) The router asks for username/password.

2) The user enters it.

3) The router sends this username/password to the AAA server using TACACS+, as defined in our configuration.

Now one of the following three situations happens:

a) The AAA server (ACS 3.3) has an entry for this username/password. It returns "PASS" to the router, which then authenticates the user successfully.

b) The AAA server (ACS 3.3) does not have this username/password. It returns "FAIL" to the router, which then refuses to authenticate the user.

c) NO response is received from the AAA server within a predefined time. This can happen because

1) the AAA server is down,

2) the AAA server has some hardware or software issue and is not able to reply to the router's query, or

3) the router's WAN link to the AAA server has a problem; the AAA server may be up, but the router cannot reach it.

So if the router is not able to talk to the AAA server within that time, it considers this an "ERROR". ONLY IF THIS ERROR OCCURS, AND ONLY THEN, DOES THE ROUTER MOVE TO THE NEXT METHOD. IN OUR CASE IT WILL CONSULT ITS LOCAL DATABASE FOR THIS USERNAME/PASSWORD ENTRY, SINCE THE AAA SERVER IS NOT RESPONDING.

 

Q) What if I receive "FAIL"? What's the difference between FAIL and ERROR?

A) FAIL means the router RECEIVED a response from ACS telling it NOT TO AUTHENTICATE; the router stops right there and does not try the next method. ERROR means the router DID NOT GET ANY RESPONSE FROM ACS, so it must move on to the next method in the list, which in our example is the local database.

 

Q) Does the next method always have to be the local database?

A) NO, you can use any sequence you like. There is no restriction on this. You could have used the line password instead.
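The PASS / FAIL / ERROR rule described above is easy to get wrong during an outage, so here is a Python model of a login method list walking its methods. It is an added example, not IOS code and not from the original tutorial; the server, its user entries, the local usernames and the passwords are constructed for the demo, and the local method is simplified so that it always gives a definite answer.

```python
"""Model of how an IOS login method list walks its methods (added example, not IOS code).

The rule the text describes: a method that answers PASS or FAIL is final;
only a method that produces ERROR (no usable answer: server down, unreachable,
timed out) hands the request on to the next method in the list.
Server contents, local users and passwords below are constructed for the demo.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "PASS"     # the method accepted the credentials
    FAIL = "FAIL"     # a definitive "no": stop, do not try further methods
    ERROR = "ERROR"   # no usable answer: try the next method


Method = Callable[[str, str], Result]


def tacacs_method(server: dict, server_users: Dict[str, str]) -> Method:
    """'group tacacs+': ask the server; if it cannot be reached the result is ERROR."""
    def method(user: str, password: str) -> Result:
        if not server["reachable"]:
            return Result.ERROR            # timeout, link down or server process dead
        return Result.PASS if server_users.get(user) == password else Result.FAIL
    return method


def local_method(local_users: Dict[str, str]) -> Method:
    """'local': the username entries on the router (usernames are case-insensitive).
    Simplified here so that it always answers PASS or FAIL; check your IOS
    release for how it treats a username that does not exist locally."""
    def method(user: str, password: str) -> Result:
        return Result.PASS if local_users.get(user.lower()) == password else Result.FAIL
    return method


def line_method(line_password: str) -> Method:
    """'line': the one password configured under the line, shared by everybody."""
    def method(user: str, password: str) -> Result:
        return Result.PASS if password == line_password else Result.FAIL
    return method


def none_method() -> Method:
    """'none': no authentication; as a last method it turns a server outage into an open door."""
    return lambda user, password: Result.PASS


def authenticate(method_list: List[Tuple[str, Method]], user: str, password: str):
    """Walk the list in order; return the final Result plus what each consulted method answered."""
    trace: List[Tuple[str, Result]] = []
    for name, method in method_list:
        result = method(user, password)
        trace.append((name, result))
        if result is not Result.ERROR:
            return result, trace           # PASS or FAIL is definitive
    return Result.FAIL, trace              # every method errored: the login is refused


def build_lab():
    """Constructed scenario: ACS knows mr.a with one password, the router holds a fallback one."""
    server = {"reachable": True}
    method_list = [
        ("group tacacs+", tacacs_method(server, {"mr.a": "Mr-A-cisco123"})),
        ("local", local_method({"mr.a": "fallback-only"})),
    ]
    return server, method_list


if __name__ == "__main__":
    server, ml = build_lab()
    for reachable, pw in [(True, "Mr-A-cisco123"), (True, "fallback-only"), (False, "fallback-only")]:
        server["reachable"] = reachable
        print("server reachable=%s password=%s ->" % (reachable, pw), authenticate(ml, "mr.a", pw))
```

Two consequences fall out of the trace: a wrong password against a reachable server is FAIL, so the local fallback password never helps while the server is up; and a list whose methods all error refuses the login, which is why people append -none- as a last resort and thereby turn an outage into an open door.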

 

Q) But you didn't use the line password even as a third method?? Why? Are only 2 methods allowed at a time?

A) Now I must say you are indeed intelligent. Yes, I used the local database on purpose. If I have to rank the methods (line, local, external) by how secure they are, I would say

1) line password is the least secure

2) local database is more secure

3) external database is more secure than either.

 

Q) How have you classified them?

A) Suppose you are just using a line password for authentication. You have 5 users, each with access to a different privilege level. You already know I can have only one line password at a time, so I have to give this password to all of them to log in to the initial level and then move on to their respective levels.

In the case of username/password, only the administrator and the user know the password. Suppose you created the Mr.B and Mr.C usernames. Who knows Mr.B's password besides him? Only you, but not Mr.C, as long as Mr.B does not tell Mr.C his password. But it is still not that secure, since anyone who gets his hands on the running-config/startup-config can easily read the passwords.

 

Q) Nope, not at all, you are wrong!! See, I get you. If I use the -secret- keyword after username instead of -password-, then my password is saved as an MD5 hash. Now nobody can know my real password, isn't it?

A) Yes, you got me there. You are 100% right. But whoever sees this username/password combination will surely also have access to configure it, won't he?

 

Q) What do you mean?

A) In the previous tutorial I said, in any privilege level, if you are granted access to show running-config, you will only see those parameters that you are ALLOWED to configure. So if anyone is doing show running-config and he happens to see the username/password line in the result, then it means that he can also configure it, right? So he will simply change the password, use that username to enter the router, do malicious activity and leave safely. So that is one of the reasons I am saying that the local database is secure, but not as secure as an external database.

 

Q) Ok, now I got it. Now back to method lists. If I define the sequence, DOES IT HAVE to be the same for all the lines? Like for console, aux, vty, shall they follow the same method sequence, or can it be different for each of them?

A) Yes, it can be different for each of them.

 

Q) Can the sequence be different for each vty line as well?

A) Yes sure, the sequence can be different for each vty line as well :-).

 

Q) How to do this?

A) Let me continue then....

Q) I didn't stop you, why are you saying it like this?

A) OK OK, I got it.

 

So far I am quite sure the use of method lists is clear. It will become more clear as we proceed further. Now let's look at the syntax again

R1(config)#aaa authentication login ?
  WORD     Named authentication list (max 31 characters, longer will be rejected).
  default  The default authentication list.

R1(config)#aaa authentication login

 

Remember, like access-lists and route-maps, these method lists must also be applied to LINES. Now you have 2 options here: to use default or to define your own name. So what's the difference between these two?

1) The default method list is automatically applied to all lines!!! Just define this method list and it will be applied to all lines. It saves you extra config if you want ALL YOUR LINES TO USE THE SAME LIST OF METHODS.

2) If, let's say, you want a different method list (sequence of methods) for, let's say, line con 0 and line vty 0 4, like below

a) Use only the line password for line console 0

b) Use the external database, and in case of ERROR use the local database, for the vty lines.

 

So first let's make a method list for line con 0

R1(config)#aaa authentication login for-console line

Now apply this method list inside line con 0 like this

R1(config)#aaa authentication login for-console line
R1(config)#line con 0
R1(config-line)#login authentication ?
  WORD     Use an authentication list with this name.
  default  Use the default authentication list.

R1(config-line)#login authentication for-console
R1(config-line)#

 

Now for line vty 0 4

R1(config)#aaa authentication login for-vty grou
R1(config)#aaa authentication login for-vty group ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.

R1(config)#aaa authentication login for-vty group tac
R1(config)#aaa authentication login for-vty group tacacs+ ?
  enable      Use enable password for authentication.
  group       Use Server-group
  krb5        Use Kerberos 5 authentication.
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
  <cr>

R1(config)#aaa authentication login for-vty group tacacs+ lo
R1(config)#aaa authentication login for-vty group tacacs+ local
R1(config)#line vty 0 4
R1(config-line)#login authentication for-vty
R1(config-line)#

 

Task completed!!! This is just to give you a small snippet of how things are done. What these -line-, -group- and -tacacs- keywords are, let's see now

R1(config)#aaa authentication login for-vty ?
  enable         Use enable password for authentication.
  group          Use Server-group
  krb5           Use Kerberos 5 authentication.
  krb5-telnet    Allow logins only if already authenticated via Kerberos V Telnet.
  line           Use line password for authentication.
  local          Use local username authentication.
  local-case     Use case-sensitive local username authentication.
  none           NO authentication.
  passwd-expiry  enable the login list to provide password aging support

 

Now see here,

-line- If you set this as the method, the router will prompt for the line password. Make sure you have configured a line password under line con 0, or else you will be blocked, since you didn't define any other method in case of error from the previous method!!!

-local- If you set this as the method, the router will prompt for username/password. If the entry is not present then this will always result in FAIL and not ERROR, because there is no communication error, the username is simply not present!!! If you don't define any username, then YOU ARE BLOCKED, SINCE THE ROUTER HAS NO REASON TO FALL TO ANOTHER METHOD, BECAUSE IT CAN'T GET AN ERROR FROM THIS LOCAL DATABASE, REMEMBER!!!!! FROM THE LOCAL DATABASE IT WILL BE EITHER PASS OR FAIL. NO ERROR, NOTHING ELSE!!!

-group- This defines the external AAA server, like ACS 3.3. Now if you want to use the TACACS+ protocol to communicate with ACS, then after making the necessary configuration on ACS and IOS, you choose tacacs+ after the -group- keyword, like this

 

R1(config)#aaa authentication login for-vty group ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.

R1(config)#aaa authentication login for-vty group tacacs+ ?
  enable      Use enable password for authentication.
  group       Use Server-group
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
  <cr>

 

Now our next fall-on method should be the local database, in case of ERROR from the remote server. So it will be

R1(config)#aaa authentication login for-vty group tacacs+ local ?
  enable  Use enable password for authentication.
  group   Use Server-group
  line    Use line password for authentication.
  none    NO authentication.
  <cr>

But since I don't want to configure any other method, I will simply end it here.

 

Now, so far it was just like creating access-lists. As you know, access-lists by themselves don't do anything. You need to apply them on interfaces/lines to perform your desired filtering, right? Same is the case here. You will need to APPLY these method lists only on LINES (remember, not interfaces) for them to take effect.

Following is the complete relevant configuration

 

R1#sh running-config

!
aaa new-model
!
!
aaa authentication login for-console line
aaa authentication login for-vty group tacacs+ local
!
aaa session-id common

line con 0
 logging synchronous
 password cisco
 login authentication for-console
line aux 0
line vty 0 4
 login authentication for-vty

 

Now whenever a user comes via the console port he/she will only need to know the line password. Remember, if for some reason you are not able to telnet/ssh to the router and have to resort back to the console, but either you forgot the password or didn't configure it at all, then you are blocked. In that case you need to carry out the password recovery procedure...

Any question?

 

Q) Yes, in the last snippet when you did "?", among others there is also -enable- there!! What is -enable- doing here? I thought enable means accessing levels, not logging in to the router. I am really confused!

A) A very nice catch. See, IOS also provides you the facility that you can use the enable password to LOGIN AS WELL. Now remember, this is just a feature, it doesn't make it an obligation to use it as well in real life :-). But for understanding let's see how it works.

 

R1(config)#aaa authentication login for-vty enable
R1(config)#enable password cisco

Now as you can see I am using only one method here to authenticate, i.e. -enable-. (Remember, I have already applied this method-list above.)

Now when from R2 I telnet to R1

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Password:(cisco)

R1>enable
Password:(cisco)
R1#

 

I hope this is clear so far.

Q) When I used the enable password, which level was I put in when I logged in?

A) You logged in to the default level of 1. You can change it like we did before. Try it yourself?

Q) Can't you show it!!!!!!

A) NOOOOOOOO!

Q) But why? What am I taking the class for?

A) Yeah ...... right!

 

Q) Ok fine.. I have one more confusion. When I wanted to use the remote server, I just mentioned the protocol, like tacacs, nothing else. Is it sufficient for the router to talk to the remote server? I mean we haven't given the IP of the tacacs server or anything, so how was the router able to talk to the AAA server? I think it will always return ERROR!!

A) There you go. Nice catch again. I didn't show the AAA server configuration for simplicity's sake. But you are right, if that is my SOLE CONFIG then the router will always get ERROR for every query, since we haven't defined the IP of the tacacs/radius server. Below is the required configuration for, let's say, a tacacs server (ACS 3.3, but using the TACACS+ protocol to authenticate/authorize users)

tacacs-server host 10.1.10.109 key cisco321

If you do "?" after tacacs-server you will see other options, but this is the minimum requirement to configure it properly.

I haven't described the usage of the -local-case- option; this is quite self explanatory, try it out yourself!

 

Q) AGAIN!!!

A) This is not a spoon-feeding class, may I remind you!!

Q) But so far you have done nothing but spoon feeding!!!!

A) Ahhhh, so is it good or bad?

Q) I don't know

A) Yeah ..... right!

 

Now, so far we have seen authenticating users when they try to login to the router via console or telnet/ssh. We can also perform authentication when users try to MOVE UP to a certain higher level. For simplicity I will keep it to level 15.

Q) Is it necessary that I have to do authentication for level 15 through AAA?

A) No. You can use the local enable password like you did before. But if you are using a remote server then it's better to use remote authentication for level 15 also. But again, it's not mandatory.

Q) If I am not using a remote server at all, then?

A) Then see below...

 

R1(config)#aaa authentication enable ?
  default  The default authentication list.

R1(config)#aaa authentication enable

As you can see, there is no option to define your own method list!!! Why? Because

1) We can only apply method-lists on lines

2) Lines are used ONLY AND ONLY FOR LOGIN TO THE ROUTER.

So lines have nothing to do with the enable password!! Why? Because you will be asked for the enable password when you type in -enable-, and where do you type this? On the router CLI, which means you have successfully logged in to the router, right? YES!! So once you are logged in to the router, the function of lines is quite over ;-). That's why for the enable password you don't need lines, which means no method lists ;-)

 

Q) Ohh, I see

A)

R1(config)#aaa authentication enable default ?
  enable  Use enable password for authentication.
  group   Use Server-group
  line    Use line password for authentication.
  none    NO authentication.

R1(config)#aaa authentication enable default

-enable- This option means use the local enable password, configured as
1) enable password cisco
2) enable secret cisco

-group- Same as for login authentication. This will ask you for tacacs/radius and then again ask for the FALL-on method.

-line- You can use the line password for getting to level 15. Again, this is just a feature provided. But this one is tricky: which line password will you use when you have 3 types of lines available?
1) Console
2) Aux
3) Vty

 

Any idea?

Q) Not at all

A) I am not surprised.

Q) What do you mean?

A) Nothing at all.

If this is my configuration, for example

R1(config)#aaa authentication enable default line

Then the router will consider THAT LINE'S PASSWORD THROUGH WHICH THE USER LOGGED IN ;-) CONFUSING?

 

See the following configuration, which we have done so far

R1# sh running-config
!
!
aaa new-model
aaa authentication login for-console line
aaa authentication login for-vty group tacacs+ local
aaa authentication enable default line

enable password ciscoenable
username cisco password cisco

line con 0
 password passconsole
 login authentication for-console

line vty 0 4
 password passvty
 login authentication for-vty

 

Now from R2

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Username: cisco
Password: (cisco)

R1>en
Password:(passconsole)
% Access denied

R1>en
Password:(ciscoenable)
% Access denied

R1>en
Password:(passvty)
R1# sh privi
Current privilege level is 15
R1#

Now if you had come via the console, then for enable you would have had to give the line console password to move to level 15.

Practice it and it will make more sense. In case of any confusion just let me know.

 

Authorization:

Ok, let's start with authorization via local AAA.

Q) AT LAST!!!!

A) Ok now. Local AAA authorization can prove to be a very complicated maze. If you are lost, it becomes really difficult to find your way out. At least that's what happened to me. So I highly recommend following my approach to get a solid understanding of what actually happens with authorization.

I will divide this part into a further 2 categories: one when we are NOT using the local database (username/password), and the second when we are using the local database.

1- Local AAA authorization without local database.

There are 3 types of authorization (again, the context is when a user is accessing the router for login purposes)

Exec- This relates to whether a user (like Mr.A) is ALLOWED to get a shell (CLI) prompt or not!!!

Commands- This relates to whether a user is allowed to run commands of the level given in the syntax of this command. (Didn't get a word of what I mean? Don't panic, everything will be crystal clear when we get to this command.)

config-command- I will skip the definition for now. We will discuss it later in this part.

 

Now let's just see the syntax

R1(config)#aaa authorization exec ?
  WORD     Named authorization list.
  default  The default authorization list.
R1(config)#aaa authorization exec

It's the same method list as we discussed in the authentication part. Default is applied to all lines by default. If you want to define a particular method list for, let's say, the VTY lines, just give the name you like and then apply it under line vty. Much the same as we did in authentication. Nothing different here.

R2(config)#aaa authorization exec default ?
  group             Use server-group.
  if-authenticated  Succeed if user has authenticated.
  krb5-instance     Use Kerberos instance privilege maps.
  local             Use local database.
  none              No authorization (always succeeds).

R2(config)#aaa authorization exec default

Over here

-group- Again means referring to the Radius/Tacacs+ server to perform authorization

-if-authenticated- This means if the user is authenticated, just grant him the exec session.

-local- Check the local database (username/password) for authorization.

 

Now over here, if-authenticated is a bit of an interesting option; it's not always clear what it actually does. So we will explore it.

Now in my scenario this is the config

R1#sh running-config

!
aaa new-model
aaa authentication login default line
aaa authorization exec default local

line vty 0 4
 password cisco

!

Over here I am telling IOS to perform authorization for exec, as to whether the incoming user should get a CLI prompt or not!! based on the local database, which is not present ;-). Let's see what happens!

 

R2#10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Password:
% Authorization failed.

[Connection to 10.0.0.1 closed by foreign host]
R2#

OOPs, what did I do wrong?

Q) You entered the wrong password, I got you, I got you!!!

A) Nope, look at the error I have received.
% Authorization failed.

This means I passed authentication, but IOS didn't authorize me to open a CLI prompt!!! Let's get a bit deeper this time and run a debug command to see what actually happened. Let's do it again.

 

R1# debug aaa authorization

From R2

R2#10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Password:
% Authorization failed.

[Connection to 10.0.0.1 closed by foreign host]
R2#

On R1!
R1#
*Mar 1 00:07:36.087: AAA/BIND(00000004): Bind i/f
R1#
*Mar 1 00:07:38.115: AAA/AUTHOR (0x4): Pick method list 'default' - FAIL
*Mar 1 00:07:38.127: AAA/AUTHOR/EXEC(00000004): Authorization FAILED
R1#

Now the debug message is not clear, to be honest. It says that it picked the method-list named default, but it failed. Actually it didn't fail, it was KINDA ERROR. Now this may sound confusing, but in authentication the absence of a username meant a FAIL, not an ERROR; in authorization the absence of a username is considered an ERROR.

 

Q) I am confused. What if I give a username/password then?

A) Nice catch. Let's give it and see what happens

The configuration on R1 will remain the same and I will add the following config to it

R1(config)#username Mr.A privilege 4 password cisco

Now from R2

R2#10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Password:
% Authorization failed.

[Connection to 10.0.0.1 closed by foreign host]
R2#

See, nothing different happened even after the addition of the username. Why? Because we are not using the local database to perform authentication. Mr.A didn't use the Mr.A username to authenticate to the router, that's why authorization can't be performed based on the local database. To further clarify this point, suppose I have 5 username/password entries in my database. Which one will be used for authorization when authentication was done on the line password??? Can you see the confusion? Since no username is associated with authentication, or in other words the router DOESN'T know which user from the local database has logged in to the router, it can't perform authorization on a username basis!! Since it doesn't know which username to associate the incoming user with, because the user is not supplying a username at the time of authentication, every user who enters the router using the line password is treated equal!!! That's why local authorization will return ERROR!!!!!

Q) Ohh, it's a bit clearer now. So what shall we do when we don't have a local database? I can see creating a local database is of no use here, since the user is not supplying a username at the time of login!

A) Well, in case we don't have the local database to help in authorization, and as we know that we have got an ERROR (though not displayed in the debug), IOS will fall to the next method in the "default" list, which is nothing in our case. That's why IOS didn't have any last resort left. To avoid this situation let's configure 2 possibilities

R1(config)#aaa authorization exec default local none

With the -none- option it means that no authorization is needed, JUST AUTHORIZE THE USER FOR HEAVEN'S SAKE!! This is enough to scare anyone, as well as IOS; that's why IOS will authorize the user ;-). Let's see

 

On R2

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Password:

R1>

On R1

R1#deb aaa authorization
AAA Authorization debugging is on
R1#
*Mar 1 00:05:49.631: AAA/BIND(00000004): Bind i/f
R1#
*Mar 1 00:05:51.311: AAA/AUTHOR (0x4): Pick method list 'default' - PASS
*Mar 1 00:05:51.319: AAA/AUTHOR/EXEC(00000004): processing AV cmd=
*Mar 1 00:05:51.323: AAA/AUTHOR/EXEC(00000004): Authorization successful
R1#

As you can see, this time authorization is successful. Now, depending on different views, -none- may not be a very preferred option, since it forces the router to authorize the user if the other methods failed. In a case like this it doesn't matter much; it's much the same as not enabling authorization!!!

Another option is -if-authenticated-. This option is A LOT CONFUSING. Here is a proof of concept.

Before reading any further, just try to figure out the practical difference between the -none- and -if-authenticated- options, and I am quite sure you will not be able to find it. It took me quite some time to figure out the difference. Let's see

R1(config)# aaa authorization exec default local if-authenticated

 

Now from R2

R2#telnet
*Mar 1 00:57:13.591: %SYS-5-CONFIG_I: Configured from console by console
R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Password:

R1>

Ok now, I won't be discussing the difference now. Just a few points and then we will explore it.

We observed authorization without the local database. Let's now use the local database.

R1(config)#username Mr.A privilege 4 password cisco

Now, looking at my previous config, I have authentication using line passwords only, therefore authorization can't happen on the local database. See the relation between authentication and authorization? KEEP THIS FACT IN MIND, IT WILL HELP YOU AVOID CONFUSION IN FUTURE. AUTHORIZATION IS TIGHTLY BOUND TO AUTHENTICATION, AS YOU CAN SEE ABOVE.

So now, since we want authorization to be based on the username, we must also enable authentication via the local database, because if we don't, and the user logs in without supplying a username, then the router will not have any idea which username to use for authorization, and hence will produce an error and fall on to the next method during authorization.

 

R1(config)#aaa authentication login default local line

Now let's see

From R2

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Username: mr.a
Password:

R1#sh privilege
Current privilege level is 4
R1#

Now let's understand the authorization command again

aaa authorization exec default local

This command is telling IOS

When a user logs in (i.e. is authenticated), allow him a CLI prompt based on the information of the username the user supplied. The user supplied Mr.A, so the CLI prompt he got (or was authorized to get) was privilege level 4 (configured in that username command, look above). Hence authorization is successful.

 

Ok, let's see how if-authenticated is different from -none-. Now read carefully with your mind clear

-if-authenticated- means if the user was AUTHENTICATED IN THE PREVIOUS AUTHENTICATION STEP, THEN THROW HIM THE PRIVILEGE LEVEL ASSIGNED UNDER LINE VTY 0 4 (BY DEFAULT IT'S LEVEL 1)

Q) I don't get it. Authorization always happens after authentication, you said that yourself! So what is the sense of -if-authenticated- if this line is going to be checked after authentication is successful!! I really don't get it.

A) This is because you are forgetting one minor detail. We can skip AAA authentication ;-)

Q) What? How? Why?

A) See the following command

R1(config)# aaa authentication login default none

What does this command achieve? Instead of defining any method (like local, line) I simply wrote none, which means no authentication ;-). Let's configure the above statement, delete all previous authorization statements for now, and see what happens

 

From R2

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open

R1>

See, nothing was asked, neither username nor password. Authentication didn't happen. So far so good. Let's configure authorization now, using -none- first

R1(config)# aaa authorization exec default none

From R2

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open

R1>

See, nothing happened, since -none- means no authorization is performed. You can assume this command is run by default; that's why when we don't configure authorization we are always authorized to run all commands of the level we got.

 

Now let's use -if-authenticated-

R1(config)# aaa authorization exec default if-authenticated

From R2

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open
% Authorization failed.

[Connection to 10.0.0.1 closed by foreign host]
R2#

See, since the user was not AUTHENTICATED in the authentication step, AUTHORIZATION will also fail if the method list FALLS ON to the -if-authenticated- option. So keep this important fact in mind. Also note that if you supply the -if-authenticated- option, there are no further options you can select for fall-on. This is always the terminating method.

 

I hope by now the difference is quite clear!

Q) Yeah ....... Sorry, what did you say?

A) I think you need a break

Q) SO KIND OF YOU, CAN YOU HELP ME WALK OUT OF THE ROOM, I FEEL I WON'T BE ABLE TO WALK!

A) Why?

Q) BECAUSE OF THE HEADACHE!!!!!

A) Yeah...... Right!

Authorization is not completed yet. We will meet in the next part. That part won't take long. By Saturday at the latest I will post it. Thanks for your patience once more. Do provide your feedback.
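As an added example, not part of this tutorial and not Cisco code, here is a small Python model of the method-list walk the tutorial describes: the login methods (-line-, -enable-, -local-, -group tacacs+-, -none-), the "aaa authentication enable default line" behaviour, and exec authorization with -local-, -none- and -if-authenticated-. The router state, usernames, passwords and the TACACS+ reachability flag are constructed sample data, and the per-method PASS/FAIL/ERROR rules are the ones stated in the post.

```python
"""Toy model of how IOS walks an AAA method list (added example, not Cisco code).

Every method answers PASS, FAIL or ERROR. The router steps to the NEXT method
only on ERROR; FAIL stops the walk and denies, and running off the end after
an ERROR also denies. The per-method rules follow the tutorial's description;
all names, passwords and the TACACS+ reachability flag are constructed data.
"""
from dataclasses import dataclass, field
from typing import Optional

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Router:
    usernames: dict = field(default_factory=dict)       # name -> (password, privilege)
    line_passwords: dict = field(default_factory=dict)  # "con 0" / "vty 0 4" -> password
    enable_password: Optional[str] = None
    tacacs_reachable: bool = False                      # False: ACS never answers -> ERROR
    tacacs_users: dict = field(default_factory=dict)    # name -> password known to ACS


@dataclass
class Session:
    line: str                       # line the user came in on ("con 0" or "vty 0 4")
    username: Optional[str] = None  # only set when a username was typed at login
    authenticated: bool = False     # stays False after 'aaa authentication login ... none'
    privilege: int = 1


def walk(methods, try_method):
    """Walk a method list left to right; return (result, method that decided)."""
    for m in methods:
        result = try_method(m)
        if result != ERROR:         # PASS or FAIL is final; only ERROR moves on
            return result, m
    return FAIL, None               # every method errored: the user is blocked


def login(router, session, methods, username, password):
    """aaa authentication login <list> <methods>; fills in session on PASS."""
    def try_method(m):
        if m == "line":
            return PASS if password == router.line_passwords.get(session.line) else FAIL
        if m == "enable":
            return PASS if password == router.enable_password else FAIL
        if m == "local":            # local DB gives PASS or FAIL, never ERROR (per tutorial)
            entry = router.usernames.get(username)
            return PASS if entry and entry[0] == password else FAIL
        if m == "group tacacs+":
            if not router.tacacs_reachable:
                return ERROR        # no reply from ACS: fall to the next method
            return PASS if router.tacacs_users.get(username) == password else FAIL
        if m == "none":
            return PASS             # no authentication at all, nothing is asked
        raise ValueError(f"unknown method {m}")

    result, decided_by = walk(methods, try_method)
    if result == PASS:
        session.authenticated = decided_by != "none"
        if decided_by in ("local", "group tacacs+"):
            session.username = username   # line/enable logins leave this None
    return result


def authorize_exec(router, session, methods):
    """aaa authorization exec <list> <methods>; decides if an exec prompt is given."""
    def try_method(m):
        if m == "local":
            if session.username is None:  # router has no user to look up -> ERROR
                return ERROR
            return PASS if session.username in router.usernames else FAIL  # assumed
        if m == "none":
            return PASS
        if m == "if-authenticated":       # terminating method, nothing may follow it
            return PASS if session.authenticated else FAIL
        raise ValueError(f"unknown method {m}")

    result, decided_by = walk(methods, try_method)
    if result == PASS and decided_by == "local":
        session.privilege = router.usernames[session.username][1]
    return result


def enable_line(router, session, password):
    """aaa authentication enable default line: checks the password of the line
    the user logged in through (passvty via telnet, passconsole via console)."""
    return PASS if password == router.line_passwords.get(session.line) else FAIL


if __name__ == "__main__":
    r1 = Router(usernames={"Mr.A": ("cisco", 4)},
                line_passwords={"con 0": "passconsole", "vty 0 4": "passvty"},
                enable_password="ciscoenable", tacacs_reachable=False)
    s = Session(line="vty 0 4")
    print(login(r1, s, ["line"], None, "passvty"))               # PASS, username stays None
    print(authorize_exec(r1, s, ["local"]))                      # FAIL: local ERRORs, no fallback
    print(enable_line(r1, s, "passconsole"), enable_line(r1, s, "passvty"))  # FAIL PASS
```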

Dear Thead, thanks for the nice comments :-). I will try my level best to make future tutorials more entertaining and worth reading.

Now regarding your question, I am assuming that you have at least configured both of them once.

Both of them are used to provide restricted access to users. Having said this, the restriction process is somewhat cumbersome in the case of privilege levels. Every privilege level consists of a default set of commands. Now let's say you want to give a user very restricted access, so that he can do only the following commands

1) show ip int brief
2) show interfaces
3) show version
4) sh ip route

Now before views were there, I could simply do this in 2 ways

1) Assign the user to level 0 and with privilege commands assign the above 4 commands to the user. This is perhaps the best way.

2) Assign the user to some other level, use a long list of privilege commands to remove all other commands, then add the above 4 commands.

Now remember, without an AAA server, this had to be done and was done in the past. Views have some advantage over privilege levels because each view starts empty!! There are usually 2 or 3 default commands like enable, exit, show. Now you can fill this view by adding commands to it through view config mode. This gives rather more control to the administrator in assigning rights (which commands to execute) to users.

Which shall you use if it comes to restricting users' access?

Views are a bit advanced in the sense that they give you easy configuration as to which command you want to add and which to exclude. But to be honest I didn't find the difference to be very appealing. I mean I can almost achieve the same level without using views as well.

Keep in mind all the above discussion was for CLI-based views and not lawful intercept views.

 

 

pappyaar

 

I'm a bit confused, as far as I know that if you use a command in a privilege level, say level 4, that command will not be available to be used in another privilege level. But if you create a view, the same command can be used in multiple views and then you can combine different views into super views (obviously not necessary). What I'm getting at is that you explained that you can use a specific command in multiple privilege levels... this is a bit confusing for me, can you explain??

 

pappyaar

 

I'm a bit confused, as far as I know that if you use a command in a privilege level, say level 4, that command will not be available to be used in another privilege level. But if you create a view, the same command can be used in multiple views and then you can combine different views into super views (obviously not necessary). What I'm getting at is that you explained that you can use a specific command in multiple privilege levels... this is a bit confusing for me, can you explain??

 

Dear Casperv, don't be confused. See, there is a rule regarding commands in the privilege levels.

If a command's DEFAULT level is x, then that command will automatically be present in all levels above x as well. Now let me give you an example of a command, let's say ping.

If you are in level 0, this command is not present. Let's see

On R1

R1#disable 0
R1>?
Exec commands:
  call     Voice call
  disable  Turn off privileged commands
  enable   Turn on privileged commands
  exit     Exit from the EXEC
  help     Description of the interactive help system
  logout   Exit from the EXEC

R1>

You can see the "ping" command is not here. Now there are two ways to find the default level of any given command. The most feasible one is the following command

R1# show parser dump exec | in ping

Output omitted ---
1 ping vrf <string> ipx
1 ping vrf <string> srb
1 ping vrf <string>
1 ping

So the default level of the "ping" command is 1. Now let's log on to level 1

R1#disable 1
R1>sh privi
Current privilege level is 1
R1>?
Exec commands:
  access-enable    Create a temporary Access-List entry
  access-profile   Apply user-profile to interface
  call             Voice call
  clear            Reset functions
  connect          Open a terminal connection
  crypto           Encryption related commands.
  disable          Turn off privileged commands
  disconnect       Disconnect an existing network connection
  enable           Turn on privileged commands
  exit             Exit from the EXEC
  help             Description of the interactive help system
  lat              Open a lat connection
  lock             Lock the terminal
  login            Log in as a particular user
  logout           Exit from the EXEC
  modemui          Start a modem-like user interface
  mrinfo           Request neighbor and version information from a router
  mstat            Show statistics after multiple multicast tracer
  mtrace           Trace reverse multicast path from destination t
  name-connection  Name an existing network connection
  pad              Open a X.29 PAD connection
  ping             Send echo messages
  ppp              Start IETF Point-to-Point Protocol (PPP)
  release          Release a resource
  renew            Renew a resource
  resume           Resume an active network connection
  rlogin           Open an rlogin connection
  set              Set system parameter (not config)

Do a "?" here and you can see ping here. Now as per the definition I gave above, the "ping" command will be available from level 1 (the default level of ping) to all levels above, up to 15. Now let's say I want ping to be available only to level 15. What will I do? I will simply change the level of ping from its default level!!

See

R1(config)#privilege exec level 15 ping
R1(config)#end
R1#
R1#disable 1
R1>ping
Translating "ping"

Translating "ping"

% Unknown command or computer name, or unable to find computer address
R1>sh privi
Current privilege level is 1
R1>

See, now again. If I change the privilege level of a command, IT WILL BE AVAILABLE on THAT LEVEL and HIGHER LEVELS but NOT LOWER LEVELS. Since here I changed the level of ping from its default of 1 to 15, you will not find the ping command on any level below 15 now!!

I hope this clears it up. If I am not wrong, you just focused on my post with Thead. I highly recommend going through my tutorial to further clear all your confusions. This doesn't mean don't ask anything; ask as much as you like, I will try my level best to answer :-)

Note: The command show parser dump exec is not affected at all by the privilege command. So you will always see the IOS-defined default level of commands. If you modify the privilege level of any command, it will not be reflected in show parser.
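Added example, not from this post or from IOS: a small Python model of the rule in the answer above. It parses constructed lines in the "<level> <command>" shape of show parser dump exec, applies privilege exec level overrides on top without touching the parsed defaults, and lists which commands a given level can see. The sample command set and levels are constructed, not real parser output.

```python
"""Added example (not from the post): a command whose level is x is visible at
level x and every level above it, never below. 'privilege exec level <n> <cmd>'
moves that level, while 'show parser dump exec' keeps reporting the IOS default.
The parser-dump text below is a constructed sample, not real IOS output."""
import re

# constructed sample in the "<level> <command>" shape of 'show parser dump exec'
SAMPLE_PARSER_DUMP = """\
0 enable
0 exit
1 ping
1 show ip route
15 configure terminal
"""


def parse_parser_dump(text):
    """Return {command: default level} from 'show parser dump exec' style lines."""
    levels = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.+?)\s*$", line)
        if m:
            levels[m.group(2)] = int(m.group(1))
    return levels


def effective_levels(defaults, privilege_cmds):
    """Apply 'privilege exec level <n> <command>' lines on top of the defaults.
    The defaults dict is left untouched, like show parser dump exec after the change."""
    effective = dict(defaults)
    for cmd in privilege_cmds:
        m = re.match(r"privilege exec level (\d+) (.+)$", cmd.strip())
        if not m:
            raise ValueError(f"not a privilege exec command: {cmd}")
        effective[m.group(2)] = int(m.group(1))
    return effective


def visible_at(effective, level):
    """Commands a user at `level` can run: those whose level is at or below it."""
    return sorted(cmd for cmd, lvl in effective.items() if lvl <= level)
```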

Thank You pappyaar

 

What you explained makes sense.


Dear Pappyaar,

Thanks for the great topic and explanation.

You have got great tips here. I hit some of them in CCIE R&S labs ;) and of course it's widely deployed in real life.

Your level of explanation is really great. Thanks a lot :)

Guys, trust me, these types of commands are deployed on every router in real life. :)

Edited by DarkFiber

Great post!

I especially used aaa authorization exec default local! Very helpful!

Maybe you will continue later with the other authorization branches, such as "network", and the last "A", accounting. First of all, is there any accounting solution except Cisco's ACS?


Thanks pappyaar for this great, great topic :D

But I have one question about privilege.

If I assigned Mr. A to level 4, for example, and Mr. B to level 6, and created usernames and passwords for both of them with their levels assigned, what will stop either of them from just using #enable 15?

I tried assigning a password to level 15 but it's not working; the only thing that does work is to assign a user to the level. This way, if any other user not assigned to that level uses #enable 15, it will show % Error in authentication.

Is there any other way other than assigning users to level 15?

There is no problem with the other levels; they also show % Error in authentication.

The only level I have a problem with is level 15. I need to use a password with it without a username :D. It doesn't make any sense not to assign my own username to that level to control everything, but I just want to see if there are other ways :D

Edited by alienson

Thanks a lot, dear friends, for appreciating it. I will be back on the AAA track in a while to add more content, wish me luck :-).

For alienson, sorry for the delayed response, but can you kindly elaborate your question a little more, since I am not getting which part of the configuration is failing at your end. Also do mention your platform, i.e. PT/dynamips (GNS3)/real routers.

Let me know..


Hi,

I have no words to say how thankful I am! All of my doubts have been cleared.

Please come on and complete the topic. We are waiting for the rest of the topic.

Your writing style is really excellent.

A million $ thanks..


Dear Helium, thanks a lot for the kind words. I will surely complete this topic, but it may take some time since currently I am caught up in different projects. My apologies to everyone, as I couldn't complete it, but I surely will.

Thanks again for appreciating it :-)


Hello,

I am facing a problem configuring TACACS+ on our routers. I can connect to all of my routers with my TACACS username and password without any problem, but when the leased line is down we cannot connect to the routers with the local username and password. The TACACS+ configuration is as follows:

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default group default-group local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 1 NO_AUTHOR none
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+

username (user) privilege 2 password 7 634gsd76234t

privilege exec level 2 show startup-config
privilege exec level 2 show
privilege exec level 2 ping
privilege exec level 2 trace
privilege exec level 2 clear counters
!
line con 0
 password 7 2364523bngsdyf632
 authorization commands 1 NO_AUTHOR
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 login authentication NO_AUTHEN
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 75 in
 password 7 73456nzxcncxvh643mvn8
 transport input telnet ssh

I think something is missing in my configuration, but I am not able to trace it. Please, somebody help.

Thanks...

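An added example, not the poster's configuration and not a diagnosis of it (the tacacs-server lines are not shown in the post): the usual layout for "TACACS+ first, local database when the server cannot be reached", with the one caveat that matters for the leased-line-down case. The server name, address, key, timeout and user names are assumptions.

```cisco
! Added example (not the configuration posted above). ACS1, 192.0.2.10,
! the TAC-ADMIN group name, the <...> secrets and "admin-local" are
! placeholders chosen for illustration.
aaa new-model
!
tacacs server ACS1
 address ipv4 192.0.2.10
 key <shared-secret>
 timeout 3
!
aaa group server tacacs+ TAC-ADMIN
 server name ACS1
!
! A method list moves on to the next method ONLY on an ERROR, i.e. the
! server never answered (unreachable, timed out). A FAIL, where the
! server answered and rejected the credentials, is final and never
! reaches "local". So with the leased line down, each attempt waits
! for the timeout and then tries the local database. Every list a vty
! session uses needs a fallback, not only the login list.
aaa authentication login default group TAC-ADMIN local
aaa authentication enable default group TAC-ADMIN enable
aaa authorization exec default group TAC-ADMIN local
aaa authorization commands 1 default group TAC-ADMIN if-authenticated
aaa authorization commands 15 default group TAC-ADMIN if-authenticated
aaa accounting exec default start-stop group TAC-ADMIN
aaa accounting commands 15 default stop-only group TAC-ADMIN
!
! The local account must exist at the level you expect to land on when
! the server is gone. "secret" (hashed) rather than "password 7"
! (reversible encoding) for both.
username admin-local privilege 15 secret <local-secret>
enable secret <enable-secret>
!
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
!
! Checks, once with the server reachable and once with it unreachable:
!   R1#test aaa group TAC-ADMIN admin-local <local-secret> legacy
!   R1#debug aaa authentication
!   R1#debug tacacs
! With the server unreachable, debug tacacs shows the timeout and
! debug aaa authentication shows the list moving on to LOCAL.
```

The poster's vty lines already inherit the default lists, which end in local, so the pattern itself is present there; the debug output is what tells you whether the server attempt ends in an ERROR (fallback happens) or a FAIL (it does not).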

This is a great tutorial. It really helped me with setting the allowed commands per level in a way I did not understand before. Nice work.


Thank you very much pappayaar.

Great explanation. Continue the topic.

I am using a 3750. I didn't find a one-time password there for privileges. What might be the reason?


Thank you, technical experts, very much for sharing so many practical details step by step... It's really hard work to make something on Cisco clear... But you make this thing a lot easier! Amazing!
