Dear Shawn, thanks a lot, as your example confirmed my point. Yesterday I arrived at this conclusion: without using role-based views, local authorization can't do much! All I can do is move the command to an upper level. But when it comes to role-based views, there is 1 more confusion. There are a few commands I saw that CAN'T be excluded:

enable
exit

Now let's say I have 2 views:

parser view one
 secret abc
 commands exec exclude configure

parser view two
 secret abc
 commands exec include configure

Now create a superview:

parser view super superview
 secret abc123
 view one
 view two

username admin view super password cisco

Now I am getting "configure" in priv level 0. Why is that so? I mean, which will get the preference if a command is present as excluded in one view and included in the other? Will included get preference over excluded?

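Added example, not from the thread or its participants: a small Python audit script that parses parser view blocks from a constructed sample config (the two views and the superview above) and flags any superview whose member views include and exclude the same command. It does not decide which rule IOS applies; it only surfaces the conflict so the view definitions can be reviewed for least privilege.

```python
import re

# Constructed sample config mirroring the two views and the superview in the thread.
SAMPLE_CONFIG = """parser view one
 secret abc
 commands exec exclude configure
parser view two
 secret abc
 commands exec include configure
parser view super superview
 secret abc123
 view one
 view two
username admin view super password cisco"""

def parse_views(config):
    """Map each parser view to its member views and command rules, and each
    local user to the view assigned with 'username ... view ...'."""
    views, users, current = {}, {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r'parser view (\S+)( superview)?$', line)
        if m:  # start of a view (or superview) block
            current = m.group(1)
            views[current] = {'superview': bool(m.group(2)), 'members': [],
                              'include': set(), 'exclude': set()}
            continue
        m = re.match(r'username (\S+) view (\S+)', line)
        if m:  # a user-to-view binding ends any open view block
            users[m.group(1)] = m.group(2)
            current = None
            continue
        m = re.match(r'commands (\S+) (include|include-exclusive|exclude) (.+)$', line)
        if m and current:
            mode, action, cmd = m.groups()
            key = 'exclude' if action == 'exclude' else 'include'
            views[current][key].add((mode, cmd))
        elif current and line.startswith('view ') and views[current]['superview']:
            views[current]['members'].append(line.split()[1])  # superview member
    return views, users

def superview_conflicts(views):
    """Per superview, commands one member view includes and another excludes.
    Which rule IOS applies is the thread's open question; this only flags it."""
    found = {}
    for name, v in views.items():
        if not v['superview']:
            continue
        inc = {c for mv in v['members'] for c in views.get(mv, {}).get('include', ())}
        exc = {c for mv in v['members'] for c in views.get(mv, {}).get('exclude', ())}
        if inc & exc:
            found[name] = sorted(inc & exc)
    return found
```

Run it against a saved running-config instead of SAMPLE_CONFIG to list every superview whose members disagree about a command.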
--- On Wed, 6/3/09, Shawn H Mesiatowsky <[email protected]> wrote:

From: Shawn H Mesiatowsky <[email protected]>
Subject: Re: [OSL | CCIE_Security] Local authorization !
To: [email protected]
Date: Wednesday, June 3, 2009, 6:46 PM

Almost all show commands are priv level 1. You would have to change many privilege levels of many commands in order to accomplish this. If you want to make sure a user only has access to the show interface command, but do not want to use an aaa server for command authorization, you should use role-based views. Once you create a role-based view only allowing access to show interface, you assign the view to the user:

username limited view limitedView

Now when the user logs on using local authentication and authorization, the user will be placed into the limitedView view. Here is a sample config:

conf t
enable password cisco
username admin password cisco
username admin view limitedView
aaa authentication login default none
aaa authorization exec default none
aaa authentication login vty local
aaa authorization exec vty local
line vty 0 4
 login authentication vty
 authorization exec vty
 exit

enable view (you must be in root parser view to configure views)
 (type cisco when prompted for password)
parser view limitedView
 secret cisco
 commands exec include all show interfaces
 exit
enable (this will get you out of the root parser view and back into exec mode)

Now admin will only have access to show interface commands.

From: [email protected] [mailto:[email protected]] On Behalf Of Willians Barboza
Sent: Wednesday, June 03, 2009 5:35 AM
To: shahid rox; [email protected]
Subject: Re: [OSL | CCIE_Security] Local authorization !

Some commands have level 1, so you will have access to these commands 
as well... Maybe if you increase their level, then you won't have access to 
them...

2009/6/3 shahid rox <[email protected]>

Dear Shawn, this configuration is not restricting the usage of other commands! Priv level 4 is surely assigned, but how can I restrict the user to ONLY AND ONLY RUN show interfaces and NOTHING ELSE?

Kindly let me know if my wording is not clear, since for 2 days I have asked this question again and again and again, and I keep being told how to use priv level, which I already know :-). How to use local authorization to restrict ALL commands except the one that I define?

--- On Tue, 6/2/09, Shawn H. Mesiatowsky <[email protected]> wrote:

From: Shawn H. Mesiatowsky <[email protected]>
Subject: Re: [OSL | CCIE_Security] Local authorization !
To: [email protected]
Date: Tuesday, June 2, 2009, 4:38 PM

username u4 privilege 4 password ipexpert
aaa authorization exec default local

Using the local authorization will use the privilege level assigned to the local users.

From: [email protected] [mailto:[email protected]] On Behalf Of shahid rox
Sent: Monday, June 01, 2009 11:31 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Local authorization !

Hi all. I am practicing AAA and got confused with local authorization. I don't want to use any external server. Now these are the tasks I want to achieve!

1) assign a user to level 4
2) level 4 comes with a default subset of commands, like ping, trace etc.
3) I ONLY want to allow the show interfaces command. ALL other commands shouldn't be allowed, e.g. if the user uses ping it should get a "command authorization failed" msg or something like that.

I know how to use the privilege command to move commands between levels, but I don't know how to configure local authorization.

Can someone guide me on this, pls?