The commands are supported. It doesn't add much. The question doesn't state it is a requirement.
Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

From: [email protected] [mailto:[email protected]] On Behalf Of Terry Little (terlittl)
Sent: Monday, May 10, 2010 9:07 AM
To: Sumit Mahla; [email protected]
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Privilege levels and command authorization

Sumit,

Based on your last line I think you may have got it. If you are using ACS we get additional capabilities. I understand everything that you said about ACS; I am trying to understand the case without ACS. The lab scenario doesn't use ACS, but the DSG includes the "aaa authorization command N local" commands.

Regards,
Terry Little
(425) 894-4109 (m)
(425) 468-1057 (o)

From: Sumit Mahla [mailto:[email protected]]
Sent: Monday, May 10, 2010 5:24 AM
To: Terry Little (terlittl); [email protected]
Cc: [email protected]
Subject: RE: [OSL | CCIE_Security] Privilege levels and command authorization

Terry, I don't know if I got your question or not... What I meant was that if any 5 commands are at privilege level 4 in the router, and on ACS you assign the 1st user privilege 4 and the other user privilege 4 with a restriction of commands out of the 5 which have been defined on the router at level 5, then you would find the difference.
Regarding local command authorization, I think that's not supported.

Regards

Subject: RE: [OSL | CCIE_Security] Privilege levels and command authorization
Date: Mon, 10 May 2010 05:14:10 -0700
From: [email protected]
To: [email protected]; [email protected]
CC: [email protected]

Sumit,

The original assumption is LOCAL Authorization, NO ACS. Now, what is the point of the aaa authorization with the privilege levels? What function do they perform, in this scenario? When I did the lab it appeared to work the same both with and without the aaa authorization commands.

Terry Little
(425) 894-4109 (m)
(425) 468-1057 (o)

From: Sumit Mahla [mailto:[email protected]]
Sent: Sunday, May 09, 2010 12:27 PM
To: [email protected]; Terry Little (terlittl)
Cc: [email protected]
Subject: RE: [OSL | CCIE_Security] Privilege levels and command authorization

Terry, I would try to explain this. Let's talk through a scenario:

1. Two users, USER-1 and USER-2, both need to be assigned privilege level 5.
2. On the router I assign privilege level 5 to the static route command, aaa command, dynamic routing command and QoS commands.
3. Now USER-1 and USER-2 have the same privilege level of 5 assigned by ACS, so they would access all commands which are at privilege level 5 or lower.

Now what if I want USER-2 to get privilege 5 assigned, but out of these privilege level 5 commands I want him to only configure static routing? So I would authorize him the ip route command; so out of all privilege level 5 commands he would be able to only execute static routing commands.

I hope I explained this to your satisfaction. Please correct me if I am wrong.
Regards
Sumit Mahla

> Date: Sun, 9 May 2010 18:24:18 +0100
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: Re: [OSL | CCIE_Security] Privilege levels and command authorization
>
> Hi,
> I think that part of the configuration is only to ensure that if the
> tacacs+ server is down, it fails over to the local "authorization" so
> that users are not locked out if the tacacs server is down.
>
> On 5/9/10, Terry Little (terlittl) <[email protected]> wrote:
> > It can be configured as local, I just can't figure out what it does that
> > isn't already being done by the privilege levels. Refer to vol 1, lab 6
> > sec 6.4.
> >
> > Terry Little
> > (425) 894-4109 (m)
> > (425) 468-1057 (o)
> >
> > -----Original Message-----
> > From: Tolulope Ogunsina [mailto:[email protected]]
> > Sent: Sunday, May 09, 2010 10:17 AM
> > To: Terry Little (terlittl)
> > Cc: [email protected]
> > Subject: Re: [OSL | CCIE_Security] Privilege levels and command authorization
> >
> > Hi,
> > AFAIK, Command Authorization (authorization per command) can only be
> > implemented using the TACACS server :(
> > With local Authorization, you only have privilege levels.
> >
> > On 5/9/10, Terry Little (terlittl) <[email protected]> wrote:
> >> OK, I understand privilege levels for commands, and I understand command
> >> authorization (I think). What I can't figure out is, when using local
> >> authorization, how do the two interact? It seems that if a local user is
> >> set for the privilege level they get access to those commands, and the
> >> authorization is just an extra command in the config because it doesn't
> >> add any additional control/limits to the user.
> >>
> >> Are there other factors that can be used for authorization? Such that a
> >> user could have the correct privilege level but not be authorized to use
> >> the command. Or authorized but not at the correct level?
> >>
> >> Terry Little
> >> [email protected]
> >> Phone: +1 425 468 1057
> >> Mobile: +1 425 894 4109
> >>
> >> Cisco Systems, Inc.
> >> Network Consulting Engineer
> >> World Wide Security Services Practice
> >> Cisco.com - http://www.cisco.com
> >
> > --
> > Best Regards,
> > Tolulope.
>
> --
> Best Regards,
> Tolulope.
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
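The configuration the thread keeps circling back to, written out in full as an added example. It is not taken from any message above nor from the IPexpert workbook the thread references; the hostname, usernames and secrets are placeholders. It puts the commands Sumit lists into privilege level 5, gives two local users that level, and adds the `aaa authorization commands 5 default local` line the DSG includes, so the two mechanisms can be seen side by side on one device:

```cisco
! Added example (not from the thread): local privilege levels plus local command authorization.
! Placeholders: R1, USER-1, USER-2 and both secrets are made up for this example.
hostname R1
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
! Command authorization for the custom level using only the local method.
! Per the thread, with no TACACS+/ACS in the picture this line adds nothing
! the privilege levels below are not already enforcing; its usual role is the
! fallback that keeps operators from being locked out when TACACS+ is unreachable.
aaa authorization commands 5 default local
!
! Move the commands Sumit lists (static route, aaa, dynamic routing, QoS) into level 5.
privilege exec level 5 configure terminal
privilege configure level 5 ip route
privilege configure level 5 router
privilege configure level 5 aaa
privilege configure level 5 class-map
privilege configure level 5 policy-map
!
! Both operators get level 5 locally. With local authorization there is no
! per-command split between them: restricting USER-2 to "ip route" alone is
! the ACS/TACACS+ case Sumit describes, not something these lines express.
username USER-1 privilege 5 secret PLACEHOLDER-SECRET-1
username USER-2 privilege 5 secret PLACEHOLDER-SECRET-2
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 5 default
 transport input ssh
```

To check the result, log in as USER-1 and run `show privilege` (it should report level 5), then confirm that `configure terminal` and `ip route` are accepted while commands left at level 15 are not. `debug aaa authorization` shows the local method being consulted for each level-5 command, which is the quickest way to see, in a lab, whether the authorization line is doing anything beyond what the privilege levels already enforce.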
