0:00:13 In our next session here we are going to start our discussion of AAA, for authentication, authorization and accounting.
0:00:21 We will look at the local methods of running AAA on the router for our authentication, for our exec and privilege authorization and the per-command authorization,
0:00:34 and additionally look at the role-based CLI, or the role-based access control feature, which is a more modular and scalable version of doing local AAA on the routers.
0:00:46 Now as I mentioned, AAA stands for Authentication, Authorization and Accounting, where the first of these, Authentication, is simply going to control whether the user can log in or not,
0:00:58 authorization is going to control what the user is actually allowed to do once they are logged in,
0:01:03 and Accounting is going to keep track of what the user did once they are logged in and then once they log out.
0:01:09 Now we will see there are two different variations of AAA, either locally or remotely,
0:01:15 where the local configuration on the router or the switch or the ASA, like the name implies, is only going to be locally significant on that device,
0:01:23 and the remote configuration is going to occur either via the TACACS or the RADIUS protocols with a AAA server,
0:01:32 where in our particular case we are going to be using the Cisco Secure ACS server in order to do both our remote TACACS and our remote RADIUS configurations.
0:01:45 Now for the local AAA on the routers and switches and the firewalls, we are familiar already with a lot of these methods,
0:01:53 where we have seen using local usernames and passwords before, and maybe assigning the privilege levels to the users, whether this is directly under the username or under the line, like the VTY or the console.
0:02:07 We will also look at the role-based CLI, or the role-based access control, which again is a more scalable version of the privilege levels and a little bit easier to manage exactly what the users can do once they are logged in,
0:02:20 and we also have other minor variations of AAA, like the configuration archive, that is going to keep track locally of what the users are doing once they are logged in,
0:02:31 and a couple of other features we will talk about later when we get to miscellaneous security topics, like protecting the exec process from a denial of service based on the configuration lock and based on the login enhancements,
0:02:47 but the vast majority of the things that we need to worry about with the local AAA is how do we get the users to log in, then once they are there, exactly what can they do, with the privilege levels or the role-based CLI.
0:03:01 Now for the remote AAA, this is where the vast majority of our focus needs to be; the local configuration and things like that are really not as complicated as what we can do with the TACACS and the RADIUS protocols.
0:03:17 Now TACACS is going to support all three of these variations, the Authentication, the Authorization and the Accounting,
0:03:24 but for Authorization and Accounting it's going to support two different subtypes, which we can categorize into our exec Authorization versus our command Authorization,
0:03:37 where exec Authorization is going to control, can an administrator log in to the router, or log in to the switch or the ASA,
0:03:46 where the command authorization is going to control what are the individual specific commands that they can issue once they are logged in to the command line.
0:03:56 Then likewise for the accounting, we can do exec accounting, which just determines has the user logged in, has the user logged out,
0:04:04 but also the per-command accounting, which is going to tell us exactly what the user did once they were logged into the command line.
0:04:14 Now the other variation we have is RADIUS, which like TACACS does support all of the Authentication, the Authorization and the Accounting,
0:04:22 but it doesn't support as detailed of the Authorization and Accounting functions as TACACS does within the scope of administration of the network.
0:04:33 Now in general we can separate the TACACS functions from the RADIUS functions, where TACACS is more used for the administration of the network devices, like the routers, the switches, the firewalls and the network,
0:04:46 and RADIUS is more geared towards the user services, where it would be used for some VPN client's username and password authentication,
0:04:57 or someone's laptop, when they plug it in to the network and they do dot1x authentication, or when they connect to the wireless client and they are doing their EAP authentication; that's going to be taken care of by RADIUS.
0:05:11 Now additionally, TACACS is a Cisco proprietary protocol where RADIUS is an open standard, so any type of feature that is not vendor specific is generally going to have vendor support through RADIUS as opposed to TACACS.
0:05:27 Now additionally we will see cases where we would want to configure both TACACS and RADIUS at the same time, because they are going to have different individual functions depending on the features that we are trying to configure,
0:05:38 so when we get into more detail about these features, like the cut-through proxy on the ASA versus the Authentication proxy on the IOS, there are cases where you would want to use one versus the other, because RADIUS supports different types of systems than TACACS does and vice versa.
0:05:57 Now specifically behind the scenes, other than the fact that TACACS is a Cisco proprietary protocol, the other major thing that we care about is that TACACS uses a different transport than RADIUS does,
0:06:10 where TACACS uses TCP port 49, and RADIUS is using two different sets of UDP ports:
0:06:19 the originally assigned ports, the legacy ports, are 1645 and 1646, where 1645 is used for RADIUS authentication and 1646 is going to be used for RADIUS accounting;
0:06:35 the new standardized ports are 1812 and 1813, but likewise 1812 is going to be used for authentication where 1813 is used for the Accounting.
0:06:48 So obviously there are going to be differences in the actual protocol formats, TACACS being Cisco proprietary, RADIUS being the open standard,
0:06:56 but from our point of view, from the implementation, really the big thing that we care about is the differences in the transport,
0:07:02 so when we are configuring the routers, and the switches and the ASAs as TACACS or RADIUS clients, we need to make sure that if we are using TACACS we have TCP port 49 transport from the AAA client to the AAA server,
0:07:18 then for RADIUS we would need UDP 1645 and 1646 if we are using the legacy versions, and 1812 and 1813 if we are using the standardized ports.
0:07:29 Now before we get into the specifics of RADIUS and TACACS and exactly what we can do with each of them individually, we are going to look at some of the functions locally on the IOS for doing our authentication, our exec and command authorization, and then our accounting.
0:07:48 Now by default, if we have not configured AAA on the routers, the default authentication method is going to be to use the local database,
0:07:57 where we have essentially two different types of authentication we need to deal with, the first of which is our exec authentication.
0:08:06 Exec authentication controls who can access the exec process, or basically the CLI parser, where when someone telnets into the router, if they log in and they have access to the exec process, they are going to end up in the command line.
0:08:22 Now the exec authentication could either use the local database that has got username and password, or could use a simple password that is assigned to the line, like the console lines or the VTY lines,
0:08:35 or we could configure it for no authentication, which is the default method for the console.
0:08:43 Now the other method we have is our enable authentication, and this is going to control who can get to privileged mode once we are logged into the command line,
0:08:53 where typically this is going to be using our enable password or enable secret, but it could be coupled together with the local database,
0:09:02 where the username and password combination is doing the exec authentication but then it's also doing their enable authentication, which is assigning them their privilege level.
0:09:13 Also, just like on the line we can specify the password, we could also specify the privilege level on the line, which is then going to assign them what the privilege number is once they are actually logged in.
0:09:26 Now the privilege number, or the privilege level, is what we use in order to control what particular commands the user can issue once they are logged into their command line,
0:09:37 and there are three different default privilege levels that we have when we are not doing any customization of AAA:
0:09:45 the first of which is zero, which essentially means that we have no access to any commands;
0:09:52 privilege level 1 is the default user mode, this is typically what you see when you log in and you see the router's hostname followed by the > (greater-than sign);
0:10:03 and privilege level 15, or enable mode access, this is what we see with the router's hostname followed by the pound sign.
0:10:13 Now the ones in between these, privilege 2 through 14, these are going to be available for any type of custom assignments that we want,
0:10:23 and the reason that we would want to do this is if we want to either allow or disallow an individual user from issuing a particular command.
0:10:35 Now in order to do this we are going to be using the privilege command on the router, where we would say privilege exec, or privilege configure, or privilege interface;
0:10:45 this is going to be dependent on what is the sub-configuration mode that that particular command is issued in,
0:10:53 and this is where a lot of the confusion comes in when we are dealing with the local command authorization and the local exec authorization on the router,
0:11:02 where we need to figure out exactly what privilege level do we need in order to issue this command, and if we want to modify it, exactly how do we do it with the privilege command.
0:11:14 Now the mode that we are specifying here, if we were to say privilege exec or privilege configure, this is going to determine exactly where the command is located in the IOS's parser,
0:11:27 so for example an exec command is anything that would be issued in the mode where we see the router's hostname just followed by the pound sign,
0:11:37 where a configure command is where we have the router's hostname followed by config in parentheses, or an interface command would be where we have config-if.
0:11:48 Now the problem we run into, though, is that there are so many commands in the parser, it's not very feasible to do a large-scale implementation of this when we are trying to change the privilege levels locally.
0:12:02 So we will look at some examples here of doing the local authentication and the local authorization,
0:12:07 but when we get into the role-based CLI, and especially when we get into the TACACS command authorization and the TACACS exec authorization, that's generally where we would have a more scalable deployment of this type of config.
0:12:23 Now with the command authorization, if we are going to change this, there are generally two things that we would be doing:
0:12:30 the first of which would be to move a command's privilege down, to allow someone who has a lower privilege level, let's say privilege level 1, to run a command that they normally would not have access to, like an extended ping or the show run command;
0:12:47 the other option would be if we were to move a command's privilege up, so revoke a command from someone who would normally have access to that, like someone at privilege level 1,
0:12:59 we could say we want to remove the particular show commands, or we want to remove them from being able to issue the enable command.
0:13:10 So next let's take a look at the command line, and we are going to go through some basic examples of the exec authentication and the exec authorization,
0:13:18 and see some of the kinds of shortcuts that we can do on the command line to figure out exactly what we would need to change in order to allow a particular user to run a command or to disallow a user from running a command.
0:13:32 Now one of the first things that we need to be aware of is the show privilege command; this is going to show, for your currently logged-in exec session, what privilege you are allocated.
0:13:44 Now typically with the default configuration, when you connect to the console and you show privilege, the user is going to be in privilege level 1.
0:13:53 Now at this point, since I exited out of the console and came back in and was not asked for a password, this means that there is no exec authentication configured,
0:14:07 where if I were to go to the console line, line console 0, and say the password is cisco, when I exit out of the console, and actually I missed one command, which is the login command,
0:14:28 now the console is going to be asking me for the line password.
0:14:33 Now notice that this does not assign a particular privilege level for me, it's just saying that I can go into the exec process,
0:14:42 because if we look at the show run section line, and actually I need to be in enable mode first, show run section line,
0:14:50 by default on the console, the aux port and the VTYs we have the command that is exec, which means that if a user connects on to this line they are allowed to run the exec process.
0:15:05 If I were to say no exec, then if I were to telnet locally into router1, it's simply going to tell me that the connection is refused.
0:15:19 So if you wanted to disable console access, or you wanted to disable the aux port or the VTY lines, this is the way we would do it, by simply saying no exec.
0:15:29 So normally the users are authorized to run the exec process, then depending on whether we are configuring the password locally under the line or to check the local database, this is going to be for our exec authentication.
0:15:47 Now currently for the VTY lines we have said to check the local database, and if we show run include username, we see we have the username cisco, password cisco,
0:15:58 which means that if I telnet into myself, it's going to ask me for this combination, username cisco, password cisco.
0:16:06 So again our three different variations of our exec authentication: the username and password combination in the local database; we could do this on the line with login and then the password;
0:16:20 or I could simply say no login, which is kind of confusing because it doesn't mean you are not able to log in, it means that you are not checking for login authentication.
0:16:31 So if I were to go to line con 0 and say no login, no password, when I exit out of the console and come back in, I am simply automatically going to authenticate to the exec process.
0:16:52 Now once in exec, by default I am going to be assigned privilege level 1; this is going to be true whether I am coming in from the console, from the aux port or from the VTY lines.
0:17:03 If we look at the question mark, we can see the individual commands that a user at privilege 1 is authorized to run,
0:17:13 where typical show commands like show ip interface brief, show ip route, privilege level 1 is authorized to run these,
0:17:22 but I am not authorized to say config t, or I am not authorized to say clear ip route or show run;
0:17:31 what this means is that these three commands, configure terminal, the clear command and the show run, these are above my current privilege level.
0:17:41 Now to actually see what the privilege of the command is, there is a shortcut that we can do on the router, that is the show parser dump,
0:17:52 and what the parser dump is going to show us is all of the officially supported commands that are in the context-sensitive help, but also what the particular privilege level of that command is.
0:18:05 Now when we issue that parser dump command, it is then going to ask us for the mode of the command, just like the privilege command in global config would ask us for.
0:18:15 So if I were to say show parser dump exec, this is going to show me all the different commands that can be issued at the exec mode.
0:18:26 Now the number that is at the beginning here, this is the default privilege level for the command;
0:18:33 so for example the clear ipsec command, or the clear ip admission, I should be able to issue these from privilege level 1.
0:18:45 Now if we look at the show parser dump, and let's say exec, we can sort these based on the privilege number;
0:18:54 if I were to say include anything that starts with a ^ (caret) 15_ (underscore), these would be our privilege 15 commands,
0:19:05 so any type of debug command, any type of undebug command; we will see there are tons of debug commands that we can issue here, but it's going to show us what are the default privilege levels for all of these.
0:19:19 Now if we wanted to authorize an individual user to run these commands, we have two options:
0:19:26 we could have them further authorize, which is what the enable command does, and what the parser is looking for in this case is our enable password, which by default is our privilege 15 password;
0:19:42 if I were to say show privilege, this is going to be authorizing me to privilege level 15,
0:19:50 but technically we can have multiple levels of privilege with different enable passwords or different enable secrets that are for that specific privilege number.
0:20:01 So for example if I were to go into global config, I can configure an enable password, and let's say this is cisco1, where cisco1 is the level 2 password.
0:20:18 So now from user mode, if I were to say enable 2, it's going to be looking for this new password that I specified, which is cisco1;
0:20:29 if we now look at the show privilege, I am now authorized to privilege level 2.
0:20:36 Now it gets a little bit confusing because typically when you see the router's hostname followed by the pound prompt, you would assume that you are in privileged mode, which means that you can make whatever changes that you want to,
0:20:50 but technically the router is going to show you the pound as long as you are not privilege level 0 or 1.
0:20:58 Now since I have not actually configured any commands that are at privilege level 2, I am not going to be able to make any changes that I would not be able to if I was in privilege level 1,
0:21:10 and the reason for this is that when you are looking at your privilege numbers 0 through 15, if I am authorized to privilege level 5 it means that I can issue any commands that are from 0 to 5;
0:21:24 if I am at privilege 10, I can issue anything that's 0 through 10; that's why the topmost number, 15, is the most authorized level, because they can issue all commands, 1 through 15.
0:21:36 But again if we were to try to make any changes here, if we were to say clear ip route, or show run, or config t, I am not actually able to issue these commands, because they are still higher than my current privilege level of 2.
0:21:54 Now what I could change is that if there was a specific command I wanted to issue, let's say I want to be able to say clear ip route, I would need to figure out what is the current privilege level of that command, then bring it down in order to be either at level 2 or below.
0:22:12 So if I were to move clear ip route down to level 1, it would mean that users who are authorized to level 1 or higher would be able to issue that command.
0:22:23 So let's next go into privilege level 15, we will say enable, which is actually a shortcut for enable 15, then from global configuration we are going to issue the privilege command.
0:22:36 Now again, just like the parser dump, the argument that it's looking for here is what is the specific mode, or the sub-configuration mode, that the command would be run in.
0:22:48 Now the way that you want to think about this is, if you were to actually make a configuration change for whatever command you want to issue;
0:22:56 so if I wanted the user to be able to log in and say clear ip route, normally the user would be at exec mode, they would be at a privilege level and then they would say clear ip route,
0:23:09 so what this means is that this particular command should be an exec-level command.
0:23:16 Now if I want someone to go to the interface FastEthernet0/0 and configure an ip address, interface, ip address, this is not an exec type of command, I would have to be in global config before I issue that.
0:23:33 So this is then going to control what mode you would want to issue with the privilege command,
0:23:38 so for a clear command that's going to be run at exec, I want to say, for level 2, which is the new level I defined, I want someone to be able to say clear ip route *,
0:23:52 which if we look at the result of this, show run include privilege, this sequence of commands, clear ip route *, is actually made up of one command and three arguments;
0:24:07 specifically these arguments are ip, ip route, and then ip route *.
0:24:15 Now the reason that this is important is that when we get to our TACACS command authorization, so remotely doing AAA command authorization, we need to know what is the major command that we are trying to authorize, which in this case is the clear command,
0:24:32 and then what are the individual arguments, where we have ip, ip route and then ip route *.
0:24:38 So in other words it means someone cannot issue clear ip route * if they were not authorized to say clear ip; they couldn't say clear ip if they weren't authorized to say clear.
0:24:51 Now this doesn't necessarily mean that when we go to privilege level 2, so let's say enable 2, if we look at the clear followed by the ? (question mark), clear ip ?, clear ip route, we see that we can say clear ip route *,
0:25:17 but it doesn't mean that I could now say clear ip cef, for example, or clear ip igmp.
0:26:02 So it's going to show me just the particular commands that I am authorized to use.
0:26:08 Now likewise, since I am still in privilege level 2, if we show privilege, it means that I cannot get to global config or I cannot show run.
0:26:19 Now the problem with this is that when you try to implement the privilege numbers for more than just a small handful of users, it quickly starts to get out of control, the hierarchy of how the privilege levels work,
0:26:34 because let's say I want a user to be able to clear the routing table, and they are able to look at the routing table.
0:26:40 Now by taking the clear ip route command and moving it down to level 2 I was able to accomplish that, if we again show run include privilege,
0:26:52 so now anyone at level 2 or higher is able to issue the clear ip route command,
0:26:57 but if I now want to authorize someone to run additional commands but not clear ip route, there is really no way that I can do that by using the privilege commands.
0:27:09 So the key is that the privilege numbers are cumulative: if I am level 5, it means that I have access to commands at 0, 1, 2, 3, 4 and 5.
0:27:19 So this is one example of bringing the privilege level down for a command; the other option would be to move a command up.
0:27:28 So let's say that for the users at level 1, so if we show privilege we are currently at level 1, normally I am able to say show ip route;
0:27:42 so let's say for the users at level 1, we don't want them to be able to say show ip route, but I still want them to be able to say show ip cef or show ip interface brief.
0:27:56 What this means is that I would need to de-authorize this individual argument of the show and the show ip command by moving it to a level that is higher than 1.
0:28:11 Now we can do this logic the same way that we did by moving the other command down, which again we saw when we say show run include privilege;
0:28:21 if I were to say privilege exec at level, let's say, 5, I have the show ip route, then if we show run include privilege, it has now also moved the show command up to 5 and the show ip command up to 5.
0:28:47
|
So lets look at this from a different router, so we can keep
|
|
0:28:49
|
both of these open at the same time, from router2
|
|
0:28:52
|
I am going to telnet into router1
|
|
0:28:57
|
this username and password that is for a local authentication on the vty line
|
|
0:29:02
|
this should drop the user of it privilege
|
|
0:29:04
|
level 1
|
|
0:29:07
|
Now the normally the users are able to issue the show privilege command
|
|
0:29:10
|
but in this case
|
|
0:29:13
|
they were now de authorised from running it
|
|
0:29:16
|
because when I moved show ip route upto 5
|
|
0:29:19
|
its moving show plus it is moving show ip up
|
|
0:29:24
|
so in reality, in addition to moving show ip route up
|
|
0:29:28
|
I would need to move, show backdown
|
|
0:29:32
|
or I will say at level 0 I have show
|
|
0:29:36
|
Now the user should be able to say show privilege
|
|
0:29:40
|
but if they say show ip cef
|
|
0:29:42
|
they are de authorized to run this
|
|
0:29:45
|
because the show ip
|
|
0:29:48
|
is still at level 5
|
|
0:29:51
|
here if we show run in privilege
|
|
0:29:58
|
we see show is at zero
|
|
0:30:00
|
but show ip is at 5
|
|
0:30:03
|
show ip route is at 5 also, this is what I want
|
|
0:30:06
|
but I still want them to able to run other show ip commands
|
|
0:30:09
|
means that I am going to have to move that one back down
|
|
0:30:12
|
So I will say show plus its argument
|
|
0:30:13
|
ip thats back at level zero
|
|
0:30:17
|
So now the users should be able to say show router cep
|
|
0:30:22
|
but not show ip route
|
|
0:30:27
|
so again you technically can accomplish this by using the
|
|
0:30:30
|
local privilege levels
|
|
0:30:32
|
on the router
|
|
0:30:33
|
but it becomes very cumbersome
|
|
0:30:36
|
because you have to look at the individual arguments
|
|
0:30:39
|
of what you do or do not want the users to be authorized to run
|
|
0:30:45
|
So again this is controlling
|
|
0:30:47
|
what level the command is at
|
|
0:30:50
|
this does not control what privilege the user has
|
|
0:30:54
|
that is what our exec
|
|
0:30:56
|
authorization would be used for
|
|
0:30:59
|
So the privilege command, this is for the command authorization
|
|
0:31:03
|
the exec authorization is going to control
|
|
0:31:06
|
when the user logs in what
|
|
0:31:08
|
privilege level are they assigned
|
|
0:31:11
|
Now we saw, when the user from router 2
|
|
0:31:15
|
telnetted into router 1
|
|
0:31:17
|
it logged in as cisco cisco
|
|
0:31:19
|
and we said show privilege
|
|
0:31:22
|
they were given level 1 by default
|
|
0:31:25
|
this is because on router1
|
|
0:31:27
|
the username command, if we show run include user
|
|
0:31:33
|
has a default privilege of 1
|
|
0:31:37
|
Now we can change this
|
|
0:31:39
|
so that when we are doing the local
|
|
0:31:42
|
exec authorization
|
|
0:31:44
|
excuse me, the local exec authentication
|
|
0:31:47
|
So the username and password
|
|
0:31:48
|
that we can also do the exec
|
|
0:31:50
|
authorization, which is giving them the privilege number
|
|
0:31:54
|
So I can say username cisco, it's privilege level 5
|
|
0:31:59
|
So when the user logs in
|
|
0:32:03
|
if we show privilege
|
|
0:32:06
|
they are given privilege level 5
|
|
0:32:10
|
sometimes you will see this done like on the console
|
|
0:32:13
|
where we say for, once the exec
|
|
0:32:16
|
authentication happens
|
|
0:32:18
|
then automatically authorize them to this
|
|
0:32:21
|
privilege level, we will say privilege level 15
|
|
0:32:25
|
So now if I exit out of the console and come back in
|
|
0:32:28
|
it should automatically put me into privilege 15
|
|
0:32:35
|
but the key is that you need to make the distinction here, they are technically two separate operations
|
|
0:32:40
|
for the exec authorization
|
|
0:32:43
|
and the command authorization
|
|
0:32:46
|
where the exec authorization is the one that is giving them the privilege number
|
|
0:32:50
|
but the command authorization
|
|
0:32:53
|
is the one that is controlling
|
|
0:32:56
|
who can actually issue the commands or not
|
|
0:33:02
|
Now when we look at our remote
|
|
0:33:04
|
authentication and our remote authorization through RADIUS and TACACS
|
|
0:33:08
|
the reason that this is important
|
|
0:33:10
|
is that RADIUS can do this for you
|
|
0:33:14
|
which is giving you the privilege number
|
|
0:33:17
|
but RADIUS cannot
|
|
0:33:18
|
authorize for the individual commands
|
|
0:33:23
|
however with TACACS
|
|
0:33:25
|
TACACS can do both the exec
|
|
0:33:27
|
authorization and the command authorization
|
|
0:33:31
|
so it says when you log in to TACACS, this is the privilege number you get
|
|
0:33:35
|
and then this is your command authorization set
|
|
0:33:38
|
So these are the specific commands, you either
|
|
0:33:40
|
can or cannot issue
|
|
0:33:46
|
Now the other variation of us doing this locally
|
|
0:33:49
|
is known as the role based access control or the role based CLI
|
|
0:33:53
|
which essentially is a replacement for this privilege level
|
|
0:33:56
|
because it makes it a little bit more flexible
|
|
0:33:58
|
as to how the commands are
|
|
0:34:00
|
allocated to the individual users
|
|
0:34:04
|
now the key point about the role based CLI
|
|
0:34:08
|
is around this
|
|
0:34:09
|
term that we have the parser view
|
|
0:34:14
|
Now an individual user's role
|
|
0:34:16
|
is based on the 'parser view' that they are assigned
|
|
0:34:21
|
the parser view is going to determine what particular commands they can or cannot issue
|
|
0:34:26
|
So the difference is that the role based CLI
|
|
0:34:29
|
is a group based command authorization
|
|
0:34:33
|
as opposed to the
|
|
0:34:34
|
user based authorization that we could do with
|
|
0:34:38
|
TACACS or that we were doing
|
|
0:34:41
|
here locally with the privilege level
|
|
0:34:43
|
privilege numbers onto the usernames
|
|
0:34:48
|
so we don't necessarily need to assign the user a privilege number
|
|
0:34:51
|
when they authenticate, we are just going to assign them to the parser view
|
|
0:34:55
|
the parser view is then going to
|
|
0:34:57
|
determine
|
|
0:34:58
|
what are the individual commands that user can issue
|
|
0:35:02
|
Now we can switch between the
|
|
0:35:04
|
parser views or the roles
|
|
0:35:07
|
by issuing the enable view command manually on the command line
|
|
0:35:10
|
or we can assign it to them when they log in
|
|
0:35:14
|
so as part of the exec authorization
|
|
0:35:18
|
we are going to give them the particular parser view
|
|
0:35:24
|
now configuration of this is first done
|
|
0:35:26
|
under what is known as the root view or the enable view
|
|
0:35:30
|
you can think of this as one hierarchy above all of the other roles
|
|
0:35:35
|
So it's the root of the authorization configuration, this is where we actually define the roles
|
|
0:35:40
|
but this configuration even if we are doing it locally
|
|
0:35:44
|
it does require that AAA be enabled on the routers
|
|
0:35:50
|
now documentation wise if we were to go to the main
|
|
0:35:53
|
IOS documentation
|
|
0:35:56
|
then down to security
|
|
0:35:57
|
and securing user services
|
|
0:36:00
|
that's where all of these types of configuration are going to be documented
|
|
0:36:05
|
like the securing user services overview
|
|
0:36:08
|
this is a pretty good document you may want to spend some time reading through
|
|
0:36:12
|
just to talk about some of the differences between RADIUS and TACACS
|
|
0:36:16
|
and some of the new minor
|
|
0:36:18
|
changes in the recent versions like their login enhancements, the resilient configuration
|
|
0:36:23
|
it's a good idea to know that these
|
|
0:36:25
|
features are available
|
|
0:36:27
|
but here with the role based CLI access
|
|
0:36:30
|
this is what is the
|
|
0:36:31
|
either the Role Based CLI or the Role Based Access Control, the RBAC
|
|
0:36:36
|
Now if we look at their particular examples
|
|
0:36:40
|
it says that
|
|
0:36:42
|
I have a CLI view that is named first
|
|
0:36:46
|
for this view called first
|
|
0:36:49
|
users who are authorized there are able to run the show version
|
|
0:36:53
|
or they are able to run configure terminal
|
|
0:36:56
|
and they are able to run all
|
|
0:36:58
|
show ip commands
|
|
0:37:00
|
So any argument that is under show ip, we are able to use
|
|
0:37:05
|
then someone who is in the
|
|
0:37:06
|
parser view called second
|
|
0:37:09
|
they are able to say show ip interface
|
|
0:37:13
|
but this is an exclusive assignment
|
|
0:37:16
|
which means although someone who is in
|
|
0:37:19
|
parser view first
|
|
0:37:20
|
they are able to run all show ip commands
|
|
0:37:23
|
and this one, this particular argument, show ip interface
|
|
0:37:26
|
is reserved just for this individual view
|
|
0:37:31
|
Now you also have the option to say commands exclude
|
|
0:37:36
|
So if you are including everything, then you can selectively
|
|
0:37:39
|
exclude an individual command that you do not
|
|
0:37:41
|
want them to use
|
|
0:37:43
|
and you could also combine these together
|
|
0:37:46
|
into what is known as the
|
|
0:37:50
|
super view
|
|
0:37:52
|
where a super view is essentially a grouping of
|
|
0:37:55
|
other views together
|
|
0:37:56
|
where this one says, superview
|
|
0:37:58
|
called su_view1
|
|
0:38:01
|
can run whatever commands that view_1
|
|
0:38:03
|
and view_2
|
|
0:38:06
|
are authorized for
|
|
0:38:08
|
then view2 is able to run whatever commands view3 and view4
|
|
0:38:12
|
are authorized for
|
|
0:38:19
|
so let's go through a basic example of this
|
|
0:38:22
|
where the users log in and they are going to be assigned to different views
|
|
0:38:25
|
based on their login authentication
|
|
0:38:28
|
and you could use this
|
|
0:38:30
|
this example here, that they have here, as
|
|
0:38:33
|
part of our template
|
|
0:39:21
|
So here we have two different views
|
|
0:39:23
|
the first one is called first
|
|
0:39:25
|
the second one is called second
|
|
0:39:28
|
they have two different passwords assigned to them
|
|
0:39:30
|
firstpass and secondpass
|
|
0:39:32
|
we are saying that when someone authenticates and is assigned to the view first
|
|
0:39:36
|
they can show version, they can go to global config
|
|
0:39:41
|
and they can run all show ip commands
|
|
0:39:44
|
but the second one
|
|
0:39:47
|
is able to issue show ip interface
|
|
0:39:51
|
and the first one should not be able to, because this is an include-exclusive
|
|
0:39:55
|
then these users are able to log out
|
|
0:39:59
|
where the other ones actually won't be able to issue that command
|
|
0:40:03
|
So let's enter these, here let's try this on
|
|
0:40:05
|
let's say router2
|
|
0:40:09
|
where the first thing we need to do
|
|
0:40:11
|
is to turn on AAA
|
|
0:40:14
|
we need to say aaa new-model
|
|
0:40:19
|
then we issue the enable view command
|
|
0:40:23
|
which uses our same global enable password
|
|
0:40:26
|
but that was putting us into the root view
|
|
0:40:29
|
if we look at the show parser view
|
|
0:40:33
|
this is going to show what our current assignment is
|
|
0:40:43
|
here it says, parser view first, secret 5
|
|
0:40:46
|
firstpass: the secret you entered is not a valid encrypted secret
|
|
0:40:50
|
to enter an unencrypted secret, do not specify the type 5 encryption
|
|
0:40:54
|
basically this error message means that this example is wrong
|
|
0:40:57
|
this 5 should not be there
|
|
0:41:07
|
so we have two separate views, let's say show run section parser
|
|
0:41:13
|
there are two separate views, it's automatically converting these to secrets
|
|
0:41:17
|
from my clear text inputs
|
|
0:41:21
|
but the first user should be able to go to global config
|
|
0:41:24
|
show version
|
|
0:41:26
|
run all show ip commands
|
|
0:41:28
|
the second view is going to be able to say show ip interface
|
|
0:41:32
|
Now there are two different ways that we can get into
|
|
0:41:35
|
these 'parser views'
|
|
0:41:38
|
So let's say on router3 we telnet to router2
|
|
0:41:44
|
if we show privilege
|
|
0:41:46
|
right now we are at level 1, which is default
|
|
0:41:49
|
if we say enable view and then the name
|
|
0:41:53
|
where the first one is the first view
|
|
0:41:56
|
and the password is, actually the view name is first
|
|
0:42:00
|
and the password is firstpass
|
|
0:42:04
|
So enable view first
|
|
0:42:06
|
password is firstpass
|
|
0:42:08
|
if we show parser view
|
|
0:42:10
|
Now we are in that view first
|
|
0:42:13
|
the commands that we can issue
|
|
0:42:15
|
are show
|
|
0:42:17
|
ip
|
|
0:42:19
|
and we could see all of the
|
|
0:42:22
|
sub arguments
|
|
0:42:24
|
So if I say show ip route
|
|
0:42:28
|
show ip interface brief
|
|
0:42:31
|
I am able to issue
|
|
0:42:32
|
all of those except
|
|
0:42:35
|
show ip interface
|
|
0:42:38
|
So show ip route was allowed, show ip cef should be allowed
|
|
0:42:43
|
show ip igmp
|
|
0:42:46
|
groups, thats going to be allowed
|
|
0:42:49
|
but show ip interface is not, nor any sub-command under this
|
|
0:42:54
|
it also says that I should be able to say show version
|
|
0:42:57
|
and go to global config
|
|
0:42:59
|
So lets say config
|
|
0:43:02
|
config t
|
|
0:43:04
|
Now from here
|
|
0:43:06
|
it's kind of odd why they are showing this in the example, because
|
|
0:43:10
|
I am authorized to get to global config
|
|
0:43:13
|
but once I am there, I am not actually authorized to do anything
|
|
0:43:19
|
So the parser view is very strict about
|
|
0:43:21
|
what commands you are allowed or disallowed to run
|
|
0:43:26
|
by default whatever command is there
|
|
0:43:28
|
that it's saying you are included to do
|
|
0:43:32
|
there is always an implicit deny at the end
|
|
0:43:36
|
So I have included these three values
|
|
0:43:39
|
but it means that I am excluding everything else
|
|
0:43:42
|
the same is going to be true for the other user
|
|
0:43:46
|
Now if we try to exit out of the command line
|
|
0:43:50
|
we could see, we are able to exit there
|
|
0:43:52
|
but if we were to say
|
|
0:43:56
|
let's say enable view first
|
|
0:44:00
|
with firstpass
|
|
0:44:02
|
if we say logout
|
|
0:44:04
|
we are not authorized to run that command
|
|
0:44:07
|
Now you can end up in some interesting situations in this
|
|
0:44:10
|
where you can actually de-authorize yourself from exiting out of the console
|
|
0:44:16
|
or you can lock yourself
|
|
0:44:17
|
out of an individual line
|
|
0:44:20
|
So before you make any of these type of changes with AAA, make sure that you save your configuration
|
|
0:44:24
|
So that if you do lock yourself out
|
|
0:44:27
|
you know that you can revert back to a well known
|
|
0:44:30
|
working configuration later
|
|
0:44:33
|
and there is a worst case scenario for this
|
|
0:44:35
|
you can run the configuration rollback
|
|
0:44:40
|
or you can say reload in
|
|
0:44:44
|
or I could say reload in
|
|
0:44:47
|
let's say 05
|
|
0:44:52
|
So now the router is going to reload in 5 minutes unless I say reload cancel
|
|
0:44:58
|
So if you are making some sort of authentication change and you are not 100% sure its going to work
|
|
0:45:02
|
then you could
|
|
0:45:03
|
as a worst case scenario, just reboot the router to your well known
|
|
0:45:06
|
working configuration, previous to that
|
|
0:45:11
|
okay, so let's telnet back to router2
|
|
0:45:14
|
and lets try the other view, where the
|
|
0:45:16
|
other view is named second
|
|
0:45:21
|
with secondpass
|
|
0:45:29
|
enable view second, secondpass
|
|
0:45:33
|
says I should be able to show ip interface
|
|
0:45:37
|
which I can
|
|
0:45:39
|
is it going to allow me to show ip route though? no
|
|
0:45:43
|
because this particular user was not
|
|
0:45:44
|
included to run that command
|
|
0:45:48
|
I should not be able to say clear ip route
|
|
0:45:51
|
or show run
|
|
0:45:54
|
or
|
|
0:45:55
|
show ip bgp neighbors, etc.
|
|
0:45:58
|
So I am only authorized for the individual commands that
|
|
0:46:01
|
are listed in the parser views
|
|
0:46:05
|
So again if you are to do this locally
|
|
0:46:08
|
probably your better choice is to use the role based CLI versus using the privilege levels
|
|
0:46:13
|
because the hierarchy of the privilege level becomes too complex
|
|
0:46:16
|
anytime you have more than, let's say, three users
|
|
0:46:20
|
but with the parser views it's
|
|
0:46:21
|
arbitrary as to the particular commands they are either authorized or de authorized to run
|
|
0:46:28
|
the other thing that you may need to know here is how do you actually assign the user
|
|
0:46:32
|
to the individual role
|
|
0:46:35
|
when they login
|
|
0:46:36
|
So lets say that we have two users
|
|
0:46:38
|
username first
|
|
0:46:40
|
password cisco
|
|
0:46:41
|
and username second
|
|
0:46:45
|
password cisco
|
|
0:46:47
|
for username first
|
|
0:46:50
|
I want to
|
|
0:46:52
|
send them to the role
|
|
0:46:55
|
or the parser view
|
|
0:46:58
|
username first view
|
|
0:47:02
|
I want them to have the first view
|
|
0:47:04
|
then username second, I want them to have the second view
|
|
0:47:11
|
So now ideally, once we telnet to router2
|
|
0:47:15
|
login is first
|
|
0:47:17
|
and show parser view
|
|
0:47:20
|
I want this user to be
|
|
0:47:22
|
assigned to the first view
|
|
0:47:25
|
we can see it's not
|
|
0:47:27
|
then we want to telnet in here and log in as second
|
|
0:47:31
|
then show parser view
|
|
0:47:33
|
they are not assigned to a parser view
|
|
0:47:37
|
and I am not 100% sure if the documentation shows you what to do
|
|
0:47:43
|
let's search for AAA
|
|
0:47:47
|
authorization, actually it does not show
|
|
0:47:49
|
because the
|
|
0:47:52
|
the problem we are running into, and we are going to talk about this a little bit later, when we get into more details with the remote
|
|
0:47:58
|
authentication and authorization
|
|
0:48:00
|
is on router2
|
|
0:48:02
|
in order to turn the Role Based CLI on
|
|
0:48:05
|
we had to enable AAA
|
|
0:48:08
|
So if we show run include AAA
|
|
0:48:12
|
says AAA is on
|
|
0:48:14
|
but we do not have any specific methods
|
|
0:48:17
|
defined for AAA
|
|
0:48:19
|
So the authentication, the authorization, we have none of these defined
|
|
0:48:24
|
by default the router is always going to check
|
|
0:48:27
|
the local database for authentication
|
|
0:48:31
|
but it is not configured for exec
|
|
0:48:34
|
authorization
|
|
0:48:36
|
which is the problem we have here
|
|
0:48:39
|
if I want to assign an individual privilege number
|
|
0:48:43
|
or a particular parser view
|
|
0:48:45
|
I now need to tell the AAA process to look at the local database for that
|
|
0:48:51
|
and the local database, here if we show run include username
|
|
0:48:56
|
is made up of
|
|
0:48:57
|
the username and password for the authentication
|
|
0:49:01
|
then the view, this is part of their authentication
|
|
0:49:06
|
Now the same would be true if I said username five
|
|
0:49:10
|
password
|
|
0:49:13
|
password cisco, username five
|
|
0:49:17
|
privilege 5
|
|
0:49:20
|
then if I log in as this user
|
|
0:49:22
|
five, password cisco
|
|
0:49:24
|
when I show privilege
|
|
0:49:27
|
I am at level one
|
|
0:49:28
|
not at level 5
|
|
0:49:32
|
which based on this configuration you would assume that when this user logs in they are going to get privilege level 5
|
|
0:49:38
|
but they are actually not, because AAA is not configured for assignment
|
|
0:49:43
|
So what I would need to add here under global config
|
|
0:49:47
|
is AAA
|
|
0:49:48
|
authorization for the exec process
|
|
0:49:51
|
which again, remember, is what is used
|
|
0:49:53
|
to assign the privilege number
|
|
0:49:55
|
or in this case also the role or the view
|
|
0:49:58
|
So AAA authorization exec, I want to check the
|
|
0:50:02
|
local database, so by default
|
|
0:50:04
|
go to the local database
|
|
0:50:11
|
So now if I telnet in, I log in as 5
|
|
0:50:14
|
password cisco, show privilege
|
|
0:50:17
|
I am getting privilege 5
|
|
0:50:20
|
If I were to log in as
|
|
0:50:23
|
first
|
|
0:50:25
|
and show parser view
|
|
0:50:30
|
I am in the view first
|
|
0:50:32
|
because now we are saying in addition
|
|
0:50:34
|
to looking for the
|
|
0:50:38
|
just the authentication
|
|
0:50:40
|
which is their usernames and their passwords
|
|
0:50:43
|
the exec authorization
|
|
0:50:46
|
is what is assigning either the privilege number
|
|
0:50:49
|
or the view
|