CCNA Security Certification And CCNP SWITCH Tutorial:

The "Authorization" In AAA

Chris Bryant, CCIE #12933

 

In the first installment of this CCNA Security AAA tutorial, we took a look at the first "A" - Authentication - and defined exactly what role that "A" plays in network security.

Today's "A" is for Authorization - - and the natural question is "Aren't Authentication and Authorization the same thing?"

Not quite! Authentication decides whether a given user should be allowed into the network; Authorization dictates what users can do once they are in.

AAA Authorization

 

The aaa authorization command creates a user profile that is checked when a user attempts to use a particular command or service. 

As with Authentication, we'll have the option of creating a default list or a named list, and naturally AAA must be globally enabled with the aaa new-model command before you begin your Authorization configuration.

R1(config)#aaa new-model


R1(config)#aaa authorization ?
  auth-proxy       For Authentication Proxy Services
  commands         For exec (shell) commands.
  config-commands  For configuration mode commands.
  configuration    For downloading configurations from AAA server
  exec             For starting an exec (shell).
  network          For network services. (PPP, SLIP, ARAP)
  reverse-access   For reverse access connections

R1(config)#aaa authorization exec ?
  WORD     Named authorization list.
  default  The default authorization list.

R1(config)#aaa authorization exec default ?
  group             Use Server-group
  if-authenticated  Succeed if user has authenticated.
  local             Use local database.
  none              No authorization (always succeeds).

Now we're going to revisit an old CCNA friend... privilege levels.

Privilege Levels And AAA Authorization

Privilege levels define what commands a user can actually run on a router. There are three predefined privilege levels on Cisco routers, two of which you've been using since you started your Cisco studies - even if you didn't know it!

When you're in user exec mode, you're actually in privilege level 1, as verified with show privilege :

R2>show privilege
Current privilege level is 1

By moving to privileged exec mode with the enable command, you move from level 1 to level 15, the highest level:

R2>show privilege
Current privilege level is 1
R2>enable
R2#show privilege
Current privilege level is 15

There's actually a third predefined privilege level, Level Zero, which allows the user to run the commands exit, logout, disable, and enable. Obviously, a user at Level Zero can't do much.

There's a huge gap in network access between levels 1 and 15, and the remaining levels 2-14 can be configured to fill that gap. 

Levels 2 - 14 can be configured to allow a user assigned a particular privilege level to run some commands, but not all of them. 

Assume you have a user who should not be allowed to use the ping command, which by default can be run from privilege level 1:

R2>ping 172.1.1.1      (Success of the ping has been edited)

By moving the ping command to privilege level 5, a user must have at least that level of privilege in order to use ping.  To change the privilege level of a command, use the privilege command.  (IOS Help shows approximately 30 options following privilege, so I won't put all of those here.)

R2(config)#privilege ?
  address-family     Address Family configuration mode
  configure          Global configuration mode
  congestion         Frame Relay congestion configuration mode
  dhcp               DHCP pool configuration mode
  exec               Exec mode  

R2(config)#privilege exec ?
  level  Set privilege level of command
  reset  Reset privilege level of command

R2(config)#privilege exec level ?
  <0-15>  Privilege level

R2(config)#privilege exec level 5 ?
  LINE  Initial keywords of the command to modify

R2(config)#privilege exec level 5 ping

A user must now have at least a privilege level of 5 to send a ping.  Let's test that from both level 1 and 15.

First, from level 1:

R2>ping 172.1.1.1
        ^
% Invalid input detected at '^' marker.

And now from level 15:

R2#ping 172.1.1.1    (Success of ping edited)

Note the user at Level 1 is not told they're being denied access to this command because of privilege level.  The ping works successfully from Level 15.

There are two options for assigning privilege levels to users, one involving AAA and one not.  To enable AAA Authorization to use privilege levels, use the aaa authorization command followed by the appropriate option:

R2(config)#aaa authorization ?
  auth-proxy         For Authentication Proxy Services
  commands           For exec (shell) commands.
  config-commands    For configuration mode commands.
  configuration      For downloading configurations from AAA server
  exec               For starting an exec (shell).
  network            For network services. (PPP, SLIP, ARAP)
  reverse-access     For reverse access connections

The full command to have the TACACS+ server authorize level 5 commands, with the local database as the fallback method, is as follows:

R2(config)#aaa authorization commands 5 default group tacacs+ local

Getting authorization to work exactly the way you want it to does take quite a bit of planning and testing due to the many options. Don't become (too) frustrated if you don't get the desired results the first time around - this usually takes a bit of fine-tuning.

Privilege levels can also be assigned via the router's local database.  To do so, use the privilege option in the middle of the username/password command.

R2(config)#username chris privilege 5 password bryant

That would assign a privilege level of 5 to that particular user, and they could use all commands that have a privilege level of 5 or lower...not just the commands with a privilege level of exactly 5.
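To make the privilege-level rules above concrete, here is an added model (not code from this tutorial or from Cisco IOS) of how a router decides whether a user may run an exec command: each command carries a level, a user may run commands at or below their own level, privilege exec level N moves a command, a denied command is simply hidden as "% Invalid input", and a method list such as group tacacs+ local only falls through to the next method when the previous one gives no answer. The starting command table, the user entries and the helper names are constructed for illustration.

```python
# Added example, not from the tutorial or IOS: a model of exec command
# authorization by privilege level and by AAA method list.

INVALID = "% Invalid input detected at '^' marker."

class PrivilegeTable:
    def __init__(self):
        # Constructed subset of default command levels; real IOS has many more.
        self.levels = {"enable": 0, "disable": 0, "exit": 0, "logout": 0,
                       "ping": 1, "show privilege": 1, "configure terminal": 15}

    def privilege_exec_level(self, level, keywords):
        """Models R(config)#privilege exec level <0-15> LINE."""
        if not 0 <= level <= 15:
            raise ValueError("privilege level must be 0-15")
        self.levels[keywords] = level

    def required_level(self, command):
        # The longest matching run of initial keywords decides the level.
        words = command.split()
        for n in range(len(words), 0, -1):
            prefix = " ".join(words[:n])
            if prefix in self.levels:
                return self.levels[prefix]
        return None  # unknown command

    def authorize(self, user_level, command):
        required = self.required_level(command)
        # A command above the user's level is hidden, not reported as a
        # privilege failure: the parser answers exactly as for a typo.
        if required is None or required > user_level:
            return INVALID
        return "OK"

def authorize_by_methods(methods, user_level, command):
    """Models a method list such as 'group tacacs+ local'. Each method is a
    callable returning 'OK', INVALID, or None when the server does not
    answer. Only a non-answer moves on to the next method; an explicit
    deny from the first method ends the check."""
    for method in methods:
        result = method(user_level, command)
        if result is not None:
            return result
    return INVALID  # no method answered

# Constructed local database: "username chris privilege 5 password ..." -> 5
LOCAL_USERS = {"chris": 5, "guest": 1}
```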

The Authorization feature of AAA can also assign IP addresses and other network parameters to Mobile IP users. How this occurs is beyond the scope of the CCNA Security or ISCW exam, but you can refer to RFC 2905 for more details. Perhaps more details than you'd like to know!

Two "A"s down, one to go! We'll take on the third "A" in the next CCNA Security / CCNP ISCW tutorial.


Thanks for making The Bryant Advantage part of your CCNA Security and CCNP studies!

Chris Bryant

CCIE #12933

"The Computer Certification Bulldog"

chris@thebryantadvantage.com
