Cisco CCIE Security 350-701 – AAA Authorization Part 2

  1. Local Authorization using Privilege Levels

Now in this video, we’ll see some local authorization by using privilege levels, and these privilege levels are configured on the local router. So in this example, I’m going to configure some privilege levels. So I’ll create two user accounts, user2 and user5, and then we’ll assign different privilege levels to them. Like user2 will be assigned the privilege level of 2 and user5 will be assigned the privilege level of 5.

And then we’ll allocate some commands to the specific privilege levels, and whichever user is assigned the privilege level of 2 will be able to execute these commands. Likewise, whichever user is assigned the privilege level of 5 will be allowed to access only the specific commands which we have defined here. And then we’ll enable the authorization finally after that. And then we’ll verify from the router: I’ll try to telnet, or maybe from router 2 I’ll try to telnet and verify by using these user accounts. So let’s get started here. So I have this preconfigured topology here on the router.

So we’ll go to router 1. If you verify the basic initial configurations, like on router 1 I do have this initial configuration present, and hopefully I should be able to ping router 2 to confirm the connectivity between router 1 and router 2. So before you go ahead and create anything, make sure that you have an admin account with a privilege level of 15 so that I can make some changes in the future. Because if you don’t create an admin account with privilege 15, then you may end up locking yourself out. So we need to say cisco; let’s say the admin password is nya123. The next thing, we’ll create some user accounts. So I’m going to create a user, user2, and I’m going to assign the privilege level of 2.

And as well as the password; I’m just using user222 to make it easier to remember. So likewise I’m creating user5 with a password, with a privilege level of 5, so it will be using a privilege of 5 and the username is user5. So up to now we didn’t assign any specific commands, which means if I try to log in with these user accounts, these users can issue all the commands inside privilege level 1. Apart from that, any other commands they cannot access. So if you want to test it out, we can go to router 2, and actually I didn’t enable the login local option, so we can go to the VTY line and we can simply say login local just for testing purposes.

You can simply say login local to use a local user account. Of course we can also enable AAA authorization to do this. So let me just go and assign the privilege levels first before I verify anyway. So, privilege level: initially the privilege level should be assigned like this, user2 should be able to execute show run and show startup commands, because these commands are not available at level 1. So this user can use these show commands, and then he can make changes, like he can change the hostname, and in order to change the hostname he must be allowed to enter the global configuration mode. So which means this user can use show run in privileged mode and then he can also use show startup-config.

At the same time he can execute a command called config t, and once you go to the configure terminal he can change the hostname inside the global configuration mode, and also he should come back and he can use the write command, write memory, to save the configurations. Now, the first thing we need to figure out is which modes those commands come in. Like if you see these four commands, these four commands come in privileged mode and this command comes in global configuration mode. So depending upon which mode the actual command comes in, we need to select the option here, like privilege exec. So if you’re using any specific commands relating to privileged mode, we use privilege exec and then define the level.

And then we need to type the exact shortcut or the exact command. And then any specific commands which come inside global configuration mode, because this command is below config hash (the hostname command), so that command should be given as privilege configure, the level, and then define hostname, the command. So likewise, if you are defining any commands which come under the interface, like these two commands, ip address and the shutdown / no shutdown commands, these come under the interface level, config-if. Now depending upon the command we need to select the option here, interface. So likewise this comes in router mode, and if any commands come inside router mode, we need to say privilege router. So basically you need to know these modes. Like the first thing you need to know is which command comes in which mode, and based on that, while you’re assigning the privilege levels, you need to specify that mode and then use question marks to find the next options.

Like in my case I want router 1 to be configured with some privilege levels, let’s say. So already I have created a user account; I will create a privilege, and then whatever the commands, like in my case initially I want these four commands, which come under exec mode, that is privileged mode, so we’ll say exec and which level. In my case I’m going to start with level 2 and then whatever the command, like I want to give show run and then show startup, show start, and of course other commands, like I want he should be able to save the configurations and then also should be allowed to go into global configuration mode.

Again, if you don’t allow the user to go into global configuration mode, or to use this command at the privilege level, you cannot allow the user to change the hostname either. And then we need to say privilege and inside the configure mode. So you can always use question marks to find the possible options over there.

So configure, and then level 2, the hostname element, and likewise I’m going to do the same thing for the level 5 user, the user5 account I already created. So I’m going to assign some specific commands here. Of course I can go and configure; let me just go and test it out with this user2 login. Now to test it out, either you can simply go to the router line VTY, line vty. I can simply say login local because already we are using local user accounts with the privilege that was assigned.

So if you’re using local then probably you don’t need to enable the authorization in general for testing out these features, but it’s something recommended. So what I’ll do is I’ll go and enable AAA first to test it out: this one, aaa authentication login, must use the name CCI and it is using local authentication, same as what we did in the authentication topics. And also I want to enable the authorization. Now the authorization has to be enabled for exec, for starting the exec shell. So I’m going to say CCI and local, and then we need to apply this on the VTY line: login authentication, and the user will be authenticated based on the list CCI, and also authorization exec shell with CCI here.

Now for testing, either we can go to router 2 and I can initiate a telnet connection to router 1, or I can use my PC. So let me use the PC here. So I’ll try to go to my PC and test the connectivity between the router and the PC, and then I’ll be using some kind of PuTTY software here and I’ll type in the IP address of the router on port number 23, initiating a telnet connection because I have not enabled any SSH here. So we’ll open up the connection. So I should see the username prompt and I’m going to use the username user2 and the password is also user222. Now I can see if I say show privilege. So whenever you log in with user2, because this user2 is assigned with a privilege level of 2, it shows up the privilege level of 2 and he can execute all the commands which are already present in privilege level 1.

Like he can use show ip interface brief because this command is already allowed in privilege level 1, which means the user assigned privilege level 2 can automatically access all the commands of privilege level 1, but the user assigned privilege level 1 will not be able to access any commands on the higher level.

So that’s the reason we don’t need to specifically define all the basic commands which are already available in privilege level 1. And he can also use show running-config and also show startup-config because these commands have been configured here. At the same time he should be able to make some changes by getting into global configuration mode. Like he can change the hostname to router 1, let’s say.

At the same time, if I try to execute some other commands like router rip, or any other commands which are not available in level 1 and which are not defined in privilege level 2, this user will not be able to access them. So likewise, we can simply go and configure the same thing with user5. So try to create these commands and you can also verify the same with the user with privilege level 5 as well.

So likewise what I’m doing is I already have these commands in the notepad here, so I’m going to copy-paste these commands on router 1 because we are trying to assign some specific commands in privilege level 5. And then for testing, I can go to my PuTTY or I can do it from router 2 as well. So let me try from router 2: from router 2 telnet to router 1, and this time I’m going to use user5, user5. I think I mistyped the password.

So let me try user5, and if I say show privilege here to verify the privilege, it automatically assigns the privilege level of 5. So one thing you need to notice here: if any user is assigned a privilege level of 2 or more than 2, automatically he goes into this privileged mode. So there’s no more enable password prompted in general. If any user is assigned privilege level 1, he will go to this mode first and then we need to type enable to go to the next mode in general. And now he can execute all the commands which are defined inside privilege level 2 automatically.

So we don’t need to specify them once again, so he can go and change the hostname; at the same time you can save the configurations, you can also execute show run or show startup-config because these commands are already defined in privilege level 2. So which means the user with privilege level 5 can automatically access all the commands defined in level 2. At the same time, he can also execute the commands which I defined here, like the ip route command, static routing, so he can make some changes in the static routes. He can go to the interface and shut down or no shut down the interface, and also he can go inside router mode and he can advertise specific networks. So let’s write some rough static routes.

So I don’t have any specific routes, so I can just write a rough static route. You can see it’s working; I can execute those commands. At the same time I can go to any one of the interfaces, so I’ll use the s1/1 interface, which I’m not using: shut down the interface or just simply say no shutdown. Suppose I’m on router 2, actually; anyway, I’m on router 1 via the VTY line, so you can go with the console and verify the same. So likewise I can also go inside, sorry, currently I’m on user5. At the same time I can also get into router mode and I can use router rip, but I cannot use version 2 because the version 2 command is not specifically defined inside here. So I cannot use version 2, but I can still advertise networks.
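The configuration walked through in this section, collected into one block as an added example (this is not the video’s own config dump); the AAA list name CCI is taken from the transcript, while the passwords are placeholders and the order of the privilege commands is an assumption:

```cisco
! Admin account first, so a mistake in the privilege commands cannot lock you out
username admin privilege 15 secret <ADMIN-PASSWORD>
! Users bound to privilege levels 2 and 5 (placeholder passwords)
username user2 privilege 2 secret <USER2-PASSWORD>
username user5 privilege 5 secret <USER5-PASSWORD>
!
! Level 2: the four commands that live in privileged EXEC mode
privilege exec level 2 show running-config
privilege exec level 2 show startup-config
privilege exec level 2 write memory
privilege exec level 2 configure terminal
! Level 2: hostname lives in global configuration mode, so the mode keyword is "configure"
privilege configure level 2 hostname
!
! Level 5 inherits everything at levels 1 and 2; only the extra commands are added,
! each under the mode it is typed in (configure / interface / router)
privilege configure level 5 ip route
privilege configure level 5 interface
privilege interface level 5 ip address
privilege interface level 5 shutdown
privilege configure level 5 router rip
privilege router level 5 network
! "version" under router rip is deliberately not granted, matching the test in the video
!
! AAA: authenticate against the local user database and authorize the EXEC shell
aaa new-model
aaa authentication login CCI local
aaa authorization exec CCI local
!
line vty 0 4
 login authentication CCI
 authorization exec CCI
```

After logging in over telnet, show privilege should report level 2 or 5, and a command outside the granted set (for example version 2 under router rip as user5) is rejected.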
