Cisco CCIE Security 350-701 – AAA Authorization
Authorization for device access. In the previous sections we saw how to authenticate users against the local or an external database. Now, once a user is authenticated, you may also want that user to be authorized. Authorization is more like restricting a user to specific commands after successful authentication. As an example, you may have different groups of engineers, say level one, level two and level three engineers, and you want to treat each group differently.
The group of level one engineers should be assigned only basic commands: they can run some basic show commands, ping or traceroute, some basic troubleshooting, but they cannot make any changes. So I want to make sure that the users in that group cannot make changes, and I want to restrict them to specific basic show commands. At the same time, I have a separate group of level two engineers, and I want them to be able to do everything the level one engineers can do.
In addition, they can make changes to the configuration, let’s say the routing configuration. They can change the routing protocol configuration, but they cannot change other things like VPNs or security settings, because we have a separate team to manage those. And they cannot erase any configuration. Likewise, we have level three engineers who can do almost all tasks, A to Z, except a few. Or you may have a security group of engineers whose responsibility is to change VPNs and ACLs; they can modify some policies, but they cannot change the routing configuration, let’s say.
So once the user is authenticated, it is very important to make sure they are also authorized, so that we can give a specific level of access to each user. These are the permissions we want to give, for example, to the security operator engineers. Again, just like authentication, we can use the local database: we create a user and assign something like a privilege level, and whenever the user types a command, the router compares that command against the user’s privilege level. We’ll talk more about this in the next videos.
Now, when a user types any specific command, the router checks which privilege level is assigned to that user and which commands are associated with that privilege level. Based on that, the user is able to execute only the commands defined in the privilege level associated with the user. And again, to do this we can use the local database: I can configure the privilege levels and define the commands on the router itself. We can do it all locally.
Privilege levels. Using IOS privilege levels, the administrator defines which commands a user can execute. Say I have a level one engineer and I want that engineer to be able to execute only basic show commands and basic ping or traceroute commands. I’ll create a user account and assign a privilege level to it, let’s say level two or level three, some number, and in that privilege level we define which commands the user may execute. So our job is to associate the user with a privilege level, and based on the commands the administrator has placed in that level, only those commands will be allowed. As I discussed, this authorization can be done either on the local device, where we create the privilege levels, define the commands and associate them with the user in the local database, or by using ACS servers (over TACACS+). Before we go ahead with the configuration, we need to understand the default IOS privilege levels. There are 16 levels, from zero to 15. Level zero is almost no access. Privilege level one is the default level of user mode, which is the first mode you see when you log in to the router.
In user mode you have only very basic commands, like some basic show commands. You can use ping and traceroute, but you cannot use all the show commands: you cannot use show running-config, and you cannot use show startup-config. If you want to execute all the show commands, you go to the next mode with the enable command. So by default, if you are in user mode, the level in that mode is level one. Once you use the enable command you go to the next mode, privileged mode (the hash prompt), and the user is automatically assigned level 15.
Level 15 is full access; the user can execute all the commands. The levels from two to 14 are referred to as customized levels. Customized levels are nothing but the levels in between: level one has only very basic commands and level 15 has full access, but you may want to give a user access to a specific set of commands, not all of them and not just the basic ones. So we can create something like level five and associate some commands with level five, and create level six and associate some commands with level six.
One drawback of privilege levels is that, by default, higher-level users inherit the lower levels. Say I have a user assigned level six: that user can automatically execute all the commands defined in privilege level five, but a level five user does not get access to the level six commands. We’ll talk more about this in the limitations. Let’s verify the same thing on the command line. On the router, if I say show run in my GNS3 setup, there is a preconfigured setup here: on the console line, my GNS3 lab has privilege level 15 preconfigured by default, which means anyone who logs in on the console automatically gets full access.
That’s the reason the first time I log in to the console it doesn’t drop me into user mode. So I disable that with no privilege level 15 and exit back out. The first mode you see on the console or on the VTY line is user mode. If I say show privilege, just to confirm what I discussed, the default privilege level is one. So any user who logs in at the user prompt has a default privilege level of one, unless a privilege level is preconfigured on specific lines. To go to the next mode we use the enable command, and if there is no enable password it lets you straight in. When I say show privilege here as well, level 15 is automatically assigned to any user.
So if you want, you can simply create one user account, admin, and that’s it. Then I go to my console or the VTY line and say login local, meaning any user who logs in on the console must authenticate against the local database; of course I can do the same thing on the VTY line, so let me do that. Or you can also enable AAA authentication. Now I go to router two and try to log in to router one over the VTY line. I log in with the user account, and you can see that the first time I am in user mode, and I check the privilege level. If I say enable, of course I cannot, because I don’t have an enable password. So I set the enable password on router one, and now if I say enable and verify again from the VTY line, the user gets privilege level 15 automatically. This is the default: any user account you create has a default privilege level of 15 while in privileged mode, and a privilege level of one while in user mode.
Suppose you create a user account with a privilege level: say I want the admin account to have privilege level 15 all the time, with a password of 123. Once you assign privilege level 15, or whenever you assign a user privilege level two or higher, if you log in again with the same user account you can see the user goes straight to privileged mode. And if I specify show privilege, you can see the user is at privilege 15, because I created the user account with privilege 15. So we can actually use customized privilege levels.
We’ll see more on this in the next videos. But these are the default settings: a user with privilege one is in user mode, and a user with privilege 15 is in privileged mode. You can also customize and associate users with specific privilege levels. Currently we didn’t create any commands, because privilege level one has predefined commands, and level 15 has predefined commands as well.
Now, if you want to assign specific commands, we need to understand the different modes. Say I have a level one engineer and I want to assign that user some privileged commands at, let’s say, privilege level two, and this user should be able to execute show startup-config and show running-config. You need to know which mode each of those commands belongs to, because to allow a command you have to specify the mode it lives in.
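As an added example (not the lesson’s own lab configuration), here is an IOS configuration that puts the pieces above together on one router: removing the console line’s preconfigured level 15, using the local database on the console and VTY lines, an admin account at level 15, and a customized level 2 that adds show running-config and show startup-config for a level-one engineer. The usernames, the placeholder secrets and the assumption that SSH is already set up are mine, not the lesson’s.

```cisco
! Added example, not the lesson's lab. Usernames and secrets are placeholders.
!
! --- Console: drop the lab default that hands everyone level 15 ---
line console 0
 no privilege level 15
 login local
!
! --- VTY lines: same local-database login (assumption: SSH already configured) ---
line vty 0 4
 login local
 transport input ssh
!
! --- Secret for "enable", so user mode (level 1) can reach level 15 ---
enable secret <PLACEHOLDER_ENABLE_SECRET>
!
! --- Admin account: any level above 1 lands directly at the # prompt ---
username admin privilege 15 secret <PLACEHOLDER_ADMIN_SECRET>
!
! --- Customized level 2: exec-mode show commands that level 1 cannot run ---
privilege exec level 2 show running-config
privilege exec level 2 show startup-config
!
! --- Level-one engineer account mapped to the custom level ---
username l1eng privilege 2 secret <PLACEHOLDER_L1_SECRET>
!
! Verification, typed after logging in as each user:
!   show privilege        -> "Current privilege level is 2" for l1eng, 15 for admin
!   show startup-config   -> allowed for l1eng (level 2) and for admin (level 15)
!   configure terminal    -> rejected for l1eng; it stays at level 15
! Higher levels inherit lower ones: admin at 15 runs every level-2 command,
! but l1eng at level 2 gets nothing that is defined at levels 3 to 15.
```

One caveat worth checking in your IOS release before handing this to a level-two user: the output of show running-config is itself filtered by privilege level, so the level-2 engineer sees only the configuration lines that are at or below level 2 rather than the whole file.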