AAA, just not getting it!

Discussion in 'Network Security' started by sammy_bibs, Aug 7, 2009.

    Ok so the CCNA/S seemed the next best choice as CCNP is a bit heavy atm, but the book I am going through is pretty crap with AAA. I will start with what I get & follow with where it does not make sense;

    Ok so to start off (router with no configs & enable password as cisco)

    aaa new-model
    username XYZ password ABC
    aaa authentication login default local


    So that's basic authentication on, logging in with the username & password above;

    Then you can go on to create method list to use on interfaces;

    aaa authen login admin local
    aaa authen login users local


    So now we have two method lists that we could apply to interfaces, so let's say we add the method list users to line vty 0 4:

    conf t
    line vty 0 4
    login authentication users


    So at this point you telnet in & the router prompts you for the local username & password as defined in the users method list & we're in.


    Now authorisation is the problem. What I want is, for example, to have three users:

    -User
    -Helpdesk
    -Admin

    Via the local database they will log in as defined in a method list or the default aaa setting, but I just don't get setting up levels of administration that they can perform. The commands I have played with are:

    aaa authorization commands 15 admin local
    aaa authorization commands 7 helpdesk local
    aaa authorization commands 1 user local

    Which seems to add levels of administration to the method lists, not to user accounts. What I am trying to achieve is:

    Setting levels of access allowed to the user accounts (as applying them to the method list makes no sense to me, as they are simply links to user databases) and modifying the levels of access (i.e. adding all show commands to users; all debug, router and interface commands to helpdesk; & everything else to admins).

    I appreciate this is a bit of a long post, but just wanted you to know where I was at in my line of thought.

    Cheers in advance,

    Sam

    Update: been playing with parser view.

    enable view
    conf t
    parser view user
    secret user
    commands exec include ping


    This allows me to log in to enable mode via 'enable view user', which gives me the control I want, but it still does not achieve what I wanted with aaa. Is there a way to combine the two so that I only have to put in my login credentials once, rather than put them in and then use 'enable view XXX' to get to the allowed exec prompt???
     
    Certifications: CCNA, CCNP, SCSA, MCSA, BSc
    WIP: IINS
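The two things the post is reaching for, per-account privilege and landing a user directly in a restricted view at login, are both driven by the username entry plus an exec authorization method list, not by the "aaa authorization commands" lists. The IOS configuration below is an added example written for this page; it is not from the original post, the forum, or Cisco documentation. The hostnames, usernames, passwords and view names are assumptions, it assumes an IOS release that supports role-based CLI views (12.3(7)T or later) and local-only AAA, and the two approaches are alternatives: apply one set of username lines, not both.

```cisco
! Added example, not from the post: local AAA with per-account access
! levels. Assumes a standalone router, no RADIUS/TACACS+, IOS 12.4+.
!
! Common base. "aaa authorization exec" is the piece the post is missing:
! without it, the privilege level or view stored on the username is never
! applied when the user logs in.
aaa new-model
enable secret cisco
aaa authentication login default local
aaa authorization exec default local
!
! Approach 1: privilege levels (coarse and hierarchical: level 7 gets
! everything level 1 has plus what you move down to 7).
! Level 1 already holds most "show" commands, so "user" needs nothing.
privilege exec level 7 debug
privilege exec level 7 configure terminal
privilege configure level 7 interface
privilege configure level 7 router
!
! The level is an attribute of the account, not of a method list.
username user privilege 1 secret user-pw
username helpdesk privilege 7 secret helpdesk-pw
username admin privilege 15 secret admin-pw
!
! Approach 2: role-based CLI views (finer, non-hierarchical).
! Views are created from the root view: at the exec prompt type
! "enable view", give the enable secret, then "configure terminal".
parser view user
 secret user-view-pw
 commands exec include all show
 commands exec include ping
!
parser view helpdesk
 secret helpdesk-view-pw
 commands exec include all show
 commands exec include all debug
 commands exec include configure terminal
 commands configure include all interface
 commands configure include all router
!
! Bind each account to its view (if you use this approach, omit the
! "privilege N" username lines above). Because exec authorization is on,
! the user is placed in the view at login, so there is no second
! "enable view <name>" step and no second set of credentials.
username user view user secret user-pw
username helpdesk view helpdesk secret helpdesk-pw
!
! Apply the default lists to the terminal lines.
line vty 0 4
 login authentication default
 authorization exec default
```

Two checks worth doing after applying this. First, "show privilege" (approach 1) or "show parser view" (approach 2) from a test session confirms what the login actually landed in; if it shows level 1 or no view, the exec authorization line is missing or a line-specific "authorization exec" list is overriding it. Second, remember that "aaa authorization commands 15 ..." against the local database does nothing useful, since the local database carries no per-command attributes; it only matters with a TACACS+ server, which is why it looked like it was attaching levels to method lists rather than to users.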
