
AAA, just not getting it!

Discussion in 'Network Security' started by sammy_bibs, Aug 7, 2009.

  sammy_bibs (Bit Poster)

    Ok so the CCNA/S seemed the next best choice as CCNP is a bit heavy atm, but the book I am going through is pretty crap with AAA. I will start with what I get and follow with where it does not make sense:

    Ok so to start off (router with no configs and enable password as cisco):

    aaa new-model
    username XYZ password ABC
    aaa authentication login default local

    So that's basic authentication on, logging in with the username and password above.

    Then you can go on to create method lists to use on interfaces:

    aaa authentication login admin local
    aaa authentication login users local

    So now we have two method lists that we could apply to interfaces. Let's say we add the method list users to line vty 0 4:

    conf t
    line vty 0 4
    login authentication users

    So at this point you telnet in and the router prompts you for the local username and password as defined in the users method list, and we're in.

    Now authorisation is the problem. What I want, for example, is to have three users:


    Via the local database they will log in as defined in a method list or the default aaa setting, but I just don't get setting up the levels of administration that they can perform. The commands I have played with are:

    aaa authorization commands 15 admin local
    aaa authorization commands 7 helpdesk local
    aaa authorization commands 1 user local

    Which seems to add levels of administration to the method lists, not to user accounts. What I am trying to achieve is:

    Setting levels of access allowed to the user accounts (as applying them to the method list makes no sense to me, since they are simply links to user databases) and modifying the levels of access (i.e. adding all show commands to users; all debug, router and interface commands to helpdesk; and everything else to admins).

    I appreciate this is a bit of a long post, but I just wanted you to know where I was at in my line of thought.

    Cheers in advance,


    Update: been playing with parser view:

    enable view
    conf t
    parser view user
    secret user
    commands exec include ping

    This allows me to log in to enable mode via 'enable view user', which gives me the control I want, but it still does not achieve what I wanted with aaa. Is there a way to combine the two so that I only have to put in my login credentials once, rather than put them in and then use 'enable view XXX' to get to the exec allowed prompt???
    Certifications: CCNA, CCNP, SCSA, MCSA, BSc
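The following is an added example (not the poster's configuration) of how the two mechanisms above are normally tied together on Cisco IOS: the local `username` entry carries either a privilege level or a parser view, and `aaa authorization exec default local` applies it at login, so the user lands in the right view or level without a separate 'enable view' step. The view and user names, the command set per role and all passwords are assumptions (placeholders); that `username ... view` plus exec authorization puts the user straight into the view is my understanding of IOS role-based CLI access and should be confirmed on the IOS version in use.

```cisco
! Added example, not from the original post. All passwords are placeholders.
aaa new-model
!
! Local user database. Each account carries a privilege level or a parser
! view, so what the user may run is decided by the account, not by the
! method list (the method list only says "check the local database").
username admin    privilege 15 secret ADMIN-PASSWORD-PLACEHOLDER
username helpdesk privilege 7  secret HELPDESK-PASSWORD-PLACEHOLDER
username user     view user    secret USER-PASSWORD-PLACEHOLDER
!
! Authenticate against the local database, then authorise the exec session
! from the same entry: the level or view is applied at login, with no
! 'enable view <name>' step afterwards.
aaa authentication login default local
aaa authorization exec default local
!
! Helpdesk (level 7): debug, plus interface and router configuration,
! are moved down from level 15 so a level-7 login can run them.
! All show commands are already at level 1.
privilege exec level 7 debug
privilege exec level 7 configure terminal
privilege configure level 7 interface
privilege configure level 7 router
!
! User: a parser view that allows only ping and the show commands.
! Views are created from the root view ('enable view', needs an enable secret).
parser view user
 secret USER-VIEW-PASSWORD-PLACEHOLDER
 commands exec include ping
 commands exec include all show
!
line vty 0 4
 login authentication default
 transport input ssh
```

Before closing the session you configured this from, log in from a second session as each account and check with `show privilege` (and, for the view user, `show parser view`) that the right level or view was applied; exec authorization against the local database locks out any account that has no matching `username` entry.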
