Cisco Routers And AAA (Part 2 - Authorization)
CCNA Security Certification And CCNP SWITCH Tutorial:
The "Authorization" In AAA
Chris Bryant, CCIE #12933
In the first installment of this CCNA Security AAA tutorial, we took a look at the first "A" - Authentication - and defined exactly what role that "A" plays in network security.
Today's "A" is for Authorization - and the natural question is "Aren't Authentication and Authorization the same thing?"
Not quite! Authentication decides whether a given user should be allowed into the network; Authorization dictates what users can do once they are in.
The aaa authorization command creates a user profile that is checked when a user attempts to use a particular command or service.
As with Authentication, we'll have the option of creating a default list or a named list, and naturally AAA must be globally enabled with the aaa new-model command before you begin your Authorization configuration.
R1(config)#aaa new-model
R1(config)#aaa authorization ?
auth-proxy For Authentication Proxy Services
commands For exec (shell) commands.
config-commands For configuration mode commands.
configuration For downloading configurations from AAA server
exec For starting an exec (shell).
network For network services. (PPP, SLIP, ARAP)
reverse-access For reverse access connections
R1(config)#aaa authorization exec ?
WORD Named authorization list.
default The default authorization list.
R1(config)#aaa authorization exec default ?
group Use Server-group
if-authenticated Succeed if user has authenticated.
local Use local database.
none No authorization (always succeeds).
Now we're going to revisit an old CCNA friend... privilege levels.
Privilege Levels And AAA Authorization
Privilege levels define what commands a user can actually run on a router. There are three predefined privilege levels on Cisco routers, two of which you've been using since you started your Cisco studies - even if you didn't know it!
When you're in user exec mode, you're actually in privilege level 1, as verified with show privilege:
R2>show privilege
Current privilege level is 1
By moving to privileged exec mode with the enable command, you move from level 1 to level 15, the highest level:
R2>show privilege
Current privilege level is 1
R2>enable
R2#show privilege
Current privilege level is 15
There's actually a third predefined privilege level, Level Zero, which allows the user to run the commands exit, logout, disable, and enable. Obviously, a user at Level Zero can't do much.
There's a huge gap in network access between levels 1 and 15, and the remaining levels 2-14 can be configured to fill that gap.
Levels 2 - 14 can be configured to allow a user assigned a particular privilege level to run some commands, but not all of them.
Assume you have a user who should not be allowed to use the ping command, which by default can be run from privilege level 1:
R2>ping 172.1.1.1 (Success of the ping has been edited)
By moving the ping command to privilege level 5, a user must have at least that level of privilege in order to use ping. To change the privilege level of a command, use the privilege command. (IOS Help shows approximately 30 options following privilege, so I won't put all of those here.)
R2(config)#privilege ?
address-family Address Family configuration mode
configure Global configuration mode
congestion Frame Relay congestion configuration mode
dhcp DHCP pool configuration mode
exec Exec mode
R2(config)#privilege exec ?
level Set privilege level of command
reset Reset privilege level of command
R2(config)#privilege exec level ?
<0-15> Privilege level
R2(config)#privilege exec level 5 ?
LINE Initial keywords of the command to modify
R2(config)#privilege exec level 5 ping
A user must now have at least a privilege level of 5 to send a ping. Let's test that from both level 1 and 15.
First, from level 1:
R2>ping 172.1.1.1
^
% Invalid input detected at '^' marker.
And now from level 15:
R2#ping 172.1.1.1 (Success of ping edited)
Note that the user at Level 1 is not told that the command is being denied because of privilege level; the router simply reports invalid input, exactly as it would for a command that does not exist. The ping works successfully from Level 15.
There are two options for assigning privilege levels to users, one involving AAA and one not. To enable AAA Authorization to use privilege levels, use the aaa authorization command followed by the appropriate option:
R2(config)#aaa authorization ?
auth-proxy For Authentication Proxy Services
commands For exec (shell) commands.
config-commands For configuration mode commands.
configuration For downloading configurations from AAA server
exec For starting an exec (shell).
network For network services. (PPP, SLIP, ARAP)
reverse-access For reverse access connections
The full command to use the TACACS+ server for privilege level 5 command authorization, followed by the local database, is as follows:
R2(config)#aaa authorization commands 5 default group tacacs+ local
Getting authorization to work exactly the way you want it to does take quite a bit of planning and testing due to the many options. Don't become (too) frustrated if you don't get the desired results the first time around - this usually takes a bit of fine-tuning.
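The order of the methods in that command matters more than it might look. As an added example (not Cisco's code, and not part of the original tutorial), the following Python model walks a method list the way IOS does: a method's PASS or FAIL answer is final, and only an ERROR (for instance the TACACS+ server not answering) moves on to the next method. That makes local a fallback for an unreachable server, not a second chance after the server has rejected the command. The server state, user names, policy and privilege levels below are constructed.

```python
"""Model of how an IOS AAA authorization method list such as
'aaa authorization commands 5 default group tacacs+ local' is evaluated.
Added example, not Cisco code: the PASS/FAIL/ERROR outcomes follow the
documented method-list behaviour; all data below is constructed."""
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class Outcome(Enum):
    PASS = "pass"    # method authorized the request
    FAIL = "fail"    # method answered and explicitly denied the request
    ERROR = "error"  # method could not answer (e.g. server unreachable)


# A method takes (user, command) and returns an Outcome.
Method = Callable[[str, str], Outcome]


def tacacs_group(reachable: bool, permitted: Dict[str, Set[str]]) -> Method:
    """Stand-in for 'group tacacs+'. An unreachable server yields ERROR;
    otherwise the server PASSes only the commands its policy allows."""
    def method(user: str, command: str) -> Outcome:
        if not reachable:
            return Outcome.ERROR
        return Outcome.PASS if command in permitted.get(user, set()) else Outcome.FAIL
    return method


def local_db(user_levels: Dict[str, int], command_levels: Dict[str, int]) -> Method:
    """Stand-in for 'local': a user may run a command whose privilege level is
    at or below the level from their 'username ... privilege N' entry."""
    def method(user: str, command: str) -> Outcome:
        if user not in user_levels:
            return Outcome.FAIL
        needed = command_levels.get(command, 1)  # most exec commands default to level 1
        return Outcome.PASS if user_levels[user] >= needed else Outcome.FAIL
    return method


def none_method(user: str, command: str) -> Outcome:
    """Stand-in for 'none': always succeeds."""
    return Outcome.PASS


def walk_method_list(methods: List[Tuple[str, Method]], user: str, command: str):
    """Evaluate the list as IOS does: PASS or FAIL from any method is final,
    only ERROR moves on to the next method, and if every method ERRORs the
    request is denied. Returns (authorized, trace of (method name, outcome))."""
    trace: List[Tuple[str, Outcome]] = []
    for name, method in methods:
        outcome = method(user, command)
        trace.append((name, outcome))
        if outcome is not Outcome.ERROR:
            return outcome is Outcome.PASS, trace
    return False, trace


def build_from_config(line: str, tacacs_up: bool, tacacs_policy: Dict[str, Set[str]],
                      user_levels: Dict[str, int], command_levels: Dict[str, int]):
    """Turn the method keywords of an 'aaa authorization ...' line into the
    ordered list of callables above. Only group, local and none are modelled."""
    tokens = line.split()
    i = tokens.index("authorization") + 1
    i += 2 if tokens[i] == "commands" else 1  # skip service keyword (and level for 'commands')
    i += 1                                    # skip the list name ('default' or a WORD)
    methods: List[Tuple[str, Method]] = []
    while i < len(tokens):
        if tokens[i] == "group":
            methods.append((f"group {tokens[i + 1]}", tacacs_group(tacacs_up, tacacs_policy)))
            i += 2
        elif tokens[i] == "local":
            methods.append(("local", local_db(user_levels, command_levels)))
            i += 1
        elif tokens[i] == "none":
            methods.append(("none", none_method))
            i += 1
        else:
            raise ValueError(f"unsupported method keyword: {tokens[i]}")
    return methods


# Constructed scenario: the tutorial's method list, user chris at level 5,
# ping moved to level 5, and a TACACS+ policy that permits chris nothing.
CONFIG_LINE = "aaa authorization commands 5 default group tacacs+ local"
USER_LEVELS = {"chris": 5, "bob": 1}
CMD_LEVELS = {"ping": 5}
TACACS_POLICY: Dict[str, Set[str]] = {"chris": set()}


def scenario(tacacs_up: bool, user: str = "chris", command: str = "ping"):
    methods = build_from_config(CONFIG_LINE, tacacs_up, TACACS_POLICY, USER_LEVELS, CMD_LEVELS)
    return walk_method_list(methods, user, command)


if __name__ == "__main__":
    print("server up:  ", scenario(True))   # TACACS+ FAIL is final; local never consulted
    print("server down:", scenario(False))  # ERROR falls through; local PASSes chris
    print("bob, down:  ", scenario(False, "bob"))  # local denies level 1 for a level 5 command
```

The point to take from the trace is that the local method is reached only in the second scenario. If the TACACS+ server answers with a denial, the local database is never consulted, even though it would have allowed the command.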
Privilege levels can also be assigned via the router's local database. To do so, use the privilege option in the middle of the username/password command.
R2(config)#username chris privilege 5 password bryant
That would assign a privilege level of 5 to that particular user, and they could use all commands that have a privilege level of 5 or lower, not just the commands with a privilege level of exactly 5.
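To see the "5 or lower" rule and the privilege command applied across a whole configuration, here is an added Python example (not Cisco's code and not part of the tutorial) that parses the privilege and username lines of a running-config, works out the level each command line needs, and reports which overridden commands each local user can and cannot run. The sample configuration is constructed; the level-1 default for commands that have not been moved, and the treatment of a privilege entry as a command prefix, are assumptions of the model.

```python
"""Audit the privilege-level model of an IOS configuration. Added example,
not Cisco code; the sample config below is constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Commands the tutorial lists as available at level 0. Anything not moved by
# a 'privilege' command is assumed to default to level 1 in this model.
LEVEL0_COMMANDS = {"exit", "logout", "disable", "enable"}

PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+)$")
RESET_RE = re.compile(r"^privilege\s+(\S+)\s+reset\s+(.+)$")
USER_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")

CommandLevels = Dict[Tuple[str, str], int]   # (mode, command prefix) -> level


def parse_config(text: str) -> Tuple[Dict[str, int], CommandLevels]:
    """Return (user_levels, command_levels) from the 'username' and
    'privilege <mode> level' lines. A 'privilege <mode> reset' line removes
    an earlier override; a username without 'privilege' is level 1."""
    users: Dict[str, int] = {}
    commands: CommandLevels = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := PRIV_RE.match(line):
            commands[(m.group(1), m.group(3).strip())] = int(m.group(2))
        elif m := RESET_RE.match(line):
            commands.pop((m.group(1), m.group(2).strip()), None)
        elif m := USER_RE.match(line):
            users[m.group(1)] = int(m.group(2)) if m.group(2) else 1
    return users, commands


def required_level(commands: CommandLevels, mode: str, command_line: str) -> int:
    """Level needed for a full command line: the longest configured prefix in
    that mode wins; otherwise 0 for the level-0 set and 1 for everything else.
    Assumption: the keyword-promotion side effects of multi-word 'privilege'
    entries are not modelled."""
    words = command_line.split()
    best: Optional[Tuple[int, int]] = None  # (prefix length, level)
    for (m, prefix), level in commands.items():
        p = prefix.split()
        if m == mode and words[:len(p)] == p and (best is None or len(p) > best[0]):
            best = (len(p), level)
    if best is not None:
        return best[1]
    return 0 if words and words[0] in LEVEL0_COMMANDS else 1


def can_run(users: Dict[str, int], commands: CommandLevels, user: str,
            command_line: str, mode: str = "exec") -> bool:
    """True if the user's configured level meets the command's level.
    Unknown users are denied."""
    if user not in users:
        return False
    return users[user] >= required_level(commands, mode, command_line)


def audit(users: Dict[str, int], commands: CommandLevels) -> Dict[str, Dict[str, List[str]]]:
    """For every local user, list the exec commands moved by 'privilege' that
    they may and may not run, so level assignments can be reviewed at a glance."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for user, level in users.items():
        exec_cmds = {cmd: lvl for (m, cmd), lvl in commands.items() if m == "exec"}
        report[user] = {
            "allowed": sorted(c for c, lvl in exec_cmds.items() if level >= lvl),
            "denied": sorted(c for c, lvl in exec_cmds.items() if level < lvl),
        }
    return report


# Constructed running-config excerpt built around the tutorial's commands.
SAMPLE_CONFIG = """
hostname R2
aaa new-model
privilege exec level 5 ping
privilege exec level 5 traceroute
privilege exec level 10 show running-config
username chris privilege 5 password bryant
username helpdesk password h3lp
username admin privilege 15 secret 0 s3cret
"""

if __name__ == "__main__":
    users, commands = parse_config(SAMPLE_CONFIG)
    for user, entry in audit(users, commands).items():
        print(f"{user} (level {users[user]}): allowed {entry['allowed']}, denied {entry['denied']}")
    print("chris ping:", can_run(users, commands, "chris", "ping 172.1.1.1"))
    print("helpdesk ping:", can_run(users, commands, "helpdesk", "ping 172.1.1.1"))
```

Running the audit against a real configuration is a quick way to catch a privilege level that was raised for one command but left a user with more than intended, since a level 5 user is allowed every command at levels 0 through 5, not only the ones moved to 5.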
The Authorization feature of AAA can also assign IP addresses and other network parameters to Mobile IP users. How this occurs is beyond the scope of the CCNA Security or ISCW exam, but you can refer to RFC 2905 for more details. Perhaps more details than you'd like to know!
Two "A"s down, one to go! We'll take on the third "A" in the next CCNA Security / CCNP ISCW tutorial.
Thanks for making The Bryant Advantage part of your CCNA Security and CCNP studies!
Chris Bryant
CCIE #12933
"The Computer Certification Bulldog"