Section 11 – IP Services – 4 Points
11.1 Local Authorization
Set r2’s default privilege level to 0 for telnet users. Allow them to also ping and traceroute. If they need level 1 access, then have them authenticate with the password CISCO prior to being given access.
This is easy except for that last bit, which I couldn't get my head around at first. It turns out to be easy as well: you just need to set a privilege level on the enable secret:
r2(config)#enable secret level 1 CISCO
r2#sh privilege
Current privilege level is 15
r2#disable 0
r4>?
Exec commands:
<1-99> Session number to resume
disable Turn off privileged commands
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
logout Exit from the EXEC
ping Send echo messages
traceroute Trace route to destination
Normal commands available at privilege level 0:
r4#disa 0
r4>?
Exec commands:
call Voice call
disable Turn off privileged commands
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
logout Exit from the EXEC
r4>
I could not get the “CISCO” password to work.
r2#sh run | i enabl
enable secret level 1 5 $1$2rnn$RVQJmvNqbzBPxtZhsm7Ga0
enable password cisco
I tried to use a ‘non-secret’ method, but the IOS cried “foul”:
r2(config)#enable pass level 1 CISCO
% Converting to a secret. Please use “enable secret” in the future.
r2(config)#do sh run | i enable
enable secret level 1 5 $1$smcE$u7rQfwYvoPYAtd7.d38qO/
enable password cisco
Hmmmm... I telnetted in and found that I needed to specify level 1 explicitly, and then it worked:
r2>enable 1
Password: CISCO
r2>sh privi
Current privilege level is 1
r2>?
Exec commands:
<1-99> Session number to resume
access-enable Create a temporary Access-List entry
access-profile Apply user-profile to interface
clear Reset functions
connect Open a terminal connection
crypto Encryption related commands.
disable Turn off privileged commands
disconnect Disconnect an existing network connection
dot11 IEEE 802.11 commands
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
lat Open a lat connection
lock Lock the terminal
login Log in as a particular user
--output truncated--
11.2 Local Authorization
Set up NOC users to telnet to r5 at privilege level 1, but allow them to be able to “turn on and disable RIP debugging”.
I.e., just give level 1 the ability to debug ip rip and to stop all debugs:
privilege exec level 1 debug ip rip
privilege exec level 1 undebug all
r5#ena 1
r5>debug ip ?
rip RIP protocol transactions
What's odd is that the IOS added a few more privileges (including the dreaded "debug all"):
r5(config)#do sh run | i privilege exec
privilege exec level 1 undebug ip rip
privilege exec level 1 undebug ip
privilege exec level 1 undebug all
privilege exec level 1 undebug
privilege exec level 1 debug ip rip
privilege exec level 1 debug ip
privilege exec level 1 debug all <-yikes
privilege exec level 1 debug
r5>debug all
This may severely impact network performance. Continue? (yes/[no]):
I guess that we are to assume that only the NOC will be telnetting to the device:
r2#telnet 150.1.5.5
Trying 150.1.5.5 … Open
User Access Verification
Password:
r5>sh privi
Current privilege level is 1
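As an added example (not the post's own commands, and not Cisco code), here is a small Python auditor for the two things these notes touch on: whether the enable credential for each level is a hashed "enable secret" or a plaintext "enable password", and which commands a "privilege exec level N" line really reaches, including the parent keywords IOS writes back into the config (the extra "debug ip" / "debug" lines above). It assumes the config is available as text, such as pasted "show run" output; the sample config and the secret hash are constructed placeholders, and the list of "broad" commands is my own judgement call.

```python
"""Audit the privilege-level parts of an IOS running-config.

Added example for this post (not the author's or Cisco's code). It models two
things the lab notes show: 'enable secret level N' vs. a plaintext 'enable
password', and 'privilege exec level N <command>' lines, including the parent
keywords IOS writes back into the config when a longer command is granted.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the post's 'show run' output; the hash is a placeholder.
SAMPLE_RUNNING_CONFIG = """\
hostname r5
enable secret level 1 5 $1$PLCH$placeholderhashvalue
enable password cisco
privilege exec level 1 undebug ip rip
privilege exec level 1 undebug all
privilege exec level 1 debug ip rip
privilege exec level 1 debug all
privilege exec level 15 configure terminal
"""

ENABLE_RE = re.compile(r"^enable (secret|password)(?: level (\d+))?(?: (\d+))? (\S+)$")
PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")

HASHED_TYPES = {5, 8, 9}  # md5-crypt, PBKDF2-SHA256, scrypt: not reversible
# Commands whose effect is router-wide; granting them below 15 deserves a second look.
BROAD_COMMANDS = {"debug all", "configure terminal", "reload", "write"}


@dataclass
class Finding:
    severity: str
    message: str


def parse_enable_lines(config: str):
    """Return (kind, level, encoding_type, value) for each enable secret/password line.

    A missing 'level' means 15; a missing encoding type means type 0 (plaintext).
    """
    out = []
    for line in config.splitlines():
        m = ENABLE_RE.match(line.strip())
        if m:
            kind, level, enc, value = m.groups()
            out.append((kind, int(level) if level else 15, int(enc) if enc else 0, value))
    return out


def parse_privilege_lines(config: str):
    """Return (mode, level, command) for each 'privilege <mode> level N <command>' line."""
    out = []
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            mode, level, command = m.groups()
            out.append((mode, int(level), " ".join(command.split())))
    return out


def implied_commands(command: str):
    """Every prefix of the command, shortest first: 'debug ip rip' -> debug, debug ip, debug ip rip.

    IOS assigns the parent keywords the same level so the user can reach the leaf,
    which is why the post's 'show run' grew extra 'privilege exec' lines.
    """
    words = command.split()
    return [" ".join(words[: i + 1]) for i in range(len(words))]


def effective_levels(config: str, mode: str = "exec"):
    """Map each granted command (and its implied parents) to the lowest level that reaches it."""
    levels = {}
    for m, level, command in parse_privilege_lines(config):
        if m != mode:
            continue
        for prefix in implied_commands(command):
            levels[prefix] = min(level, levels.get(prefix, 15))
    return levels


def audit(config: str):
    """Return findings for weak enable credentials and broad commands granted below level 15."""
    findings = []
    for kind, level, enc, _value in parse_enable_lines(config):
        if enc not in HASHED_TYPES:
            findings.append(Finding(
                "high",
                f"enable {kind} for level {level} is stored as type {enc} "
                "(plaintext or reversible); replace it with 'enable secret'",
            ))
    for mode, level, command in parse_privilege_lines(config):
        if level < 15 and command in BROAD_COMMANDS:
            findings.append(Finding(
                "medium",
                f"'{command}' ({mode} mode) is reachable at privilege level {level}",
            ))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RUNNING_CONFIG):
        print(f"[{f.severity}] {f.message}")
    for cmd, lvl in sorted(effective_levels(SAMPLE_RUNNING_CONFIG).items()):
        print(f"level {lvl:>2}: {cmd}")
```

Run against the sample it reports the plaintext "enable password cisco" and "debug all" at level 1, and the effective-level table shows "debug" and "debug ip" landing at level 1 alongside "debug ip rip". Pointing it at a real "show run" capture is the quickest way to see which levels a NOC account can actually reach before anyone telnets in.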
Privilege level access has this problem.
Since 12.4 (I guess), Cisco has introduced a new method that gives way more control to the administrator on what and what not to allow for different levels.
In privilege levels, once you allow, for example, show ip int brief, all show ip — commands are enabled.
Role-based CLI can include a particular command, include all commands starting with a phrase, exclude a particular command, and even import a level into another level, allowing hierarchical configuration (levels are called views here).
You should check that feature. It's actually very cool. :)
Comment by Barooq — August 2, 2008 @ 1:11 pm