Authorization comes into play after authentication. Authorization allows administrators to control the level of access users have after they successfully gain access to the router. Cisco IOS defines a set of access levels (called privilege levels) that control which IOS commands the user can issue. For example, a user with a privilege level of 0 cannot issue any IOS commands, whereas a user with a privilege level of 15 can perform all valid IOS commands. Either the router's local user database or a remote security server can assign the required privilege level.

Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user. AAA authorization assembles a set of attributes that describes what the user is authorized to perform.

These attributes are compared with the information contained in a database for a given user, and the result is returned to AAA to determine the user's actual permissions and restrictions.
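The following configuration is an added example, not from the book or from Cisco documentation, showing how the two sources of privilege levels described above fit together: a TACACS+ server is consulted first for EXEC and command authorization, and the router's local user database (with explicitly assigned privilege levels) is used as the fallback. The server name TAC1, the address 192.0.2.10, the user names and all secrets are placeholders chosen for the example; the AV pair names in the comments (priv-lvl for TACACS+, shell:priv-lvl inside cisco-avpair for RADIUS) are the standard attributes used to return a privilege level.

```cisco
! Added example configuration (not the book's own); placeholders in <...>
aaa new-model
!
! Remote security server (address and key are placeholders)
tacacs server TAC1
 address ipv4 192.0.2.10
 key <SHARED-SECRET>
!
aaa group server tacacs+ TAC-GROUP
 server name TAC1
!
! Authenticate first, then authorize: ask TACACS+ for the EXEC session and
! for level-15 commands; fall back to the local database if the server is down.
! On the TACACS+ side the user's shell service returns priv-lvl=15 (or 5);
! a RADIUS server would return cisco-avpair = "shell:priv-lvl=15".
aaa authentication login default group TAC-GROUP local
aaa authorization exec default group TAC-GROUP local
aaa authorization commands 15 default group TAC-GROUP local
!
! Local fallback users; the privilege keyword is the locally granted level
username helpdesk privilege 5 secret <HELPDESK-SECRET>
username admin privilege 15 secret <ADMIN-SECRET>
!
! Move selected commands down from level 15 to level 5 so a helpdesk
! user can run them without receiving full level-15 access
privilege exec level 5 clear counters
privilege exec level 5 clear line
!
! Enable secrets for entering level 5 and level 15 interactively
enable secret level 5 <LEVEL5-SECRET>
enable secret <LEVEL15-SECRET>
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
```

After the helpdesk user logs in, show privilege reports "Current privilege level is 5": clear counters is accepted, but configure terminal is rejected because it remains at level 15. Log in as admin (or enter enable with the level-15 secret) and the same command reports level 15. The local keyword at the end of each aaa authorization line matters for operations: without it, loss of the TACACS+ server leaves no way to authorize an EXEC session at all.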

You can display the user's privilege level on a Cisco router with the show privilege command. Example 5-2 displays the privilege level when the enable password has already been entered.

Example 5-2 show privilege Command

R1#show privilege
Current privilege level is 15

The higher the privilege, the more capabilities a user has with the IOS command set.
