Subject: RE: execute a command after user login

Hi Ryan,

You can use AAA as well to set the terminal escape-character.

aaa new-model
aaa authentication login vty local
aaa authorization exec vty local
!
username c privilege 15 password 7 c
username c autocommand terminal escape Z
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
line vty 0 4
 authorization exec vty
 login authentication vty
 autocommand-options nohangup

With AAA you will need authorization as well, otherwise the autocommand will not be processed. See the output below.

BB3(config)#do deb aaa author
AAA Authorization debugging is on
BB3(config)
BB3(config)#do telnet 1.1.1.1
Trying 1.1.1.1 ... Open

User Access Verification

Username: c
Password:
"Z" is the escape character
BB3#
Aug 20 12:41:56.579: AAA/BIND(0000001D): Bind i/f
Aug 20 12:41:57.959: AAA/AUTHOR (0x1D): Pick method list 'vty'
Aug 20 12:41:57.959: AAA/AUTHOR/EXEC(0000001D): processing AV cmd=
Aug 20 12:41:57.959: AAA/AUTHOR/EXEC(0000001D): processing AV autocmd=terminal escape Z
Aug 20 12:41:57.959: AAA/AUTHOR/EXEC(0000001D): processing AV priv-lvl=15
Aug 20 12:41:57.959: AAA/AUTHOR/EXEC(0000001D): Authorization successful
exit

[Connection to 1.1.1.1 closed by foreign host]
BB3(config)#no aaa author
BB3(config)#no aaa authorization exec vty local
BB3(config)#
BB3(config)#do telnet 1.1.1.1
Trying 1.1.1.1 ... Open

User Access Verification

Username: c
Password:
Aug 20 12:42:21.815: AAA/BIND(0000001E): Bind i/f
BB3>
Aug 20 12:42:23.287: AAA/AUTHOR (0000001E): Method list id=53000007 not configured. Skip author
BB3>
BB3>

---

---------- Forwarded message ----------
From: kevin gannon
To: mikenoc@mindspring.com
Date: Sat, 8 Oct 2005 11:36:33 +0100
Subject: Re: Privilege Level on routers

Mike

Did some testing, and if you don't use a local username/password but just have

line vty 0 4
 login
 priv 15

this works fine. However, with a local username it doesn't work like that.
So below is my solution using AAA without a TACACS/RADIUS server:

aaa authentication login default local
aaa authorization exec default none
aaa session-id common
ip subnet-zero
!
line vty 0 4
 privilege level 15

It works fine for me. Your mileage might vary depending on what else you need AAA to do for you.

----

Thanks! That was the ticket! It's working as expected. The interesting thing about this is that the "console" command is a hidden command on my load, not viewable with the ?. This leaves me to wonder why there wouldn't be a similar config for the vty, as it appears to work without this modification. Interesting!

Dave Schulz
Email: dschulz@dpsciences.com

-----Original Message-----
From: Kulcsar Andras Benjamin [mailto:Kulcsar.Andras@lnx.hu]
Sent: Wednesday, October 12, 2005 9:17 AM
To: Schulz, Dave; ccielab@groupstudy.com
Subject: RE: AAA vs. Non-AAA privileges

Hi Dave,

Try the "aaa authorization console" command.

Regards,
Andras Kulcsar

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Schulz, Dave
Sent: Wednesday, October 12, 2005 3:10 PM
To: Gustavo Novais; ccielab@groupstudy.com
Subject: RE: AAA vs. Non-AAA privileges

Thanks, Gustavo. I appreciate the suggestions. I tried it and this fixes the issues on vty ports, but the console still allows access to level 15 with a level 7 password. Here is the new config:

hostname R2
!
aaa new-model
aaa authentication login con local
aaa authorization exec con local
!
username level15 privilege 15 password 0 level15
username level7 privilege 7 password 0 level7
!
interface Serial0
 ip address 192.168.1.2 255.255.255.0
!
privilege exec level 7 show
!
line con 0
 authorization exec con
 login authentication con
line aux 0
line vty 0 4
 authorization exec con
 login authentication con
!
end

---

---------- Forwarded message ----------
From: "Tim"
To: "'Ed Lui'", , "'Peter McCreesh'"
Date: Wed, 18 Jan 2006 13:24:33 -0500
Subject: RE: How to disable the "Last configuration change at xxx" in configuration?

While reading the Cisco Cookbook, I became interested in the same topic. Unfortunately, the example doesn't directly answer the original question; however, it does provide an example of how to see when and who made the last changes.

3.1.1 Problem

You want to assign individual (or group) user IDs and passwords to network staff.

3.1.2 Solution

Use the following set of configuration commands to enable locally administered user IDs:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#username ijbrown password oreilly
Router1(config)#username kdooley password cookbook
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#end
Router1#

The username command also allows you to create usernames without passwords by specifying the nopassword keyword:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#username weak nopassword
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#end
Router1#

However, we strongly recommend against doing this because it can severely weaken the router's security.

3.1.3 Discussion

Enabling locally administered usernames overrides the default VTY password-based authentication system. When you enable the aaa new-model command, as shown in this recipe, the router immediately begins to prompt for usernames and passwords. Assigning unique usernames to individuals or groups provides accountability, as we will show later. The following example shows the login prompt for a router using local authentication:

Freebsd%telnet Router1
Trying 172.25.1.5...
Connected to Router1.
Escape character is '^]'.
User Access Verification

Username: ijbrown
Password:
Router1>

The router prompts for the username as well as the password. Compare this to how the router behaves by default:

Freebsd%telnet Router2
Trying 172.25.1.6...
Connected to Router2.
Escape character is '^]'.

User Access Verification

Password:
Router2>

Locally administered usernames work well in a small environment with a limited number of administrators. However, this method does not scale well to a large network with many administrators. Keeping usernames synchronized across an entire network can become quite daunting. Fortunately, Cisco also supports a centralized authentication system, which we discuss in Chapter 4.

When you configure locally administered usernames, the router prompts for usernames on all lines, including the console and AUX ports, as well as the VTY ports used for Telnet sessions. To avoid locking yourself out of the router, you should always configure a username command before entering the AAA commands. It is also a good idea to use another session terminal to test the new authentication system before logging out of your original session. If you do accidentally lock yourself out of the router, you will need to follow the normal password-recovery procedures for your router type.

Enabling username support causes the router to associate certain functions with usernames. This provides accountability for each username by showing exactly who is doing what. For instance, the output of the show users command includes active usernames:

Router1>show users
    Line       User       Host(s)              Idle       Location
  66 vty 0     ijbrown    idle                 00:36:21   freebsd.oreilly.com
  67 vty 1     kdooley    idle                 00:00:24   server1.oreilly.com
* 68 vty 2     weak       idle                 00:00:00   freebsd.oreilly.com

  Interface    User               Mode         Idle       Peer Address

Router1>

More importantly, log messages will capture the username of the individual who invoked certain high-profile commands such as configuration changes, the clearing of counters, and reloads.
For example:

Jun 27 12:58:26: %SYS-5-CONFIG_I: Configured from console by ijbrown on vty2 (172.25.1.1)
Jun 27 13:02:22: %CLEAR-5-COUNTERS: Clear counter on all interfaces by weak on vty2 (172.25.1.1)
Jun 27 14:00:14: %SYS-5-RELOAD: Reload requested by kdooley on vty0 (172.25.1.1).

Note that these log messages now include the username associated with each action. So, instead of just knowing that somebody changed the configuration or reloaded the router, you can see exactly who did it.

In addition, the router captures the username of the last person to modify its configuration or save the configuration to NVRAM. To see this information, use the show running-config command:

Router1#show running-config
Building configuration...

Current configuration : 4285 bytes
!
! Last configuration change at 12:58:26 EDT Fri Jun 27 2003 by ijbrown
! NVRAM config last updated at 13:01:45 EDT Fri Jun 27 2003 by kdooley
!
version 12.2

The username command also has an autocommand keyword, which you can use to assign an EXEC-level command to a particular username. This is useful when you want to provide limited access to a particular command while restricting access to everything else on the router. For example, you might want to set up a special username that anybody could use to run a single router command and then terminate the session:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#aaa authorization exec default local
Router1(config)#username run nopassword noescape
Router1(config)#username run autocommand show ip interface brief
Router1(config)#end
Router1#

In this example, we defined the username run without a password and assigned it an autocommand of show ip interface brief. When you log in to the router with this username, the router will not prompt for a password.
It just automatically executes the command and then terminates the session:

Freebsd% telnet Router1
Trying 172.22.1.4...
Connected to Router1.
Escape character is '^]'.

User Access Verification

Username: run
Interface                  IP-Address      OK? Method Status                Protocol
BRI0/0                     unassigned      YES NVRAM  administratively down down
Ethernet0/0                172.25.1.8      YES NVRAM  administratively down down
BRI0/0:1                   unassigned      YES unset  administratively down down
BRI0/0:2                   unassigned      YES unset  administratively down down
FastEthernet1/0            172.22.1.4      YES NVRAM  up                    up
Loopback0                  192.168.20.1    YES NVRAM  up                    up
Connection closed by foreign host.
Freebsd%

Note that the router issued the command and then terminated the session without providing an opportunity to issue another command. The noescape keyword prevents the user from issuing an escape sequence to access the router EXEC. We strongly recommend using this keyword whenever you use autocommands.

---
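The thread above surfaces several AAA configuration pitfalls: an autocommand (and the username's priv-lvl) is only applied through exec authorization, as Ryan's debug output shows; authorization on the console needs the global "aaa authorization console" knob, as Dave's thread found; and the Cookbook warns about nopassword users, autocommands without noescape, and enabling aaa new-model before any local username exists. The following static config check is an added example written for this page, not code from any of the posters or from Cisco; the rule set and the two sample configs are constructed from the messages above, and standard IOS indentation (one space for line sub-commands) is assumed.

```python
"""Static audit of an IOS config for the AAA pitfalls raised in the thread.
Added example (not from the thread); rules and sample configs are constructed
from the messages above, and standard IOS sub-command indentation is assumed."""

def audit_aaa(config: str) -> list[str]:
    raw = [l.rstrip() for l in config.splitlines() if l.strip() not in ("", "!")]
    top = [l for l in raw if not l.startswith(" ")]  # global (un-indented) commands
    aaa_on = "aaa new-model" in top
    exec_authz = any(l.startswith("aaa authorization exec ") for l in top)
    users = [l.split() for l in top if l.startswith("username ")]
    out = []
    if aaa_on and not users:
        out.append("aaa new-model with no local username: lockout risk")
    for w in users:
        name = w[1]
        if "nopassword" in w:
            out.append(f"user {name}: nopassword")
        # autocmd and priv-lvl are delivered as exec-authorization AVs (see Ryan's debug)
        if aaa_on and not exec_authz and ("autocommand" in w or "privilege" in w):
            out.append(f"user {name}: autocommand/priv-lvl ignored, no 'aaa authorization exec'")
        if "autocommand" in w and not any(u[1] == name and "noescape" in u for u in users):
            out.append(f"user {name}: autocommand without noescape")  # noescape may be on another line
    in_con, con_authz = False, False  # 'authorization exec' under line con 0 needs the global knob
    for l in raw:
        if not l.startswith(" "):
            in_con = l.startswith("line con")
        elif in_con and l.strip().startswith("authorization exec"):
            con_authz = True
    if con_authz and "aaa authorization console" not in top:
        out.append("line con 0 'authorization exec' without 'aaa authorization console'")
    return list(dict.fromkeys(out))  # de-duplicate, keep order


# Constructed from Dave's config before 'aaa authorization console' was added
CONSOLE_GAP = """\
aaa new-model
aaa authentication login con local
aaa authorization exec con local
username level7 privilege 7 password 0 level7
line con 0
 authorization exec con
"""

# Constructed from Ryan's second test, with exec authorization removed
NO_AUTHZ = """\
aaa new-model
aaa authentication login vty local
username c privilege 15 password 7 c
username c autocommand terminal escape Z
"""
```

Run `audit_aaa(CONSOLE_GAP)` and `audit_aaa(NO_AUTHZ)` to reproduce the two failures the thread describes; a config that passes returns an empty list.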