AAA: Attributes for local user database

From Internetworkpro

This page or section provides device configuration instructions
Please note that the information on this page has not been checked for accuracy and is not intended as a replacement to documentation. Please ensure you understand your desired objectives before attempting to apply any examples listed.
See more examples at Category:Configuration

Usually, user attributes for AAA, such as IP addresses, callback numbers, routes or ACL names, are set by external AAA servers during authentication and authorization. In the past, the IOS local database did not offer many options for providing such attributes to locally configured users.

IOS 12.3(14)T introduced the concept of AAA attribute lists. You can create such a list and specify many AAA attributes in it. Define an attribute list with

 aaa attribute list list-name

and, inside the list, type attribute type ? to see which attributes can be provided.

There are several hooks for attribute lists, such as the EZVPN server (crypto aaa attribute list) or PPPoX headends, but attribute lists can also be used to extend AAA functionality for CLI access. The following simple example shows how to deny CLI access to a user completely by returning an invalid privilege level: authentication succeeds, but exec authorization then fails because the privilege level is outside the valid range of 0-15.

Unfortunately, I couldn't figure out how to revoke permission for the service "shell"; it seems that denying services cannot be done with attribute lists.

aaa authentication login VTY local
aaa authorization exec VTY local 

aaa attribute list denylogin
 attribute type priv-lvl 666 service shell mandatory

username nologin password 0 nologin
username nologin aaa attribute list denylogin

line vty 0 4
 authorization exec VTY
 login authentication VTY
 transport input ssh


$ ssh nologin@192.168.10.254
Password:
% Authorization failed.
Connection to 192.168.10.254 closed.

Jul 22 18:12:14.673 UTC: AAA/BIND(00000023): Bind i/f
Jul 22 18:12:17.464 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: nologin] [Source: 192.168.10.2] [localport: 22] at 18:12:17 UTC Tue Jul 22 2008
Jul 22 18:12:17.472 UTC: AAA/AUTHOR (0x23): Pick method list 'VTY'
Jul 22 18:12:17.472 UTC: AAA/AUTHOR/EXEC(00000023): processing AV cmd=
Jul 22 18:12:17.472 UTC: AAA/AUTHOR/EXEC(00000023): processing AV priv-lvl=1
Jul 22 18:12:17.472 UTC: AAA/AUTHOR/EXEC(00000023): processing AV priv-lvl=666
Jul 22 18:12:17.472 UTC: AAA/AUTHOR/EXEC(00000023): received invalid privilege level 666. (Should be 0-15)
Jul 22 18:12:17.472 UTC: AAA/AUTHOR/EXEC(00000023): Authorization FAILED
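The debug output above is useful for detection as well: a login that authenticates but then fails exec authorization with an out-of-range privilege level is exactly the signature this configuration produces. The following Python is an added example, not part of the original page, that groups AAA/AUTHOR/EXEC debug lines by session id and reports denied sessions with the priv-lvl values seen; the sample log is constructed from the lines above plus a made-up second session (00000024) that is authorized normally.

```python
import re
from collections import defaultdict

# Constructed sample log: the session 00000023 lines mirror the page's debug
# output, session 00000024 is a made-up contrast case that passes authorization.
SAMPLE_LOG = """\
Jul 22 18:12:17.464 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: nologin] [Source: 192.168.10.2] [localport: 22] at 18:12:17 UTC Tue Jul 22 2008
Jul 22 18:12:17.472 UTC: AAA/AUTHOR (0x23): Pick method list 'VTY'
Jul 22 18:12:17.472 UTC: AAA/AUTHOR/EXEC(00000023): processing AV cmd=
Jul 22 18:12:17.472 UTC: AAA/AUTHOR/EXEC(00000023): processing AV priv-lvl=1
Jul 22 18:12:17.472 UTC: AAA/AUTHOR/EXEC(00000023): processing AV priv-lvl=666
Jul 22 18:12:17.472 UTC: AAA/AUTHOR/EXEC(00000023): received invalid privilege level 666. (Should be 0-15)
Jul 22 18:12:17.472 UTC: AAA/AUTHOR/EXEC(00000023): Authorization FAILED
Jul 22 18:13:02.100 UTC: AAA/AUTHOR/EXEC(00000024): processing AV priv-lvl=15
Jul 22 18:13:02.100 UTC: AAA/AUTHOR/EXEC(00000024): Authorization successful
"""

# Only exec-authorization lines carry the session id we key on.
AUTHOR_RE = re.compile(r"AAA/AUTHOR/EXEC\((?P<sid>[0-9A-Fa-f]+)\): (?P<msg>.*)")
AV_RE = re.compile(r"processing AV (?P<attr>[\w-]+)=(?P<val>.*)")
INVALID_RE = re.compile(r"received invalid privilege level (?P<lvl>-?\d+)")


def parse_exec_authorization(log):
    """Return {session_id: {"avs": [(attr, value), ...], "result": ..., "reason": ...}}."""
    sessions = defaultdict(lambda: {"avs": [], "result": None, "reason": None})
    for line in log.splitlines():
        m = AUTHOR_RE.search(line)
        if not m:
            continue  # LOGIN_SUCCESS, BIND and method-list lines are skipped here
        s, msg = sessions[m["sid"]], m["msg"]
        if (av := AV_RE.match(msg)):
            s["avs"].append((av["attr"], av["val"]))  # later AVs override earlier ones
        elif (inv := INVALID_RE.match(msg)):
            s["reason"] = f"priv-lvl {inv['lvl']} outside 0-15"
        elif msg.startswith("Authorization FAILED"):
            s["result"] = "FAILED"
        elif msg.startswith("Authorization successful"):
            s["result"] = "OK"
    return dict(sessions)


def denied_sessions(log):
    """List (session_id, [priv-lvl values in order], reason) for failed exec authorizations."""
    denied = []
    for sid, s in parse_exec_authorization(log).items():
        if s["result"] == "FAILED":
            levels = [val for attr, val in s["avs"] if attr == "priv-lvl"]
            denied.append((sid, levels, s["reason"]))
    return denied
```

Running denied_sessions(SAMPLE_LOG) flags only session 00000023, showing the default priv-lvl 1 followed by the 666 supplied by the attribute list and the reason the authorization was rejected.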