Restricted Access to Privilege Mode based on User Role
Overview
The remote authentication server is enhanced to grant either execute mode or privileged execute mode based on the network user's role. The authentication server can be a Remote Authentication Dial-In User Service (RADIUS) server or a Terminal Access Controller Access Control System (TACACS) server.
This authorization behavior is enhanced so that privileged mode is granted based on the user role specified on the RADIUS/TACACS server. A new CLI, disable default auto-enable, is introduced to implement it. Executing this CLI removes the default access to privileged execute mode that every user otherwise receives.
Feature Characteristics
The default login behavior, in which every remote user received the network-admin role, is removed; the user is instead authorized according to the privilege level defined on the remote authentication server.
The authentication assumes the following:
• If no privilege level is specified on the authentication server, the default user role is "network-user".
• All users are logged into privileged exec mode by default.
• Executing the disable default auto-enable CLI changes the execution mode only for the "network-user" role, based on the privilege level.
• The user role is determined from the privilege level specified in the server's user configuration file.
Prerequisites
The following is mandatory before issuing the disable default auto-enable CLI:
• Specify the RADIUS/TACACS server that authenticates remote user logins, and enable RADIUS/TACACS authentication:
radius-server login host 1.2.7.4 vrf management seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb
aaa authentication login default vrf management group radius
Configuration
Perform the following configuration on the host to restrict privileged execute mode based on the user role. After configuring the RADIUS server and enabling authentication, execute the disable default auto-enable CLI so that users with the network-user role enter the execution mode that matches their privilege level.
OcNOS(config)#radius-server login host 10.12.97.42 vrf management seq-num 1 key 0 testing123
OcNOS(config)#aaa authentication login default vrf management group radius
OcNOS(config)#disable default auto-enable
Note: By default this command is disabled.
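The following Python model is an added example, not part of the OcNOS documentation or product code. It captures the mode-selection rules listed under Feature Characteristics and the prerequisite checks under Prerequisites and Configuration, so that a reviewer can sanity-check a planned configuration offline before pushing it to a device. The function names, the `RemoteUser` class and the constructed configuration text are assumptions; the behavior for a user with no privilege level at all is assumed to match privilege level 0.

```python
"""Model of the 'disable default auto-enable' decision (added example, hypothetical code)."""
import re
from dataclasses import dataclass
from typing import Optional

EXEC = "exec"                   # OcNOS> prompt
PRIV_EXEC = "privileged exec"   # OcNOS# prompt


@dataclass
class RemoteUser:
    name: str
    priv_level: Optional[int]        # level returned by RADIUS/TACACS, None if absent
    role: Optional[str] = None       # role mapped from that level in the server user file


def effective_role(user: RemoteUser) -> str:
    """No privilege level on the server means the default role network-user."""
    if user.priv_level is None:
        return "network-user"
    if not 0 <= user.priv_level <= 15:
        raise ValueError(f"privilege level out of range: {user.priv_level}")
    return user.role or "network-user"


def initial_mode(user: RemoteUser, auto_enable_disabled: bool) -> str:
    """Mode the user lands in at login, per the page's rules."""
    role = effective_role(user)
    if not auto_enable_disabled:
        return PRIV_EXEC            # default: every remote user is auto-enabled
    if role != "network-user":
        return PRIV_EXEC            # the CLI only restricts the network-user role
    level = user.priv_level or 0    # assumption: missing level behaves like level 0
    return EXEC if level == 0 else PRIV_EXEC


def audit_config(config_text: str) -> dict:
    """Verify the prerequisites exist before the restricting CLI is relied on."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    has_server = any(re.match(r"(radius|tacacs)-server ", ln) for ln in lines)
    has_aaa = any(re.match(r"aaa authentication login .*group (radius|tacacs)", ln)
                  for ln in lines)
    restricted = "disable default auto-enable" in lines   # exact line, so "no ..." does not count
    return {"server_configured": has_server, "aaa_login_enabled": has_aaa,
            "auto_enable_disabled": restricted,
            "ok": restricted and has_server and has_aaa}


# Constructed configuration text mirroring the page's Configuration section.
SAMPLE_CONFIG = """
radius-server login host 10.12.97.42 vrf management seq-num 1 key 0 testing123
aaa authentication login default vrf management group radius
disable default auto-enable
"""
```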
Validation
Without the disable default auto-enable CLI configured, a remote user who logs in is placed directly into privileged exec mode.
radius-server login host 10.12.97.42 vrf management seq-num 1 key 7 0x67efdb4ad9d771c3ed8312b2bc74cedb
root@instance-00000759:/home/ZebOS8NG# ssh ipi1@10.12.159.128
ipi1@10.12.159.128's password:
Linux OcNOS 4.19.91-ga6f5ae56f #1 SMP Sun Feb 11 13:19:33 UTC 2024 x86_64
Last login: Thu Feb 14 11:43:28 2019 from 10.12.43.197
OcNOS version UFI_S9500-30XS-XP-6.5.0 02/28/2024 07:28:24
OcNOS#sh users
Current user : (*). Lock acquired by user : (#).
CLI user : [C]. Netconf users : [N].
Location : Applicable to CLI users.
Session : Applicable to NETCONF users.
Line User Idle Location/Session PID TYPE Role
(#) 0 con 0 [C]root 0d00h01m ttyS0 5093 Local network-admin
(*) 130 vty 0 [C]ipi1 0d00h00m pts/0 5168 Remote network-user
After the disable default auto-enable CLI is configured, a remote user who logs in with privilege level 0 is placed into exec mode.
root@instance-00000759:/home/ZebOS8NG# ssh ipi1@10.12.159.128
ipi1@10.12.159.128's password:
Linux OcNOS 4.19.91-ga6f5ae56f #1 SMP Sun Feb 11 13:19:33 UTC 2024 x86_64
Last login: Thu Feb 14 14:02:48 2019 from 10.12.43.197
OcNOS version UFI_S9500-30XS-XP-6.5.0 02/28/2024 07:28:24
OcNOS>en
OcNOS#sh users
Current user : (*). Lock acquired by user : (#).
CLI user : [C]. Netconf users : [N].
Location : Applicable to CLI users.
Session : Applicable to NETCONF users.
Line User Idle Location/Session PID TYPE Role
(#) 0 con 0 [C]root 0d00h00m ttyS0 5093 Local network-admin
(*) 130 vty 0 [C]ipi1 0d00h00m pts/0 5207 Remote network-user
After the disable default auto-enable CLI is configured, a remote user who logs in with privilege level 1-15 is placed into privileged exec mode.
root@instance-00000759:/home/ZebOS8NG# ssh ipi@10.12.159.128
ipi@10.12.159.128's password:
Linux OcNOS 4.19.91-ga6f5ae56f #1 SMP Sun Feb 11 13:19:33 UTC 2024 x86_64
OcNOS version UFI_S9500-30XS-XP-6.5.0 02/28/2024 07:28:24
OcNOS#sh users
Current user : (*). Lock acquired by user : (#).
CLI user : [C]. Netconf users : [N].
Location : Applicable to CLI users.
Session : Applicable to NETCONF users.
Line User Idle Location/Session PID TYPE Role
(#) 0 con 0 [C]root 0d00h01m ttyS0 5093 Local network-admin
(*) 130 vty 0 [C]ipi 0d00h00m pts/0 5239 Remote network-engineer
New CLI Commands
This feature introduces the following configuration command.
disable default auto-enable
Use this command to disable the auto-enable feature of remote authentication for the user role "network-user".
Use the no form of this command to re-enable the auto-enable feature.
Command Syntax
disable default auto-enable
no disable default auto-enable
Parameters
None
Default
Disable
Command Mode
Configuration Mode
Applicability
This command was introduced in the OcNOS version 6.5.1.
Example
The following CLI disables the auto-enable feature for the user role "network-user" in remote authentication.
OcNOS(config)#disable default auto-enable
OcNOS(config)#commit
OcNOS(config)#exit
Glossary
| Key Terms/Acronym | Description |
| --- | --- |
| RADIUS | Remote Authentication Dial-In User Service |
| TACACS | Terminal Access Controller Access Control System server |