Restricted Access to Privilege Mode based on User Role

OcNOS SP : System Management Guide : Authentication Management Configuration : Restricted Access to Privilege Mode based on User Role

Overview

The Remote Authentication server is enhanced to provide access to execute mode or privilege level execute mode based on the network user’s role. The authentication server can be Remote Authentication Dial-In User Service (RADIUS) or the Terminal Access Controller Access Control System (TACACS) server.

This authorization behavior is enhanced to enable privilege level mode based on the user role specified in the RADIUS/TACACS server. A new CLI disable default auto-enable is introduced to implement it. Executing this CLI removes the default access to the privilege execute mode to any user.

Feature Characteristics

Removed the default login behavior of network-admin role and authenticate the user based on difference privilege level defined in the remote authentication

The authentications assumes the following:.

• If no privilege-level is specified in the authentication server, the default user role is “network-user”.

• All the user logged into the privilege exec mode by default.

• Executing the disable default auto-enable CLI decides the execution mode only for “network-user” role based on the privilege level.

• The user role is determined based on privilege level specified in server configuration user file.

Prerequisites

The following is mandatory before issuing the disable default auto-enable CLI:

• Specify the RADIUS/TACACS server to authenticate the remote user login and enable the RADIUS/TACACS authentication.

radius-server login host 1.2.7.4 vrf management seq-num 1 key 7 0x67efdb4ad9

d771c3ed8312b2bc74cedb

aaa authentication login default vrf management group radius

Configuration

Perform the following configurations on host to disable the privilege execute mode based the user role.

1. Configure RADIUS/TACACS server using the configuration provided in RADIUS Authorization Configuration or TACACS Server Authentication section.

2. In the above configuration after enabling the authentication, execute disable default auto-enable CLI to get into network user executive mode based on user role.

(config)#radius-server login host 10.12.97.42 vrf management seq-num 1 key 0 testing123

OcNOS(config)#aaa authentication login default vrf management group radius

OcNOS(config)#disable default auto-enable

Note: By default this command is disabled.

Validation

Without configuring the disable default auto-enable CLI, if you login as remote user, user will be entered into privileged exec-mode.

radius-server login host 10.12.97.42 vrf management seq-num 1 key 7 0x67efdb4ad9

d771c3ed8312b2bc74cedb

root@instance-00000759:/home/ZebOS8NG# ssh ipi1@10.12.159.128

ipi1@10.12.159.128's password:

Linux OcNOS 4.19.91-ga6f5ae56f #1 SMP Sun Feb 11 13:19:33 UTC 2024 x86_64

Last login: Thu Feb 14 11:43:28 2019 from 10.12.43.197

OcNOS version UFI_S9500-30XS-XP-6.5.0 02/28/2024 07:28:24

OcNOS#sh users

Current user : (*). Lock acquired by user : (#).

CLI user : [C]. Netconf users : [N].

Location : Applicable to CLI users.

Session : Applicable to NETCONF users.

Line User Idle Location/Session PID TYPE Role

(#) 0 con 0 [C]root 0d00h01m ttyS0 5093 Local network-admin

(*) 130 vty 0 [C]ipi1 0d00h00m pts/0 5168 Remote network-user

After configuring the disable default auto-enable CLI, if you login as remote user with privilege level 0, user will be entered into exec-mode.

root@instance-00000759:/home/ZebOS8NG# ssh ipi1@10.12.159.128

ipi1@10.12.159.128's password:

Linux OcNOS 4.19.91-ga6f5ae56f #1 SMP Sun Feb 11 13:19:33 UTC 2024 x86_64

Last login: Thu Feb 14 14:02:48 2019 from 10.12.43.197

OcNOS version UFI_S9500-30XS-XP-6.5.0 02/28/2024 07:28:24

OcNOS>en

OcNOS#sh users

Current user : (*). Lock acquired by user : (#).

CLI user : [C]. Netconf users : [N].

Location : Applicable to CLI users.

Session : Applicable to NETCONF users.

Line User Idle Location/Session PID TYPE Role

(#) 0 con 0 [C]root 0d00h00m ttyS0 5093 Local network-admin

(*) 130 vty 0[C]ipi1 0d00h00m pts/0 5207 Remote network-user

After configuring the disable default auto-enable CLI, if you login as remote user with privilege level 1-15, the user will be entered into privileged execution mode.

root@instance-00000759:/home/ZebOS8NG# ssh ipi@10.12.159.128

ipi@10.12.159.128's password:

Linux OcNOS 4.19.91-ga6f5ae56f #1 SMP Sun Feb 11 13:19:33 UTC 2024 x86_64

OcNOS version UFI_S9500-30XS-XP-6.5.0 02/28/2024 07:28:24

OcNOS#sh users

Current user : (*). Lock acquired by user : (#).

CLI user : [C]. Netconf users : [N].

Location : Applicable to CLI users.

Session : Applicable to NETCONF users.

Line User Idle Location/Session PID TYPE Role

(#) 0 con 0 [C]root 0d00h01m ttyS0 5093 Local network-admin

(*) 130 vty 0 [C]ipi 0d00h00m pts/0 5239 Remote network-engineer

New CLI Commands

The RADIUS authentication introduces the following configuration commands.

disable default auto-enable

Use this command to disable auto-enable feature in remote authentication for user role "network-user".

Use no parameter of this command to enable auto-enable feature.

Command Syntax

disable default auto-enable

no disable default auto-enable

Parameters

None

Default

Disable

Command Mode

Configuration Mode

Applicability

This command was introduced in the OcNOS version 6.5.1.

Example

The following CLI disable auto-enable feature for user role "network-user" in remote authentication.

OcNOS(config)#disable default auto-enable

OcNOS(config)#commit

OcNOS(config)#exit

Glossary

Key Terms/Acronym	Description
RADIUS	Remote Authentication Dial-In User Service
TACACS	Terminal Access Controller Access Control System server