Friday, October 15, 2010

Security 101

aaa authorization console
aaa authorization exec default none
aaa authorization exec CONSOLE group tacacs+ local
aaa authorization exec VTY group tacacs+ if-authenticated
username ADMIN privilege 7 password 0 CISCO
line con 0
authorization exec CONSOLE
line vty 0 4
privilege level 15
password cisco
authorization exec VTY
login authentication VTY

Authorization is the procedure of granting rights to a subject, or permission to perform a particular action. Authorization normally applies only to authenticated entities: the identity of the subject is used to look up the policy and determine its permissions, which is why authentication precedes authorization. In some cases, however, certain rights can be granted to unidentified subjects.
The goal of exec authorization is to assign a privilege level (0-15) to a logged-in user. You configure an exec authorization list using the command:
aaa authorization exec {default|<NAME>} <Method List>
As with authentication, you can define a default list (which is used system wide) or apply a specific list per terminal line. Generally, there are three methods to obtain authorization information:
1) Consult a remote AAA server and download the user attributes. TACACS+ performs this as a separate operation, whereas RADIUS has no distinct authorization exchange and returns the authorization attributes in its authentication replies. Here is an example of using TACACS+ as the source of the required information:
aaa authorization exec default group tacacs+
2) Consult the local username database, looking for the privilege level assigned to the authenticated user:
aaa authorization exec default local
3) Use default settings, for example, the default privilege level assigned to the terminal line, if the authorization configuration permits. This is commonly used when you disable authorization (method “none”) or authorize settings for any authenticated users (method “if-authenticated”). Note the difference between the method “none” and “if-authenticated” from the following example:

Scenario 1:
aaa authentication login default tacacs+ none
aaa authorization exec default none
!
line console 0
privilege level 15

Scenario 2:
aaa authentication login default tacacs+ none
aaa authorization exec default if-authenticated
!
line console 0
privilege level 15
In the first case, if the TACACS+ server is not available, the router will allow incoming console connections without authentication. Since there is no exec authorization, the user is granted the exec shell with privilege 15 (the level configured on the line). In the second case, if the TACACS+ server is not available, the system likewise grants access without authentication, but exec shell authorization fails, because the “if-authenticated” method cannot succeed for a user who was never authenticated.
Thus, the difference between “none” and “if-authenticated” authorization cases is that the former always applies the desired authorization parameters without any verification. The latter requires the user to be authenticated, but does not consult the user database to check authorization attributes.
By default, exec authorization is set to “none”, so you may need to change it to meet your needs. Also, note that IOS routers by default do not authorize exec sessions on the console line. By contrast, Catalyst IOS always authorizes the exec shell, even on the console line. Therefore, if you disable console authentication on a Catalyst switch, make sure you never apply an AAA authorization list to the console (explicitly or via the default list). You can enable console exec authorization on IOS routers with the command aaa authorization console.
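The following audit script is an added example, not code from the original post: it applies the rules above to a constructed running-config fragment, resolving which exec authorization list each terminal line uses (an unlisted line falls back to “default”, and no default list means “none”; the console is treated as unauthorized unless aaa authorization console is present, as on routers) and flags lines whose effective method grants the exec shell at the line's privilege level without consulting any user database.

```python
import re
# Constructed running-config fragment modelled on the configuration above;
# it was not captured from a real device.
SAMPLE_CONFIG = """\
aaa authorization console
aaa authorization exec default none
aaa authorization exec CONSOLE group tacacs+ local
aaa authorization exec VTY group tacacs+ if-authenticated
line con 0
 authorization exec CONSOLE
line vty 0 4
 privilege level 15
 authorization exec VTY
line vty 5 15
 privilege level 15
"""

def parse_config(config):
    """Collect the exec method lists and each terminal line's settings."""
    lists, lines, cur = {}, {}, None
    for raw in config.splitlines():
        t = raw.strip()
        if m := re.match(r"aaa authorization exec (\S+) (.+)", t):
            lists[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2))  # "group tacacs+" stays one method
        elif t.startswith("line "):
            cur = t[5:]
            lines[cur] = {"list": "default", "priv": 1}  # IOS line defaults
        elif cur and (m := re.match(r"authorization exec (\S+)", t)):
            lines[cur]["list"] = m.group(1)
        elif cur and (m := re.match(r"privilege level (\d+)", t)):
            lines[cur]["priv"] = int(m.group(1))
    return lists, lines

def audit(config):
    """Map each line to (effective exec methods, warning or None)."""
    lists, lines = parse_config(config)
    console_authz = "aaa authorization console" in config
    report = {}
    for name, info in lines.items():
        methods = lists.get(info["list"], lists.get("default", ["none"]))  # no default list -> none
        if name.startswith("con") and not console_authz:
            methods = ["none"]  # router default: console exec is not authorized
        warn = None
        if "none" in methods:
            warn = f"exec granted at privilege {info['priv']} without any authorization check"
        elif "if-authenticated" in methods:
            warn = f"any authenticated user gets privilege {info['priv']} if the servers before it are unreachable"
        report[name] = (methods, warn)
    return report
```

Running audit(SAMPLE_CONFIG) flags vty 5 15, which has no list of its own and therefore inherits the “none” default at privilege 15, while vty 0 4 is reported as falling back to “if-authenticated”.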

___________________

privilege exec level 7 configure terminal
privilege exec level 7 undebug all
privilege exec level 7 show running-config
privilege exec level 7 debug ip rip
privilege configure level 7 interface
privilege interface level 7 shutdown
privilege interface level 7 no shutdown
privilege interface all level 7 ip


IOS allows configuring command authorization by using the local configuration database. Command authorization permits specific commands to groups of users. IOS also supports remote command authorization with the TACACS+ protocol, but this is out of the scope of the CCIE R&S lab exam.
Local command authorization uses the concept of privilege levels. There are sixteen levels supported, 0 to 15. Each level includes the commands of all lower levels, e.g. privilege 5 includes levels 0-5, and privilege 15 includes levels 0-15. By default, IOS has three privilege levels pre-configured:
Level 0 - just a few basic commands, such as enable, login, and exit
Level 1 - the default exec user level; has some show commands available, but no configuration commands
Level 15 - the maximum privilege level, also known as privileged mode or enable mode; includes all the commands available in IOS
