From: Jonathan V Hays (jhays@jtan.com)
Date: Sat Aug 02 2003 - 15:54:41 GMT-3
Your English is fine. My response was general and did not meet your
exact requirements - sorry.
As you know, commands are well defined for privilege levels 0, 1, and
15. But defining your own commands on other levels is difficult since
Cisco gives very little documentation on doing this. My method has been
to just try a lot of things and see what works - the "hit and miss"
method. I've never been able to get "show run" to work properly except
in level 15.
Sorry I can't help any further. You may have to resort to AAA.
Jonathan
-----Original Message-----
From: jfaure@sztele.com [mailto:jfaure@sztele.com]
Sent: Saturday, August 02, 2003 1:32 PM
To: Jonathan V Hays
Cc: ccielab@groupstudy.com
Subject: RE: Privilege level commands
Hi Jonathan:
Sorry for my bad English. It seems it's difficult for me to properly
communicate what I want to do. It isn't the case in the example you sent
before.
I'd like to have a user that can:
- See details about the whole system, and ALSO DO A SH RUN
- The only thing he CAN'T do is configure the system
Regards
Juan Faure Ferrer
email: jfaure@sztele.com
Telematics and CC Business Line
Network and Systems Integration Engineer
------------------------------------------------------------------------
SOLUZIONA TELECOMUNICACIONES
Servicios Profesionales de UNION FENOSA
Jerez, 3 28016 MADRID
tel 91 579 30 00 fax 91 350 72 83
------------------------------------------------------------------------
"Jonathan V Hays" <jhays@jtan.com>
02/08/03 19:23
To: <jfaure@sztele.com>
cc: <ccielab@groupstudy.com>
Subject: RE: Privilege level commands
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of jfaure@sztele.com
Sent: Saturday, August 02, 2003 12:53 PM
To: Jonathan V Hays
Cc: ccielab@groupstudy.com; nobody@groupstudy.com
Subject: RE: Privilege level commands
Yes, I have read this before, but there isn't a privilege "mode" that specifically applies to "displaying the running config". There are different modes for interface, configure, exec, line, etc.
I don't see how you can achieve this. I don't totally understand how a "privilege n: x" can be "remade" over specific commands. Must I define my own level 15 "command by command" without including the "show run"? Indeed there is not enough granularity to do so, or I don't see how to do it.
Regards
Juan Faure Ferrer
--------------
See example below. Is this what you are looking for? The example below assigns vty lines 0, 1, and 2 to privilege level 2. Two vty lines are reserved for senior administrators who can telnet to rotary line 1. See below for example and demonstration.
Jonathan
-----
R1:
    ! level-15 enable password, and a separate enable password for level 2
    enable secret cisco
    enable secret level 2 showonly
    !
    ! junioradmin lands directly at privilege level 2; senioradmin starts at level 1
    ! and uses "enable" to reach level 15
    username junioradmin privilege 2 password 0 showonly
    username senioradmin password 0 topsecret
    !
    ! make the "show" command tree available at level 2
    privilege exec level 2 show
    !
    ! vty 0-2 for everyone, vty 3-4 reachable via rotary 1 (TCP port 3001)
    line vty 0 2
     login local
    line vty 3 4
     login local
     rotary 1
R2:
    r2#telnet r1
    Trying r1 (150.1.1.1)... Open

    User Access Verification

    Username: junioradmin
    Password:
    r1#show privilege
    Current privilege level is 2
    r1#show ip int brief
    Interface    IP-Address    OK? Method Status   Protocol
    Ethernet0    150.1.10.1    YES NVRAM  up       up
    Loopback0    150.1.1.1     YES NVRAM  up       up
    Loopback1    195.1.1.1     YES NVRAM  up       up
    Loopback10   220.1.0.1     YES NVRAM  up       up
    Loopback11   220.1.1.1     YES NVRAM  up       up
    Loopback12   220.1.2.1     YES NVRAM  up       up
    Loopback13   220.1.3.1     YES NVRAM  up       up
    Serial0      150.1.14.1    YES NVRAM  up       up
    Serial1      150.1.12.1    YES NVRAM  up       up
    r1#sh run
           ^
    % Invalid input detected at '^' marker.

    r1#exit

    [Connection to r1 closed by foreign host]
    r2#telnet r1 3001
    Trying r1 (150.1.1.1, 3001)... Open

    User Access Verification

    Username: senioradmin
    Password:
    r1>en
    Password:
    r1#show privilege
    Current privilege level is 15
    r1#sh users
        Line       User       Host(s)              Idle       Location
       0 con 0                idle                 00:07:59
    *  5 vty 3     senioradmi idle                 00:00:00 150.1.12.2

      Interface    User               Mode         Idle     Peer Address

    r1#
    r1#disable
    r1>enable 2
    Password:
    r1#show privilege
    Current privilege level is 2
    r1#
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:52 GMT-3