Re: Allow "privilege level 3 user" to configure line aux, but

From: Piotr Matusiak <piotr_at_ccie1.com>
Date: Sun, 11 Oct 2009 12:40:48 +0200

Hi Erwin,

This is the default behavior of the privilege command. IOS treats AUX, CON,
VTY etc. as arguments of the "line" command, so they cannot be specified that way.
The same is true for the "interface" command, e.g.:

R1(config)#privilege configure level 3 interface fastethernet0/0
R1(config)#do sh run | in privil
privilege configure level 3 interface

If you want to allow the user access to certain specified commands only, you
should use command authorization with ACS.
The local privilege assignment is not flexible in any way... same as the local
password policy, though.

HTH,

-- 
Piotr Matusiak
CCIE #19860 (R&S, SEC)
2009/10/10 Erwin van Harrewijn <erwin_at_f1x0r.nl>
> Hi Group,
>
> I am reviewing the use of privilege levels.
>
> The task I want to achieve is the following:
> - configure a user having access to level 3 commands
> - allow the user only to configure the line aux 0
> - not allow the user to configure line con or line vty
>
> I can restrict the user to level 3
> I can restrict the user to only use the "config terminal" command
> I can not restrict the user to only configure the aux 0 line
>
> I hoped to solve this issue with the "privilege configure level 3 line
> aux 0" command, but the "aux 0" part is stripped.
>
> Any ideas are greatly appreciated.
> Erwin
>
>
> =======
>
> bastion#sh privilege
> Current privilege level is 3
>
> bastion(config)#?
> Configure commands:
>  beep     Configure BEEP (Blocks Extensible Exchange Protocol)
>  call     Configure Call parameters
>  default  Set a command to its defaults
>  end      Exit from configure mode
>  exit     Exit from configure mode
>  help     Description of the interactive help system
>  line     Configure a terminal line
>  netconf  Configure NETCONF
>  no       Negate a command or set its defaults
>  sasl     Configure SASL
>  wsma     Configure Web Services Management Agents
>
> bastion(config)#line ?
>  <0-6>    First Line number
>  aux      Auxiliary line
>  console  Primary terminal line
>  vty      Virtual terminal
>
> bastion#show run | i priv
> username level3 privilege 3 secret 5 $1$1/r8$0EF0wbTx/BCVcGc4fnEAi1
>
> privilege configure level 3 line
> privilege exec level 3 configure terminal
> privilege exec level 3 configure
>
> ========
>
>
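The command-authorization approach Piotr points to, shown as an added IOS configuration example that is not part of either message. The server address 192.0.2.10, the shared key, the group name ACS-SERVERS and the local secret are placeholders, and the actual permit/deny command set is defined on the ACS side, not in this config.

```cisco
! Added example (not from either message): TACACS+ (ACS) command authorization.
! 192.0.2.10, the shared key and the group name ACS-SERVERS are placeholders.
aaa new-model
!
! TACACS+ server definition (placeholder values)
tacacs-server host 192.0.2.10
tacacs-server key <SHARED-KEY-PLACEHOLDER>
aaa group server tacacs+ ACS-SERVERS
 server 192.0.2.10
!
! Login and exec authorization against ACS, local database as fallback
aaa authentication login default group ACS-SERVERS local
aaa authorization exec default group ACS-SERVERS local
!
! Also send configuration-mode commands (e.g. "line aux 0") to the server;
! without this line only exec-mode commands are authorized.
aaa authorization config-commands
!
! Authorize every command at the levels this user can reach (0, 1 and 3).
! "local" is consulted only if the server is unreachable, never on a deny.
aaa authorization commands 0 default group ACS-SERVERS local
aaa authorization commands 1 default group ACS-SERVERS local
aaa authorization commands 3 default group ACS-SERVERS local
!
! The local user stays as fallback; level 3 is still needed to reach config mode
username level3 privilege 3 secret <LOCAL-SECRET-PLACEHOLDER>
privilege exec level 3 configure terminal
privilege configure level 3 line
!
! The per-argument policy lives on ACS, in the shell command authorization set
! attached to this user or group, e.g. (pseudo-notation, not IOS syntax):
!   permit  configure terminal
!   permit  line aux 0
!   deny    line .*
! IOS sends the full command line to the server, so ACS can match the "aux 0"
! argument that the local "privilege configure" command discards.
```

Verify the result with `debug aaa authorization` on a test box before rolling it out: a user at level 3 should see "line aux 0" accepted and "line vty 0 4" rejected by the server, not by the local privilege table.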
Received on Sun Oct 11 2009 - 12:40:48 ART

This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:50:59 ART