Hi Piotr,
Thanks for your explanation. It makes complete sense when you
compare it to the behaviour of interfaces.
Thanks,
Erwin
On Sun, Oct 11, 2009 at 12:40 PM, Piotr Matusiak <piotr_at_ccie1.com> wrote:
> Hi Erwin,
>
> This is a default behavior of privilege command. The IOS thinks of AUX, CON,
> VTY etc. as arguments for "line" command, so you cannot be that specific.
> The same is true for "interface" command like:
>
> R1(config)#privilege configure level 3 interface fastethernet0/0
> R1(config)#do sh run | in privil
> privilege configure level 3 interface
>
>
> If you want to allow user access to certain/specified commands only you
> should use command authorization with ACS.
> The local privilege assignment is not flexible in any way... same as local
> password policy tho.
>
>
> HTH,
>
> --
> Piotr Matusiak
> CCIE #19860 (R&S, SEC)
>
>
>
> 2009/10/10 Erwin van Harrewijn <erwin_at_f1x0r.nl>
>>
>> Hi Group,
>>
>> I am reviewing the use of privilege levels.
>>
>> The task I want to achieve is the following:
>> - configure a user having access to level 3 commands
>> - allow the user only to configure the line aux 0
>> - not allowing the user to configure line con or line vty
>>
>> I can restrict the user to level 3
>> I can restrict the user to only use the "config terminal" command
>> I can not restrict the user to only configure the aux 0 line
>>
>> I hoped to solve this issue with the "privilege configure level 3 line
>> aux 0" command, but the "aux 0" part is stripped.
>>
>> Any ideas are greatly appreciated.
>> Erwin
>>
>>
>> =======
>>
>> bastion#sh privilege
>> Current privilege level is 3
>>
>> bastion(config)#?
>> Configure commands:
>> beep Configure BEEP (Blocks Extensible Exchange Protocol)
>> call Configure Call parameters
>> default Set a command to its defaults
>> end Exit from configure mode
>> exit Exit from configure mode
>> help Description of the interactive help system
>> line Configure a terminal line
>> netconf Configure NETCONF
>> no Negate a command or set its defaults
>> sasl Configure SASL
>> wsma Configure Web Services Management Agents
>>
>> bastion(config)#line ?
>> <0-6> First Line number
>> aux Auxiliary line
>> console Primary terminal line
>> vty Virtual terminal
>>
>> bastion#show run | i priv
>> username level3 privilege 3 secret 5 $1$1/r8$0EF0wbTx/BCVcGc4fnEAi1
>>
>> privilege configure level 3 line
>> privilege exec level 3 configure terminal
>> privilege exec level 3 configure
>>
>> ========
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
Received on Sun Oct 11 2009 - 20:05:25 ART
This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:50:59 ART
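
Added example, not part of the original thread: the IOS side of the TACACS+ command authorization recommended in the reply above, where the server receives each command together with its arguments and can therefore permit "line aux 0" while denying "line con" and "line vty". The server address 192.0.2.10 and the <shared-key> placeholder are assumptions; the permit/deny rule for the "line" command is defined on the ACS server and is not shown.

```ios
! Added example with assumed values: 192.0.2.10 is a placeholder TACACS+ (ACS)
! server address and <shared-key> is a placeholder secret.
aaa new-model
tacacs-server host 192.0.2.10 key <shared-key>
!
! Authenticate logins against TACACS+, falling back to the local user database
aaa authentication login default group tacacs+ local
! Let the server decide whether an exec session starts and at which level
aaa authorization exec default group tacacs+ local
! Send every level 3 command, including its arguments, to the server
aaa authorization commands 3 default group tacacs+ local
! Extend command authorization to configuration mode, so that
! "line aux 0" is checked as command "line" with arguments "aux 0"
aaa authorization config-commands
!
! Local privilege assignment still has to expose the keywords to level 3;
! as shown in the thread, only the keyword itself is stored.
privilege exec level 3 configure terminal
privilege configure level 3 line
```

With the "local" fallback in the method list, an unreachable server leaves only the local privilege assignment in effect, which again allows every "line" argument at level 3.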