Re: Privilege levels

From: Adam Booth <adam.booth_at_gmail.com>
Date: Thu, 2 Dec 2010 11:48:34 +1000

I guess if you really wanted to only limit the user to performing a single
command, you could just use the "autocommand" config option on the user

username limited password 0 limited
username limited autocommand show ip interface brief

However, that doesn't really answer your question about using privilege
levels - at least in my case, I would use priv levels to move a specific
high priv command down to a user that you don't trust with full enable 15
capability.

For example:

username limited password 0 limited
username limited privilege 2
privilege exec level 2 ping

Should mean this guy can do extended pings (a regular user not in enable
mode is priv 1, and in enable mode typically is at priv 15).

Views seem a good thing though for your specific problem case, so perhaps
implement what Marcelo put in and include an autocommand for the user to
"enable view SupportLevel1"

Cheers,
Adam
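To see how the two approaches above (privilege levels moved with "privilege exec level", and parser views that include specific commands) differ in what a user ends up able to run, here is an added example that is not from this thread or from Cisco: a small Python audit that parses a constructed IOS-style config and reports each user's allowed exec commands. The default command levels in DEFAULT_LEVELS are an assumption for the example, not an exhaustive IOS table, and autocommand is not modelled.

```python
import re
from typing import Dict, Set

# Constructed default privilege levels for a few exec commands (an assumption
# for this example, not an exhaustive IOS table). Extended ping is level 15.
DEFAULT_LEVELS = {
    "show ip interface brief": 1,
    "ping": 15,
    "configure terminal": 15,
}

# Constructed config combining both approaches from the thread.
SAMPLE_CONFIG = """\
aaa new-model
username limited privilege 2
privilege exec level 2 ping
parser view SupportLevel1
 secret SupLevel1
 commands exec include show ip interface brief
username test view SupportLevel1 secret test
"""

def allowed_commands(config: str, user: str) -> Set[str]:
    """Exec commands `user` may run: a view-bound user gets only the view's
    included commands; otherwise every command whose level (default, or as
    moved by 'privilege exec level N <cmd>') is at or below the user's level."""
    levels = dict(DEFAULT_LEVELS)
    views: Dict[str, Set[str]] = {}
    user_level, user_view, current_view = 1, None, None  # unprivileged = level 1
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            current_view = None  # a top-level line ends any parser-view sub-mode
        if m := re.match(r"privilege exec level (\d+) (.+)$", line):
            levels[m.group(2)] = int(m.group(1))
        elif m := re.match(r"parser view (\S+)$", line):
            current_view = m.group(1)
            views[current_view] = set()
        elif m := re.match(r"commands exec include (.+)$", line):
            if current_view:
                views[current_view].add(m.group(1))
        elif m := re.match(rf"username {re.escape(user)} privilege (\d+)$", line):
            user_level = int(m.group(1))
        elif m := re.match(rf"username {re.escape(user)} view (\S+)", line):
            user_view = m.group(1)
    if user_view is not None:
        return set(views.get(user_view, set()))
    return {cmd for cmd, lvl in levels.items() if lvl <= user_level}
```

Running allowed_commands(SAMPLE_CONFIG, "limited") shows the level-2 user also inherits every level-1 command, whereas the view user "test" sees exactly the included command and nothing else.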

On Thu, Dec 2, 2010 at 10:30 AM, Marcelo Pinheiro <marcelo_at_academiacisco.com.br> wrote:

> Hi Jack,
>
> Role based CLI will do it for you.
> You need to have AAA enabled.
> Briefly speaking, you need to:
> 1 - enable AAA
> 2 - enter root view mode
> 3 - create a view - specify which commands
> 4 - associate a user with a view
>
> A sample config:
> aaa new-model
> enable view
> (enter secret password)
> conf t
> parser view SupportLevel1
> secret SupLevel1
> commands exec include show ip int br
> exit
> username test view SupportLevel1 sec test
>
> Login with this new user and then
> Router>enable view SupportLevel1
> Password:SupLevel1
> Router#
>
> Please check more info on:
>
>
> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
>
>
> HTH.
>
> Marcelo Pinheiro
>
> On Wed, Dec 1, 2010 at 9:05 PM, Jack Router <pan.router_at_gmail.com> wrote:
>
> > Hello Experts,
> > I have a hard time grasping the concept of privilege levels. For a start, can
> > someone please explain how I can restrict a user to only one command. For
> > example, a specific user can ONLY do "sh ip int brief"?
> > Thanks
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>

Received on Thu Dec 02 2010 - 11:48:34 ART

This archive was generated by hypermail 2.2.0 : Sat Jan 01 2011 - 09:37:49 ART