Hi Adam,
I would concur with you, however, autocommand does not allow a user "to do
only one command". It simply executes the command and then logs out
automatically. It may be a question of how you interpret that. :)
Just a few points: Autocommand with telnet works like a charm without
any further effort. With SSH, you need to authorize the user to perform
what is locally defined (in this case; other cases would need an ACS or
RADIUS server).
Another valid option is to create a menu and associate it with the user
login. :)
Regards,
Marcelo Pinheiro
On Wed, Dec 1, 2010 at 10:48 PM, Adam Booth <adam.booth_at_gmail.com> wrote:
> I guess if you really wanted to only limit the user to performing a single
> command, you could just use the "autocommand" config option on the user
>
> username limited password 0 limited
> username limited autocommand show ip interface brief
>
> However that doesn't really answer your question about using privilege
> levels - at least in my case, I would use priv levels to move a specific
> high priv command down to a user that you don't trust with the full
> enable 15 capability.
>
> For example:
>
> username limited password 0 limited
> username limited privilege 2
> privilege exec level 2 ping
>
> Should mean this guy can do extended pings (a regular user not in enable
> mode is priv 1, and in enable mode typically is at priv 15)
>
> Views seem a good thing though for your specific problem case, so perhaps
> implement what Marcelo put in and include an autocommand for the user to
> "enable view SupportLevel1"
>
> Cheers,
> Adam
>
>
>
> On Thu, Dec 2, 2010 at 10:30 AM, Marcelo Pinheiro <
> marcelo_at_academiacisco.com.br> wrote:
>
>> Hi Jack,
>>
>> Role based CLI will do it for you.
>> You need to have AAA enabled.
>> Briefly speaking, you need to:
>> 1 - enable AAA
>> 2 - enter root view mode
>> 3 - create a view - specify which commands
>> 4 - associate a user with a view
>>
>> A sample config:
>> aaa new-model
>> enable view
>> (enter secret password)
>> conf t
>> parser view SupportLevel1
>> secret SupLevel1
>> commands exec include show ip int br
>> exit
>> username test view SupportLevel1 sec test
>>
>> Login with this new user and then
>> Router>enable view SupportLevel1
>> Password:SupLevel1
>> Router#
>>
>> Please check more info on:
>>
>>
>> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
>>
>>
>> HTH.
>>
>> Marcelo Pinheiro
>> On Wed, Dec 1, 2010 at 9:05 PM, Jack Router <pan.router_at_gmail.com> wrote:
>>
>> > Hello Experts,
>> > I have a hard time grasping the concept of privilege levels. For a start,
>> > can someone please explain how I can restrict a user to only one command.
>> > For example, a specific user can ONLY do "sh ip int brief"?
>> > Thanks
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>>
>>
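The three approaches discussed in this thread (a parser view, a privilege level, and autocommand) put together in one IOS configuration, as an added example rather than configuration posted by anyone above. Hostname R1, view name SupportLevel1, the usernames helpdesk1, pinger and onecmd, and every secret shown are placeholders. The `aaa authorization exec default local` line is there because, as Marcelo notes, a locally defined autocommand is not applied to an SSH session unless exec authorization is in place.

```cisco
! Added example, not from the thread. R1, SupportLevel1, helpdesk1, pinger,
! onecmd and all secrets are placeholders to be replaced.
!
! --- 1. Role-based CLI view: the user may run ONLY "show ip interface brief" ---
aaa new-model
aaa authentication login default local
! Without exec authorization, views and autocommands bound to a local
! username are not honoured on SSH sessions.
aaa authorization exec default local
! "enable view" (the root view) prompts for the enable secret.
enable secret Enable-Secret-Here
!
! Enter the root view from exec before creating views:
!   R1# enable view
!   Password: <Enable-Secret-Here>
!   R1# show parser view          (reports the current view is root)
!   R1# configure terminal
parser view SupportLevel1
 secret View-Secret-Here
 commands exec include show ip interface brief
! Nothing else is included: "configure terminal", "ping", "show running-config"
! and every other exec command are rejected as invalid input inside this view.
! The abbreviated form "sh ip int br" still parses to the included command.
!
username helpdesk1 view SupportLevel1 secret User-Secret-Here
!
! Verification, logged in as helpdesk1:
!   R1> enable view SupportLevel1
!   Password: <View-Secret-Here>
!   R1# show ip interface brief    (allowed)
!   R1# configure terminal         (% Invalid input detected)
!
! --- 2. Privilege level: hand one privileged command to a less trusted user ---
! Note the direction: lowering one command to level 2 does not take the rest
! of level 1 away. "show ip interface brief" is already a level-1 command, so
! privilege levels cannot by themselves answer "only this one command";
! the view in section 1 does.
username pinger privilege 2 secret User2-Secret-Here
privilege exec level 2 ping
!
! --- 3. autocommand: run one command, then the session is closed ---
username onecmd secret User3-Secret-Here
username onecmd autocommand show ip interface brief
```

Check the view from the root view with `show parser view all`; a user inside a view sees only their own view with `show parser view`. If the view is later extended, `commands exec include-exclusive` is the variant that makes a command available in this view and removes it from every other non-root view.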
Received on Wed Dec 01 2010 - 23:25:11 ART
This archive was generated by hypermail 2.2.0 : Sat Jan 01 2011 - 09:37:49 ART