Re: Privilege levels

From: Marcelo Pinheiro <marcelo_at_academiacisco.com.br>
Date: Thu, 2 Dec 2010 00:13:54 -0300

Hi Jack,

Autocommand does work with AAA. You need to authorize this command: :)
conf t
aaa authorization exec default local

HTH.

Marcelo Pinheiro
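For readers following the thread, here is the complete local-AAA configuration the two replies add up to, as an added example that is not from any poster in the thread. It assumes a single "SupportLevel1" view limited to a couple of show/ping commands, a local user named "support", and that the enable secret and view/user secrets are replaced with real values; the behaviour that exec authorization against the local database drops the user straight into the view at login is assumed from the IOS Role-Based CLI Access feature and should be verified with "show parser view" after logging in.

```cisco
! Added example (not from the thread): local AAA plus a restricted view.
! Placeholders in angle brackets are assumptions; replace them before use.
aaa new-model
aaa authentication login default local
! Exec authorization is the piece the thread was missing: without it the
! user lands in level 1 instead of being placed in the view at login.
aaa authorization exec default local
!
! Views require an enable secret; it is also the password for "enable view".
enable secret <root-secret>
!
! Create the view from the root view: "enable view", then "conf t".
parser view SupportLevel1
 secret <view-secret>
 commands exec include show ip interface brief
 commands exec include ping
!
! Bind the local user to the view; secrets are stored hashed, not cleartext.
username support view SupportLevel1 secret <user-secret>
!
line vty 0 4
 transport input ssh
```

After logging in as the "support" user over SSH, "show parser view" should report SupportLevel1 as the current view and "?" should list only the included commands; if the prompt instead shows a plain level-1 exec, check that "aaa authorization exec default local" is present.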

On Thu, Dec 2, 2010 at 12:05 AM, Jack Router <pan.router_at_gmail.com> wrote:

> Thanks guys for your answers. However after some tests it still does not
> work as I would like.
>
> 1. Privilege levels
> Playing with privilege levels will not limit a user to specific commands.
> I can allow user to execute additional commands above what is already
> allowed by default. For example the command
> # username test privilege 2 password 0 test
> will allow user to do some commands like ping, trace, show ip, but NOT "show
> startup-config"
> I can then add this command with:
> # privilege exec level 2 show startup-config
>
> 2. aaa new model and views
> Users will have to first log into router and they will land into Level 1.
> They will be allowed all Level 1 commands that I would like not to give
> them.
> Users will have to type "enable view SupportLevel1" after logon.
> "Autocommand enable view xyz" would solve the problem but autocommand does
> not work when aaa new-model is applied on the router.
>
> Can you please confirm/correct the above statements ?
>
>
> On 1 December 2010 21:25, Marcelo Pinheiro <marcelo_at_academiacisco.com.br>wrote:
>
>> Hi Adam,
>>
>> I would concur with you, however, autocommand does not allow a user "to do
>> only one command". It simply executes the command and then logs out
>> automatically. It may be a question of how you interpret that. :)
>> Just a few points: Autocommand with telnet works like a charm without
>> any further effort. With SSH, you need to authorize the user to perform
>> what is locally defined (in this case. Other cases would need an ACS or
>> RADIUS server).
>> Another valid option is to create a menu and associate it with the user
>> login. :)
>>
>> Regards,
>>
>> Marcelo Pinheiro
>>
>>
>> On Wed, Dec 1, 2010 at 10:48 PM, Adam Booth <adam.booth_at_gmail.com> wrote:
>>
>>> I guess if you really wanted to only limit the user to performing a
>>> single command, you could just use the "autocommand" config option on the
>>> user
>>>
>>> username limited password 0 limited
>>> username limited autocommand show ip interface brief
>>>
>>> However that doesn't really answer your question about using privilege
>>> levels - at least in my case, I would use priv levels to move a specific
>>> high priv command down to a user that you don't trust in having all of
>>> enable 15 capability given to them.
>>>
>>> for example:
>>>
>>> username limited password 0 limited
>>> username limited privilege 2
>>> privilege exec level 2 ping
>>>
>>> Should mean this guy can do extended pings (a regular user not in enable
>>> mode is priv 1, and in enable mode typically is at priv 15)
>>>
>>> Views seem a good thing though for your specific problem case, so perhaps
>>> implement what Marcelo put in and include an autocommand for the user to
>>> "enable view SupportLevel1"
>>>
>>> Cheers,
>>> Adam
>>>
>>>
>>>
>>> On Thu, Dec 2, 2010 at 10:30 AM, Marcelo Pinheiro <marcelo_at_academiacisco.com.br> wrote:
>>>
>>>> Hi Jack,
>>>>
>>>> Role based CLI will do it for you.
>>>> You need to have AAA enabled.
>>>> Briefly speaking, you need to:
>>>> 1 - enable AAA
>>>> 2 - enter root view mode
>>>> 3 - create a view - specify which commands
>>>> 4 - associate a user with a view
>>>>
>>>> A sample config:
>>>> aaa new-model
>>>> enable view
>>>> (enter secret password)
>>>> conf t
>>>> parser view SupportLevel1
>>>> secret SupLevel1
>>>> commands exec include show ip int br
>>>> exit
>>>> username test view SupportLevel1 sec test
>>>>
>>>> Login with this new user and then
>>>> Router>enable view SupportLevel1
>>>> Password:SupLevel1
>>>> Router#
>>>>
>>>> Please check more info on:
>>>>
>>>>
>>>> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
>>>>
>>>>
>>>> HTH.
>>>>
>>>> Marcelo Pinheiro
>>>> On Wed, Dec 1, 2010 at 9:05 PM, Jack Router <pan.router_at_gmail.com> wrote:
>>>>
>>>> > Hello Experts,
>>>> > I have hard time grasping the concept of privilege levels. For start, can
>>>> > someone please explain how I can restrict a user to only one command. For
>>>> > example specific user can ONLY do "sh ip int brief" ?
>>>> > Thanks
>>>> >
>>>> >
>>>> > Blogs and organic groups at http://www.ccie.net
>>>> >
>>>> > _______________________________________________________________________
>>>> > Subscription information may be found at:
>>>> > http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>>

Received on Thu Dec 02 2010 - 00:13:54 ART

This archive was generated by hypermail 2.2.0 : Sat Jan 01 2011 - 09:37:49 ART