Thanks guys for your answers. However after some tests it still does not work
as I would like.
1. Privilege levels
Playing with privilege levels will not limit a user to specific commands. I
can allow user to execute additional commands above what is already allowed
by default. For example the command
# username test privilege 2 password 0 test
will allow user to do some commands like ping, trace, show ip, but NOT "show
startup-config"
I can then add this command with:
# privilege exec level 2 show startup-config
2. aaa new model and views
Users will have to first log into router and they will land into Level 1.
They will be allowed all Level 1 commands that I would like not to give
them.
Users will have to type "enable view SupportLevel1" after logon.
"Autocommand enable view xyz" would solve the problem but autocommand does
not work when aaa new-model is applied on the router.
Can you please confirm/correct the above statements?
On 1 December 2010 21:25, Marcelo Pinheiro <marcelo_at_academiacisco.com.br>wrote:
> Hi Adam,
>
> I would concur with you, however, autocommand does not allow a user "to do
> only one command". It simply executes the command and then logs out
> automatically. It may be a question of how you interpret that. :)
> Just a few points: Autocommand with telnet works like a charm without
> any further effort. With SSH, you need to authorize the user to perform
> what is locally defined (in this case. Other cases would need an ACS or
> RADIUS server).
> Another valid option is to create a menu and associate it with the user
> login. :)
>
> Regards,
>
> Marcelo Pinheiro
>
>
> On Wed, Dec 1, 2010 at 10:48 PM, Adam Booth <adam.booth_at_gmail.com> wrote:
>
>> I guess if you really wanted to only limit the user to performing a single
>> command, you could just use the "autocommand" config option on the user
>>
>> username limited password 0 limited
>> username limited autocommand show ip interface brief
>>
>> However that doesn't really answer your question about using privilege
>> levels - at least in my case, I would use priv levels to move a specific
>> high priv command down to a user that you don't trust in having all of
>> enable 15 capability given to them.
>>
>> for example:
>>
>> username limited password 0 limited
>> username limited privilege 2
>> privilege exec level 2 ping
>>
>> Should mean this guy can do extended pings (a regular user not in enable
>> mode is priv 1, and in enable mode typically is at priv 15)
>>
>> Views seem a good thing though for your specific problem case, so perhaps
>> implement what Marcelo put in and include an autocommand for the user to
>> "enable view SupportLevel1"
>>
>> Cheers,
>> Adam
>>
>>
>>
>> On Thu, Dec 2, 2010 at 10:30 AM, Marcelo Pinheiro <
>> marcelo_at_academiacisco.com.br> wrote:
>>
>>> Hi Jack,
>>>
>>> Role based CLI will do it for you.
>>> You need to have AAA enabled.
>>> Briefly speaking, you need to:
>>> 1 - enable AAA
>>> 2 - enter root view mode
>>> 3 - create a view - specify which commands
>>> 4 - associate a user with a view
>>>
>>> A sample config:
>>> aaa new-model
>>> enable view
>>> (enter secret password)
>>> conf t
>>> parser view SupportLevel1
>>> secret SupLevel1
>>> commands exec include show ip int br
>>> exit
>>> username test view SupportLevel1 sec test
>>>
>>> Login with this new user and then
>>> Router>enable view SupportLevel1
>>> Password:SupLevel1
>>> Router#
>>>
>>> Please check more info on:
>>>
>>>
>>> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
>>>
>>>
>>> HTH.
>>>
>>> Marcelo Pinheiro
>>> On Wed, Dec 1, 2010 at 9:05 PM, Jack Router <pan.router_at_gmail.com>
>>> wrote:
>>>
>>> > Hello Experts,
>>> > I have hard time grasping the concept of privilege levels. For start, can
>>> > someone please explain how I can restrict a user to only one command. For
>>> > example specific user can ONLY do "sh ip int brief" ?
>>> > Thanks
>>> >
>>> >
>>> > Blogs and organic groups at http://www.ccie.net
>>> >
>>> > _______________________________________________________________________
>>> > Subscription information may be found at:
>>> > http://www.groupstudy.com/list/CCIELab.html
>>>
>>>
Received on Wed Dec 01 2010 - 22:05:54 ART
This archive was generated by hypermail 2.2.0 : Sat Jan 01 2011 - 09:37:49 ART
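Added example, not code from any message in this thread: a small audit script that parses a constructed IOS running-config excerpt and reports each user's privilege level, bound view and autocommand, the commands each view includes, and the commands moved down to each exec level, flagging a user bound to a view when `aaa new-model` is absent (Marcelo notes views need AAA enabled). The usernames, view name and `<hash>` placeholders are all constructed.

```python
from collections import defaultdict

# Constructed running-config excerpt (not from the thread); <hash> is a placeholder.
SAMPLE_CONFIG = """\
aaa new-model
username test privilege 2 secret 5 <hash>
username limited autocommand show ip interface brief
username helpdesk view SupportLevel1 secret 5 <hash>
privilege exec level 2 show startup-config
parser view SupportLevel1
 secret 5 <hash>
 commands exec include show ip interface brief
"""

def parse_config(text):
    """Collect users, commands moved to each level, view contents and AAA state."""
    users = defaultdict(lambda: {"privilege": 1, "view": None, "autocommand": None})
    levels, views, aaa, view = defaultdict(list), defaultdict(list), False, None
    for line in text.splitlines():
        if not line.startswith(" "):
            view = None  # an unindented line ends the parser-view stanza
        p = line.split()
        if line == "aaa new-model":
            aaa = True
        elif p[:1] == ["username"]:  # several lines may extend the same user
            u = users[p[1]]
            if "privilege" in p:
                u["privilege"] = int(p[p.index("privilege") + 1])
            if "view" in p:
                u["view"] = p[p.index("view") + 1]
            if "autocommand" in p:
                u["autocommand"] = " ".join(p[p.index("autocommand") + 1:])
        elif p[:3] == ["privilege", "exec", "level"]:
            levels[int(p[3])].append(" ".join(p[4:]))
        elif p[:2] == ["parser", "view"]:
            view = p[2]
        elif view and p[:3] == ["commands", "exec", "include"]:
            views[view].append(" ".join(p[3:]))
    return {"aaa": aaa, "users": dict(users), "levels": dict(levels), "views": dict(views)}

def audit(cfg):
    """Flag users bound to a view without 'aaa new-model' or to an undefined view."""
    findings = []
    for name, u in cfg["users"].items():
        if u["view"] and not cfg["aaa"]:
            findings.append(f"{name}: view {u['view']} bound but 'aaa new-model' is missing")
        if u["view"] and u["view"] not in cfg["views"]:
            findings.append(f"{name}: view {u['view']} is not defined")
    return findings
```

Run `audit(parse_config(open("running-config").read()))` against a real config dump to list users whose view binding cannot take effect.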