Tom,
The best way (albeit not the easiest) to get this done is via TACACS.  Set up
a TACACS box with the Cisco freeware version (if you are a cheapskate like
myself).  Furthermore, you need to implement AAA authorization on the router
for this to work.  With AAA authorization, you can even restrict users from
seeing the configuration even if he/she has enable privilege.  Here is a
sample of what needs to be configured on the router:

! Turn on the AAA framework (required before any of the aaa commands below)
aaa new-model
! Logins: try TACACS+ first, then the local user database, then the enable password
aaa authentication login default group tacacs+ local enable
! Named list with no authentication, for a line that must never lock you out
aaa authentication login usenone none
! Enable password is checked by TACACS+, falling back to the local enable password
aaa authentication enable default group tacacs+ enable
! Per-command authorization at levels 0 and 15 via TACACS+; "if-authenticated"
! lets an already logged-in user run anything when no server can be reached
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated none
! Accounting: record failed logins, exec sessions and every command entered
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

The TACACS server is where you restrict user access to the router.  For
example, I have a user named "reg".  This user has access to privileged
mode; however, this user can NOT use "show running" to view the
configuration.  The drawback to AAA authorization, at least in the way I
implement it, is that if the router somehow loses connectivity to the
TACACS server, user "reg" can have complete control of the router.
However, in almost all cases, the router is configured with at least 2
TACACS servers for redundancy.  Here is a snip of the login sequence for
user "reg":

User Access Verification

Username: reg
Password:

ACCESS-SERVER>en
Password:
ACCESS-SERVER#conf t
Command authorization failed.

ACCESS-SERVER#

The TACACS server is very powerful and flexible.  However, the Cisco
TACACS freeware doesn't have a lot of documentation, so your learning
curve might be steep.  It took me a while to learn it since my Unix
skills aren't that great to begin with.  But I have to say that this
freeware is rock solid.

Let me know if you have questions.


----- Original Message -----
From: "IT Guy" 
To: 
Sent: Tuesday, November 27, 2001 4:18 AM
Subject: Typical Access Server setting [7:27437]


> Hi guys,
>
> Need your help to set up my Access server.
> I need to set up my Access server router (16 ports) such that two different
> users can get different access rights when accessing the Rack routers
> (different routers) through this Access server.
> For example I want User-A to be given access to only Basic mode and restrict
> him from using enable mode or seeing any configurations in the Access server.
> On the other hand, I want the other user to have full access..
>
> Any idea how to set up this??
>
> Thanks for help
>
> Tom
>
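As an added illustration that is not part of the original post, this is how the server side of the "reg" restriction described above could be expressed in the configuration file read by tac_plus, the Cisco TACACS+ freeware daemon; the shared key, the passwords, the $enab15$ enable user, the "admin" account and the exact deny patterns are assumptions.

```text
# Constructed tac_plus configuration fragment (assumed values throughout).
key = "REPLACE-WITH-SHARED-SECRET"

# Password the router checks for "enable" via "aaa authentication enable ... tacacs+"
user = $enab15$ {
    login = cleartext "REPLACE-WITH-ENABLE-PASSWORD"
}

# "reg": may reach privileged mode, but cannot read the config or enter config mode
user = reg {
    login = cleartext "REPLACE-WITH-REG-PASSWORD"
    service = exec {
        priv-lvl = 15
    }
    # Commands without a cmd block below (ping, traceroute, ...) are allowed.
    default service = permit
    # Patterns are regular expressions matched against the arguments after the
    # command word, evaluated top to bottom; the first match wins, so every deny
    # must appear before "permit .*".
    cmd = show {
        deny running.*
        deny startup.*
        deny tech.*          # "show tech-support" embeds the running config
        permit .*
    }
    cmd = more {
        deny .*              # "more system:running-config" is another way in
    }
    cmd = copy {
        deny .*              # copying the config to tftp/flash would expose it
    }
    cmd = configure {
        deny .*              # this is what makes "conf t" fail in the login snip
    }
    cmd = write {
        deny .*
    }
}

# Second account from the original question: full access to everything
user = admin {
    login = cleartext "REPLACE-WITH-ADMIN-PASSWORD"
    service = exec {
        priv-lvl = 15
    }
    default service = permit
}
```

These rules only apply while the router can reach a TACACS+ server; with the if-authenticated fallback in the router configuration above, a lost connection lets "reg" run any command, so keep the second server the reply recommends.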




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27459&t=27437
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]