RE: priviledge levels [7:53723]

2002-09-20 Thread mike greenberg

With AAA authorization, you can do just about everything (with some
caveats). You can even give a user privilege level 15 and he/she still
cannot go into "configuration t" mode. Here is what you put on the router:

  aaa authorization exec default group tacacs+ if-authenticated
  aaa authorization commands 0 default group tacacs+ if-authenticated
  aaa authorization commands 15 default group tacacs+ if-authenticated
  aaa authorization network default group tacacs+ if-authenticated
Here is what you do in the tac_plus configuration file:

  user = biteme {
      member = regular
      name = "biteme"
      global = des dkdkdd)DSKDs
      expires = "Dec 31 2002"
  }

  group = regular {
      cmd = configure { deny .* }
      cmd = disable { permit .* }
      cmd = telnet { permit .* }
      cmd = debug { permit .* }
  }

"Blair, Philip S" wrote:
I'm quite sure you could accomplish your goals with TACACS and aaa
authorization, is that out of the question?

-Original Message-
From: Adam Hickey [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 12:52 PM
To: [EMAIL PROTECTED]
Subject: priviledge levels [7:53723]


All,

I want to configure a special privilege level for our NOC in all our cisco
devices to basically have all commands except config. Looking at cco, if you
allow sh run at any priv level other than , the user will only be able to see
the commands they can configure which defeats the purpose. Anyone know a way
around this - so the NOC can have say a level 14 access and be able to see the
entire running-config without being able to configure anything?

thx
Adam




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53740&t=53723
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
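As an added illustration (not code from this thread or from tac_plus itself), here is a small Python model of how a tac_plus daemon evaluates command authorization against a group like the "regular" group above. The matching rules are an assumption, simplified from tac_plus behaviour: the first word of the command selects a cmd block, the remaining arguments are tested against that block's permit/deny regexes in order, and an unlisted command is denied unless the group also carries "default service = permit". Note that with only the four cmd blocks shown, anything unlisted, including show running-config, falls through to the default.

```python
import re

# Constructed policy mirroring the posted tac_plus group "regular":
# one entry per "cmd = <name> { ... }" block, rules kept in file order.
POLICY_REGULAR = {
    "configure": [("deny", r".*")],
    "disable": [("permit", r".*")],
    "telnet": [("permit", r".*")],
    "debug": [("permit", r".*")],
}


def authorize(policy, command, default_permit=False):
    """Return True if the IOS command line is permitted by the policy.

    Assumed (simplified) tac_plus semantics:
      - the first word of the command selects the cmd block;
      - the block's permit/deny regexes are tried in order against the
        remaining arguments, and the first match decides;
      - no block for the command -> deny, unless the group has
        "default service = permit" (modelled by default_permit);
      - a block exists but no regex matches -> deny.
    """
    words = command.split()
    if not words:
        return False
    name, args = words[0], " ".join(words[1:])
    rules = policy.get(name)
    if rules is None:
        return default_permit
    for action, pattern in rules:
        if re.match(pattern, args):
            return action == "permit"
    return False


def check_noc_user():
    """Evaluate the commands the thread cares about under group 'regular'."""
    return {
        "configure terminal": authorize(POLICY_REGULAR, "configure terminal"),
        "debug ip packet": authorize(POLICY_REGULAR, "debug ip packet"),
        # Unlisted: denied by default, permitted only with default service = permit.
        "show running-config": authorize(POLICY_REGULAR, "show running-config"),
        "show running-config (default permit)": authorize(
            POLICY_REGULAR, "show running-config", default_permit=True),
    }


if __name__ == "__main__":
    for cmd, allowed in check_noc_user().items():
        print(f"{cmd:40s} -> {'permit' if allowed else 'deny'}")
```

Rule order matters in this model: a block such as `cmd = debug { deny all.* permit .* }` permits every debug except `debug all`, because the deny line is tried first.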



RE: priviledge levels [7:53723]

2002-09-20 Thread Vicuna, Mark

You can do this with TACACS among other things.  Although, working in
ops right now, I would protest with having only read permissions for
production devices ;-)

hth,
Mark.
> -Original Message-
> From: Adam Hickey [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, 21 September 2002 02:52
> To: [EMAIL PROTECTED]
> Subject: priviledge levels [7:53723]
> 
> 
> All,
> 
> I want to configure a special privilege level for our NOC in all our cisco
> devices to basically have all commands except config. Looking at cco, if you
> allow sh run at any priv level other than , the user will only be able to see
> the commands they can configure which defeats the purpose. Anyone know a way
> around this - so the NOC can have say a level 14 access and be able to see the
> entire running-config without being able to configure anything?
> 
> thx
> Adam




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53738&t=53723



RE: priviledge levels [7:53723]

2002-09-20 Thread Ellis, Andrew

You can use cisco secure acs. This allows you to restrict commands per user
or per group attributes. But if not, make a privilege level such as 7 and
put commands for that level to execute. This will keep them from entering a
config command. To test just login via telnet and after going into enable
mode type enable 7 and try the commands. Verify the privilege by show
privilege. You can also make your console port privilege level seven by
typing in privilege level 7 under line con 0.

-Drew

-Original Message-
From: Adam Hickey [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 12:52 PM
To: [EMAIL PROTECTED]
Subject: priviledge levels [7:53723]


All,

I want to configure a special privilege level for our NOC in all our cisco
devices to basically have all commands except config. Looking at cco, if you
allow sh run at any priv level other than , the user will only be able to see
the commands they can configure which defeats the purpose. Anyone know a way
around this - so the NOC can have say a level 14 access and be able to see the
entire running-config without being able to configure anything?

thx
Adam




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53732&t=53723



Re: priviledge levels [7:53723]

2002-09-20 Thread Hamid Ali Asgari

Viewing the Running-Config requires level 15 privilege which allows the user
to change the config.

But try the Startup-Config. You can assign it to any privilege level. If
they are not going to change the config, most of the time the startup-config
and the running are the same.

HTH

Hamid
"Adam Hickey" wrote in message news:[EMAIL PROTECTED]...
> All,
>
> I want to configure a special privilege level for our NOC in all our cisco
> devices to basically have all commands except config. Looking at cco, if you
> allow sh run at any priv level other than , the user will only be able to see
> the commands they can configure which defeats the purpose. Anyone know a way
> around this - so the NOC can have say a level 14 access and be able to see the
> entire running-config without being able to configure anything?
>
> thx
> Adam




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53729&t=53723



RE: priviledge levels [7:53723]

2002-09-20 Thread Blair, Philip S

I'm quite sure you could accomplish your goals with TACACS and aaa
authorization, is that out of the question?

-Original Message-
From: Adam Hickey [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 12:52 PM
To: [EMAIL PROTECTED]
Subject: priviledge levels [7:53723]


All,

I want to configure a special privilege level for our NOC in all our cisco
devices to basically have all commands except config. Looking at cco, if you
allow sh run at any priv level other than , the user will only be able to see
the commands they can configure which defeats the purpose. Anyone know a way
around this - so the NOC can have say a level 14 access and be able to see the
entire running-config without being able to configure anything?

thx
Adam




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53727&t=53723