https://community.cisco.com/t5/network-access-control/read-only-access-to-switches/m-p/2142873#M133438 <HTML><HEAD></HEAD><BODY><P>you need to change the exec privelege level for the commands based on your need</P><P>and then assign the user to the privilege level needed using the command</P><P></P><P>R(config)#username &lt; username&gt; privilege &lt; 0 -15&gt;&nbsp; password <PASSWORD></PASSWORD></P><P></P><P>how to change the priv level of a command</P><P></P><P>R(config)#privilege exec level &lt;0 15 &gt; <COMMAND></COMMAND></P><P></P><P>But this is a headache man.</P><P></P><P>---------------------------------------------------------------------------</P><P>Please make sure to rate correct answers</P></BODY></HTML> Thu, 14 Mar 2013 13:41:01 GMT maldehne 2013-03-14T13:41:01Z https://community.cisco.com/t5/network-access-control/read-only-access-to-switches/m-p/2142868#M133297 <P>Hi,</P><P></P><P>I'm trying to figure out what is the best way to limite access to Cisco switch. I'm using AAA and radius for authentication.</P><P></P><P>My goal is to create a user that will have only "enable" access (all the show commands, etc..). I would like to deny access to "configure terminal" and some other commands like "reload".</P><P></P><P>What is the best way to do that ? I'm reading about privileges and it doesn't seem to be powerful. </P><P></P><P>I read a little about Role-based access and views but before starting to configure and test this, I would like to have your hint on this.</P><P></P><P></P><P>Thank you</P> Wed, 13 Mar 2019 00:41:36 GMT https://community.cisco.com/t5/network-access-control/read-only-access-to-switches/m-p/2142868#M133297 Vinny 2019-03-13T00:41:36Z https://community.cisco.com/t5/network-access-control/read-only-access-to-switches/m-p/2142869#M133319 <HTML><HEAD></HEAD><BODY><P>The best way to do this is with a TACACS+ server where you can utilize "command shells" where certain commands are allowed while others not. Radius does not have this functionality and you can only push a "privilege-level" attribute. Thus, if you want to restrict commands then you will have to define those locally on every switch. </P><P></P><P>Let me know if this makes sense and/or if you have more quesions. </P><P></P><P><EM>Thank you for rating!</EM></P></BODY></HTML> Thu, 14 Mar 2013 04:38:56 GMT https://community.cisco.com/t5/network-access-control/read-only-access-to-switches/m-p/2142869#M133319 nspasov 2013-03-14T04:38:56Z https://community.cisco.com/t5/network-access-control/read-only-access-to-switches/m-p/2142870#M133343 <HTML><HEAD></HEAD><BODY><P>You are saying that I can do it locally on switches, what is the best way for that ?</P><P></P><P>thanks</P></BODY></HTML> Thu, 14 Mar 2013 13:02:33 GMT https://community.cisco.com/t5/network-access-control/read-only-access-to-switches/m-p/2142870#M133343 Vinny 2013-03-14T13:02:33Z https://community.cisco.com/t5/network-access-control/read-only-access-to-switches/m-p/2142871#M133382 <HTML><HEAD></HEAD><BODY><P>You can do that locally but the best to do is through Tacacs+ command authorization sets.</P><P></P><P>Check the following links:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml">http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml</A></P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/partner/products/ps9911/products_configuration_example09186a0080bc8514.shtml">http://www.cisco.com/en/US/partner/products/ps9911/products_configuration_example09186a0080bc8514.shtml</A></P><P></P><P>-------------------------------------------------------------------------</P><P>Please make sure to rate correct answers</P></BODY></HTML> Thu, 14 Mar 2013 13:16:36 GMT https://community.cisco.com/t5/network-access-control/read-only-access-to-switches/m-p/2142871#M133382 maldehne 2013-03-14T13:16:36Z https://community.cisco.com/t5/network-access-control/read-only-access-to-switches/m-p/2142872#M133408 <HTML><HEAD></HEAD><BODY><P>I dont' have a tatacs+ server so I need to do it locally.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 14 Mar 2013 13:19:54 GMT https://community.cisco.com/t5/network-access-control/read-only-access-to-switches/m-p/2142872#M133408 Vinny 2013-03-14T13:19:54Z https://community.cisco.com/t5/network-access-control/read-only-access-to-switches/m-p/2142873#M133438 <HTML><HEAD></HEAD><BODY><P>you need to change the exec privelege level for the commands based on your need</P><P>and then assign the user to the privilege level needed using the command</P><P></P><P>R(config)#username &lt; username&gt; privilege &lt; 0 -15&gt;&nbsp; password <PASSWORD></PASSWORD></P><P></P><P>how to change the priv level of a command</P><P></P><P>R(config)#privilege exec level &lt;0 15 &gt; <COMMAND></COMMAND></P><P></P><P>But this is a headache man.</P><P></P><P>---------------------------------------------------------------------------</P><P>Please make sure to rate correct answers</P></BODY></HTML> Thu, 14 Mar 2013 13:41:01 GMT https://community.cisco.com/t5/network-access-control/read-only-access-to-switches/m-p/2142873#M133438 maldehne 2013-03-14T13:41:01Z