topic Re: Prevent access to config command in Network Access Control

Prevent access to config command

Jonn cos — Mon, 11 Mar 2019 00:46:22 GMT

Hi all experts .

I know its a very common question but pls guide me

i have created a username "Support" and want to allow him full view of running configuration and any show command he runs. But he should'nt be able to enter config mode to prevent him from doing any configuration. I dont want to use role based views, is there any simple aaa command for that ? if not then surely i have to use role based views

Re: Prevent access to config command

Javier Henderson — Sun, 30 Jan 2011 18:31:48 GMT

What version of what operating system are you running (e.g., IOS, NX-OS...)

Re: Prevent access to config command

Jonn cos — Mon, 31 Jan 2011 08:39:22 GMT

Dear Sir,

Sorry i forgot to mention that. I am using the following versions on my hub and branch routers

c180x-adventerprisek9-mz.124-20.T

c1841-advsecurityk9-mz.124-20.T

c3845-advsecurityk9-mz.124-22.T2

Kindly guide me

Re: Prevent access to config command

andamani — Mon, 31 Jan 2011 08:50:53 GMT

hi,

What are you using as authentication server.

you can configure read only access via ACS. the following link describes the same:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario2

Regards,

Anisha

P.S.: please mark this thread as resolved if you feel your query is answered.

Re: Prevent access to config command

Jonn cos — Tue, 01 Feb 2011 04:46:31 GMT

Dear Sir,

I have configured restrictions through ACS. But i am considering the scenario in which link to ACS fails and user needs to login via local account. In that case i want to prevent him from enter config mode.

Kindly guide me

Re: Prevent access to config command

Jatin Katyal — Tue, 01 Feb 2011 05:12:18 GMT

These commands are required on an IOS router or switch in order to implement command authorization through an ACS server:

aaa new-model

aaa authorization config-commands

aaa authorization commands 0 default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

tacacs-server host 1.1.1.1

tacacs-server key cisco123

Now if tacacs goes down and you want user to deny access to config mode. Please try this;

username john privilege 7 password doe

privilege exec level 8 configure terminal

Please make sure that the user privilege should always less then the command privilege in order to restrict it via local database.

Rgds, Jatin

Do rate helpful posts~

Re: Prevent access to config command

Jonn cos — Wed, 02 Feb 2011 05:03:58 GMT

Dear Sir,

Pls let me clear my requirement again.

I want to assign user rights to view complete running configuration, but he should'nt be able enter config mode. I want to configure this on cli. I am using ACS but please forget it for a moment.

If i do this

username support priv 14 secret cisco123

now when i login using above username, i enter directly priv 14. When i type sh run, it gives me authorization failed. Please i want to do the following

I want to restrict access to config term command but should be able to view complete running config

Re: Prevent access to config command

Jatin Katyal — Wed, 02 Feb 2011 09:01:43 GMT

Well, you're talking about LOCAL authorization now in this case you have two options

1.] Either increase the privelege level of the local user to 15

username support priv 15 secret cisco123

2.] Or decrease the privelege level of SH RUN command to 14 like this;

privilege exec level 14 show running

NOTE: SH RUN is a level 15 command.

Rgds, Jation

Do rate helpful posts~

Re: Prevent access to config command

andamani — Wed, 02 Feb 2011 15:19:32 GMT

Hi Jonn,

Hope you are doing good.

The IOS is designed in a manner that there are priv for both the commands and the user.

A command can be executed by a user if the priv level of the command is same or lower than the users priviliedge level.

show running-config is a command of priv level 15. The user created by you has priv level 14.

As the priv level of the user is less than that of the command, the command cannot be executed by that user.Hence the IOS will throw an error of "authorization failed".

If we wish to accomplish your requirement, then there are two options:

1. lower the priv of the command

2. increase the priv of the user.

hope this makes a few things clear.

Regards,

Anisha

- do rate helpful posts.