https://community.cisco.com/t5/network-access-control/aaa-ios-htts-cmd-authorization/m-p/1009411#M401478 <HTML><HEAD></HEAD><BODY><P>Charlie,</P><P>In order to access SDM, we would always need privilege level 15. </P><P></P><P></P><P>Regards,</P><P>~JG</P></BODY></HTML> Sun, 22 Jun 2008 03:01:42 GMT Jagdeep Gambhir 2008-06-22T03:01:42Z https://community.cisco.com/t5/network-access-control/aaa-ios-htts-cmd-authorization/m-p/1009410#M401477 <P>On my ACS SE 4.2 setup I have CMD Authorization set up and it works nice, Service Desk type cmds: show, clear, telnet, traceroute, exit and then another group with full access (all cmds permitted). both user groups have Priv. Levels = 15.</P><P>However, (there is always one) with SDM access via HTTPS it appears that all you need is Priv. Level 15 to run SDM and make any configuration changes.</P><P>With my current setup, a user in the NetDevOper group when Telnet'ed or SSH'ed has access to a few commands, i.e. clear crypto sessions.</P><P>If I change this group from Priv Level 15 to, say 14, then I will have to 'Demote' the Clear command to Priv Level 14 on each device so this group can do simple clear commands.</P><P>My other choice is to disable HTTP access altogether, which is what I am leaning towards. </P><P>Is there another option available?</P> Sun, 10 Mar 2019 22:55:22 GMT https://community.cisco.com/t5/network-access-control/aaa-ios-htts-cmd-authorization/m-p/1009410#M401477 charlie-hall 2019-03-10T22:55:22Z https://community.cisco.com/t5/network-access-control/aaa-ios-htts-cmd-authorization/m-p/1009411#M401478 <HTML><HEAD></HEAD><BODY><P>Charlie,</P><P>In order to access SDM, we would always need privilege level 15. </P><P></P><P></P><P>Regards,</P><P>~JG</P></BODY></HTML> Sun, 22 Jun 2008 03:01:42 GMT https://community.cisco.com/t5/network-access-control/aaa-ios-htts-cmd-authorization/m-p/1009411#M401478 Jagdeep Gambhir 2008-06-22T03:01:42Z https://community.cisco.com/t5/network-access-control/aaa-ios-htts-cmd-authorization/m-p/1009412#M401479 <HTML><HEAD></HEAD><BODY><P>Hi JG,</P><P></P><P>Thanks for your reply.</P><P>Do you know if there is a way to limit user access via HTTP(S) (SDM) so my Service Desk can use it, but cannot make configuration changes?</P><P>It appears to me that the IOS code for HTTP(S) (SDM) access is only checking to see if the user has Priv Level=15 and there is no other varibles being check.</P><P></P><P>If true, I will just disable HTTP(S) SDM access to the routers.</P><P></P><P>Thanks</P><P></P><P>Charlie </P></BODY></HTML> Mon, 23 Jun 2008 14:57:16 GMT https://community.cisco.com/t5/network-access-control/aaa-ios-htts-cmd-authorization/m-p/1009412#M401479 charlie-hall 2008-06-23T14:57:16Z