ACE RBAC changeto vs. "sh run"

p.hruby
Level 1

I have ACE30 in Cat6500 with several contexts configured.

I'd like to restrict a user so that he can access only one context and can enter show commands in that specific context only.

As soon as I enable the "changeto" feature in the Admin context, the user is able to enter "sh run" in all contexts.

My config:

Admin context:

     role PH-Test-role
       rule 11 permit monitor feature changeto

Restricted context:

     role PH-Test-role

Nonrestricted context:

     role PH-Test-role
       rule 1 permit monitor exec
       rule 2 permit monitor probe
       etc.

Only Admin context is configured for management (ssh, telnet) access.

With this configuration the specific user is able to execute "changeto Restricted" and is also able to execute "sh run" in Restricted context.

Is there a way to disable show commands in the Restricted context in this scenario?

Petr
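A small audit script, added here as an example and not part of the original thread, that parses role/rule blocks written in the abbreviated form used in the post above and flags two things a reviewer would want to see at a glance: which roles are granted the changeto feature (and therefore can hop into other contexts) and which roles carry no rules at all. The "context NAME" header lines, the input text and the per-context grouping are my own assumptions for the example; the rule syntax follows the lines quoted in the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shortened "role / rule" form from the post.
# The "context <name>" header before each block is an assumption made
# for this example so rules can be grouped per context.
SAMPLE_CONFIG = """\
context Admin
  role PH-Test-role
    rule 11 permit monitor feature changeto
context Restricted
  role PH-Test-role
context Nonrestricted
  role PH-Test-role
    rule 1 permit monitor exec
    rule 2 permit monitor probe
"""

# (rule number, permit|deny, operation, feature or None)
Rule = Tuple[int, str, str, Optional[str]]

# Accepts both "... monitor feature changeto" and the bare "... monitor exec"
# spelling used in the post.
RULE_RE = re.compile(
    r"^rule (\d+) (permit|deny) (create|modify|debug|monitor)"
    r"(?:\s+(?:feature\s+)?(\S+))?$"
)


def parse_roles(text: str) -> Dict[str, Dict[str, List[Rule]]]:
    """Return {context: {role: [rules]}} from the indented text form."""
    result: Dict[str, Dict[str, List[Rule]]] = {}
    ctx = role = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("context "):
            ctx = line.split(None, 1)[1]
            result.setdefault(ctx, {})
        elif line.startswith("role "):
            if ctx is None:
                raise ValueError("role outside of a context block")
            role = line.split(None, 1)[1]
            result[ctx].setdefault(role, [])
        elif line.startswith("rule "):
            if ctx is None or role is None:
                raise ValueError("rule outside of a role block")
            m = RULE_RE.match(line)
            if not m:
                raise ValueError(f"unparsed rule line: {line!r}")
            num, action, op, feature = m.groups()
            result[ctx][role].append((int(num), action, op, feature))
    return result


def roles_with_changeto(roles: Dict[str, Dict[str, List[Rule]]]) -> List[Tuple[str, str]]:
    """(context, role) pairs holding a permit rule on the changeto feature."""
    hits = []
    for ctx, by_role in roles.items():
        for role, rules in by_role.items():
            if any(a == "permit" and f == "changeto" for _, a, _, f in rules):
                hits.append((ctx, role))
    return hits


def roles_without_rules(roles: Dict[str, Dict[str, List[Rule]]]) -> List[Tuple[str, str]]:
    """(context, role) pairs defined with no rules at all, worth a second look."""
    return [(ctx, role) for ctx, by_role in roles.items()
            for role, rules in by_role.items() if not rules]


if __name__ == "__main__":
    parsed = parse_roles(SAMPLE_CONFIG)
    print("changeto granted:", roles_with_changeto(parsed))
    print("roles with no rules:", roles_without_rules(parsed))
```

Run against the sample it reports the Admin role as the one that can change context and the Restricted role as the one with an empty rule set, which is exactly the pair of facts the question turns on.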



3 Replies

Jorge Bejarano
Level 4

Peter,

Here you have the details of all the existing roles:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/getting/started/guide/rbac.html#wp1029637

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/reference/role.html

Probably something like:

rule deny monitor ...

Although, if you have a user who cannot even run any show command, why would you even create it?

Jorge

Jorge,

rule deny monitor in the restricted context doesn't help.

I forgot to mention that users are created on tacacs+/ACS server and roles are assigned via AV pair for them.

I think that the only way to solve my problem is to create management interface on specific context.

Thanks

Petr

Yes,

Probably you may try to do this by using the ACS features and restricting the tasks the users can/cannot do.

Jorge
