Prevent access to config command

Jonn cos
Level 4

Hi all experts.

I know it's a very common question, but please guide me.

I have created a username "Support" and want to allow him full view of the running configuration and any show command he runs. But he shouldn't be able to enter config mode, to prevent him from doing any configuration. I don't want to use role-based views. Is there any simple aaa command for that? If not, then surely I have to use role-based views.

8 Replies

What version of what operating system are you running (e.g., IOS, NX-OS...)?

Dear Sir,

Sorry, I forgot to mention that. I am using the following versions on my hub and branch routers:

c180x-adventerprisek9-mz.124-20.T

c1841-advsecurityk9-mz.124-20.T

c3845-advsecurityk9-mz.124-22.T2

Kindly guide me

Hi,

What are you using as authentication server?

You can configure read-only access via ACS. The following link describes the same:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario2

Regards,

Anisha

P.S.: please mark this thread as resolved if you feel your query is answered.

Dear Sir,

I have configured restrictions through ACS. But I am considering the scenario in which the link to ACS fails and the user needs to log in via a local account. In that case I want to prevent him from entering config mode.

Kindly guide me

These commands are required on an IOS router or switch in order to implement command authorization through an ACS server:

    aaa new-model
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    tacacs-server host 1.1.1.1
    tacacs-server key cisco123


Now if TACACS goes down and you want to deny the user access to config mode, please try this:

    username john privilege 7 password doe
    privilege exec level 8 configure terminal

Please make sure that the user privilege is always less than the command privilege in order to restrict it via the local database.


Rgds, Jatin



Do rate helpful posts~

~Jatin

Dear Sir,

Please let me clarify my requirement again.

I want to assign the user rights to view the complete running configuration, but he shouldn't be able to enter config mode. I want to configure this on the CLI. I am using ACS, but please forget it for a moment.

If I do this:

    username support priv 14 secret cisco123

Now when I log in using the above username, I enter priv 14 directly. When I type sh run, it gives me "authorization failed". Please, I want to do the following:

I want to restrict access to the config term command, but the user should be able to view the complete running config.

Well, you're talking about LOCAL authorization now; in this case you have two options:

1.] Either increase the privilege level of the local user to 15:

    username support priv 15 secret cisco123

2.] Or decrease the privilege level of the SH RUN command to 14 like this:

    privilege exec level 14 show running

NOTE: SH RUN is a level 15 command.

Rgds, Jatin



Do rate helpful posts~

~Jatin

Hi Jonn,

Hope you are doing good.

The IOS is designed in a manner that there are priv levels for both the commands and the user.

A command can be executed by a user if the priv level of the command is the same as or lower than the user's privilege level.

show running-config is a command of priv level 15. The user created by you has priv level 14.

As the priv level of the user is less than that of the command, the command cannot be executed by that user. Hence the IOS will throw an error of "authorization failed".

If we wish to accomplish your requirement, then there are two options:

1. lower the priv of the command

2. increase the priv of the user.

Hope this makes a few things clear.

Regards,

Anisha

- do rate helpful posts.
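Putting the two halves of the thread together, here is an added IOS configuration example (written for this page, not posted by anyone in the thread) that combines TACACS+ command authorization with a local fallback and the privilege-level approach from Jatin's replies; the server address, key and secrets are placeholders.

```cisco
! Command authorization goes to TACACS+ first and falls back to the local
! database (privilege levels) when the server is unreachable.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 14 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
tacacs-server host 192.0.2.10
tacacs-server key TACACS_KEY_PLACEHOLDER
!
! Local fallback account lands one level below enable (15).
username support privilege 14 secret LOCAL_SECRET_PLACEHOLDER
!
! Lower "show running-config" to level 14 so the support user can read it;
! "configure terminal" keeps its default level 15 and is refused.
privilege exec level 14 show running-config
!
! Keep a distinct enable secret so the level-14 user cannot simply "enable"
! to 15 without knowing it.
enable secret ENABLE_SECRET_PLACEHOLDER
```

Verify the result by logging in as the support user while the TACACS+ server is unreachable: show running-config should succeed and configure terminal should be rejected. On many IOS releases a show running-config lowered below level 15 lists only the lines the user's own level is allowed to configure, so a partial listing points at that filtering rather than at a typo.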