01-30-2011 12:27 AM - edited 03-10-2019 05:46 PM
Hi all experts .
I know it's a very common question but please guide me.
I have created a username "Support" and want to allow him full view of the running configuration and any show command he runs. But he shouldn't be able to enter config mode, to prevent him from doing any configuration. I don't want to use role based views; is there any simple aaa command for that? If not then surely I have to use role based views.
01-30-2011 10:31 AM
What version of what operating system are you running (e.g., IOS, NX-OS...)
01-31-2011 12:39 AM
Dear Sir,
Sorry i forgot to mention that. I am using the following versions on my hub and branch routers
c180x-adventerprisek9-mz.124-20.T
c1841-advsecurityk9-mz.124-20.T
c3845-advsecurityk9-mz.124-22.T2
Kindly guide me
01-31-2011 12:50 AM
hi,
What are you using as authentication server?
you can configure read only access via ACS. the following link describes the same:
Regards,
Anisha
P.S.: please mark this thread as resolved if you feel your query is answered.
01-31-2011 08:46 PM
Dear Sir,
I have configured restrictions through ACS. But I am considering the scenario in which the link to ACS fails and the user needs to log in via a local account. In that case I want to prevent him from entering config mode.
Kindly guide me
01-31-2011 09:12 PM
These commands are required on an IOS router or switch in order to implement command authorization through an ACS server:
aaa new-model
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
tacacs-server host 1.1.1.1
tacacs-server key cisco123
Now, if TACACS goes down and you want to deny the user access to config mode, please try this:
username john privilege 7 password doe
privilege exec level 8 configure terminal
Please make sure that the user privilege is always less than the command privilege in order to restrict it via the local database.
Rgds, Jatin
Do rate helpful posts~
02-01-2011 09:03 PM
Dear Sir,
Please let me clarify my requirement again.
I want to assign the user rights to view the complete running configuration, but he shouldn't be able to enter config mode. I want to configure this on the CLI. I am using ACS, but please forget it for a moment.
If i do this
username support priv 14 secret cisco123
Now when I log in using the above username, I enter directly into priv 14. When I type sh run, it gives me "authorization failed". Please, I want to do the following:
I want to restrict access to the config term command, but the user should be able to view the complete running config.
02-02-2011 01:01 AM
Well, you're talking about LOCAL authorization now; in this case you have two options:
1.] Either increase the privilege level of the local user to 15
username support priv 15 secret cisco123
2.] Or decrease the privilege level of the SH RUN command to 14 like this:
privilege exec level 14 show running
NOTE: SH RUN is a level 15 command.
Rgds, Jatin
Do rate helpful posts~
02-02-2011 07:19 AM
Hi Jonn,
Hope you are doing good.
The IOS is designed in a manner that there are priv levels for both the commands and the user.
A command can be executed by a user if the priv level of the command is the same as or lower than the user's privilege level.
show running-config is a command of priv level 15. The user created by you has priv level 14.
As the priv level of the user is less than that of the command, the command cannot be executed by that user. Hence the IOS will throw an error of "authorization failed".
If we wish to accomplish your requirement, then there are two options:
1. lower the priv of the command
2. increase the priv of the user.
hope this makes a few things clear.
Regards,
Anisha
- do rate helpful posts.
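Putting the two answers above together, here is a worked IOS configuration for the local-fallback case the thread describes: TACACS+ is tried first, and when it is unreachable the local "support" account lands at level 14, where show running-config has been lowered but configure terminal stays at 15. This is an added example, not configuration posted in the thread; the server address 192.0.2.10 and every secret are placeholders.

```cisco
! Added example (not from this thread). Placeholders: 192.0.2.10, <...> secrets.
aaa new-model
! Authenticate and authorize against TACACS+, fall back to the local database
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 14 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
tacacs-server host 192.0.2.10
tacacs-server key <TACACS-KEY-PLACEHOLDER>
!
! Local fallback account: one level below 15, so level-15 commands are out of reach
username support privilege 14 secret <SUPPORT-PASSWORD-PLACEHOLDER>
!
! show running-config is a level-15 command by default; move it down to 14
privilege exec level 14 show running-config
!
! configure terminal is deliberately left at its default level 15, so the
! level-14 user cannot enter config mode when the local database is in use.
! Administrators still reach 15 with "enable 15", which needs the enable secret.
enable secret <ENABLE-SECRET-PLACEHOLDER>
```

To verify, log in as support while TACACS+ is down: show privilege should report level 14, show running-config should succeed, and configure terminal should not be accepted. Check the show running-config output as the support user rather than assuming it is complete, and remember that whatever it does display includes keys and type 7 passwords, so the support account deserves the same password and logging hygiene as a full administrator.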