Read-only access to switches

Vinny
Level 1

Hi,

I'm trying to figure out what is the best way to limit access to a Cisco switch. I'm using AAA and RADIUS for authentication.

My goal is to create a user that will have only "enable" access (all the show commands, etc..). I would like to deny access to "configure terminal" and some other commands like "reload".

What is the best way to do that? I'm reading about privileges and it doesn't seem to be powerful.

I read a little about role-based access and views, but before starting to configure and test this, I would like to have your hint on this.

Thank you

5 Replies

nspasov
Cisco Employee

The best way to do this is with a TACACS+ server, where you can utilize "command shells" in which certain commands are allowed while others are not. RADIUS does not have this functionality; you can only push a "privilege-level" attribute. Thus, if you want to restrict commands, you will have to define those locally on every switch.

Let me know if this makes sense and/or if you have more questions.

Thank you for rating!

Thank you for rating helpful posts!

You are saying that I can do it locally on switches. What is the best way to do that?

thanks

You can do that locally, but the best way to do it is through TACACS+ command authorization sets.

Check the following links:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

http://www.cisco.com/en/US/partner/products/ps9911/products_configuration_example09186a0080bc8514.shtml

-------------------------------------------------------------------------

Please make sure to rate correct answers

I don't have a TACACS+ server, so I need to do it locally.

Thanks

You need to change the exec privilege level for the commands based on your need,

and then assign the user to the privilege level needed using the command:

R(config)# username <username> privilege <0-15> password <password>

How to change the privilege level of a command:

R(config)# privilege exec level <0-15> <command>

But this is a headache man.

---------------------------------------------------------------------------

Please make sure to rate correct answers
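An added example configuration, not taken from this thread or from Cisco's documentation, showing both approaches discussed above: the per-command privilege-level method from the last reply, and the role-based CLI view the original poster asked about. The user name `auditor`, privilege level 7, the view name `READONLY`, and the placeholder secrets are assumptions.

```cisco
! --- Option A: custom privilege level (what the last reply describes) ---
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
! Level 7 inherits everything level 1 can run, plus the commands moved
! down here. Move only what the read-only user really needs; leave
! "configure terminal" and "reload" at their default level 15.
privilege exec level 7 show running-config
privilege exec level 7 show startup-config
privilege exec level 7 show logging
! Local fallback account for when RADIUS is unreachable ("local" above).
! With RADIUS, the server returns the per-user Cisco VSA
! shell:priv-lvl=7 instead; that is the "privilege-level attribute"
! mentioned in the first reply, and it cannot name individual commands.
username auditor privilege 7 secret <AUDITOR-SECRET-PLACEHOLDER>
! Optional: require a separate secret to "enable 7" from a lower level.
enable secret level 7 <LEVEL7-SECRET-PLACEHOLDER>

! --- Option B: role-based CLI view (the "views" the poster mentioned) ---
! Views need aaa new-model and an enable secret; configure them from the
! root view, entered with "enable view" at the exec prompt.
parser view READONLY
 secret <VIEW-SECRET-PLACEHOLDER>
 commands exec include all show
 commands exec include terminal length
 commands exec include exit
! "configure terminal" and "reload" are not included, so they do not
! exist in this view at all rather than merely sitting at a higher level.
username auditor view READONLY secret <AUDITOR-SECRET-PLACEHOLDER>

! --- Verification after logging in as auditor ---
! show privilege      -> should report level 7 (Option A)
! show parser view    -> should report READONLY (Option B)
! configure terminal  -> must be rejected in both cases
! reload              -> must be rejected in both cases
```

Test the fallback path as well: with the RADIUS server unreachable, log in with the local `auditor` account and confirm the same commands are still rejected, since that is the path an attacker who can disrupt RADIUS would exercise.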