Centrally manage privilege level permissions on network device (Cisco)

santoshbajimaya
Level 1

Hello Everyone,

I have recently set up privilege level permissions on my Cisco network switches. The problem is that we have about 15 devices now. So, if we need to edit any permissions for a privilege level, we need to go through all those switches and update them manually. It is time consuming, and if the number of network devices increases in the future, it will be worse.

I want to know: do we have any centrally manageable mechanism with which we can update all the switches for the privilege level permissions at once?

I have a RADIUS server which authenticates our network switches against our AD.

Thank You.

6 Replies

Seb Rupik
VIP Alumni

Hi there,

The answer is yes. Are you using FreeRADIUS? You can push the privilege-level attribute from either AD or FreeRADIUS depending on your configuration:


https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html

https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13860-PRIV.html


cheers,

Seb.

Hello Seb,


Thank you for the reply. I am using an NPS RADIUS server for authentication.

I went through the article you suggested but really did not find the answer I was looking for.

Actually, my concern is that we have configured a privilege level for certain commands in our network switches, the same as in your article, which shows some commands configured for level 7 users.

Now, if you want level 7 users to have access to all the show commands, you would do:

privilege exec all level 7 show

This command has to be executed on all the switches one by one for privilege level 7, manually. Is there a way I can update the command in one place and have it updated on all the switches?

Thank You.

Ah, I see what you are after... in which case use a script.

I wrote the following one for someone's question on this forum:


#!/usr/bin/env python3
import getpass
import csv
import netmiko
import paramiko
from argparse import ArgumentParser

def main():
    parser = ArgumentParser(description='Arguments for running oneLiner.py')
    parser.add_argument('-c', '--csv', required=True, action='store', help='Location of CSV file')
    args = parser.parse_args()

    ssh_username = input("SSH username: ")
    ssh_password = getpass.getpass('SSH Password: ')

    # One row per device; the CSV needs a 'device_ip' header column.
    with open(args.csv, "r") as file:
        reader = csv.DictReader(file)
        for device_row in reader:
            try:
                ssh_session = netmiko.ConnectHandler(device_type='cisco_ios', ip=device_row['device_ip'],
                                                     username=ssh_username, password=ssh_password)

                print("+++++ {0} +++++".format(device_row['device_ip']))
                ssh_session.send_command("terminal length 0")
                # 'privilege exec ...' is a global configuration command, so it has to be
                # sent in config mode; send_config_set enters and leaves config mode for us.
                print(ssh_session.send_config_set(["privilege exec all level 7 show"]))
                ssh_session.send_command("terminal length 30")
                ssh_session.disconnect()

            except (netmiko.ssh_exception.NetMikoTimeoutException,
                    netmiko.ssh_exception.NetMikoAuthenticationException,
                    paramiko.ssh_exception.SSHException) as s_error:
                print(s_error)

if __name__ == "__main__":
    main()

https://github.com/sebrupik/srupik-apic-em-tools/blob/master/frozenPony/src/oneLinerSimple.py


You need to pass it a CSV file in the following format:

device_ip
1.1.1.1
1.1.1.2
1.1.1.3


From the local directory run it with:

# python3 oneLiner.py -c your_ips.csv


It would be easy to extend it to send a block of config commands if you needed to, or to add another column to the CSV file which contained the command you wanted to run on that particular device.

cheers,

Seb.
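Seb's script above runs one fixed command; the extension he mentions (a per-device command column in the CSV) plus a check that the change actually landed is shown in the added example below. It is not Seb's oneLiner script and not a Cisco tool. It sends the commands in configuration mode, because "privilege exec ..." is a global config command, and afterwards reads "show running-config | include privilege" to confirm every line is present before saving. The CSV column names ("device_ip", "commands"), the ";" separator, and the sample CSV and IOS output embedded in it are this example's own constructed choices; netmiko is imported only when a connection is made, so the parsing and checking helpers run offline.

```python
#!/usr/bin/env python3
"""Push privilege-level commands to many IOS devices from a CSV, then verify.

Added example for this thread (not Seb's oneLiner script, not a Cisco tool).
CSV format, ';' separator and sample data are assumptions made here.
"""
import csv
import getpass
import io
from argparse import ArgumentParser

# Constructed sample input in the CSV format this example expects.
SAMPLE_CSV = """device_ip,commands
192.0.2.11,privilege exec all level 7 show
192.0.2.12,privilege exec all level 7 show;privilege exec level 7 ping
"""

# Constructed sample of what IOS echoes back when a config line is rejected.
SAMPLE_REJECTED = """config term
Enter configuration commands, one per line.  End with CNTL/Z.
sw1(config)#privilege exec all level 7 shwo
                                      ^
% Invalid input detected at '^' marker.
sw1(config)#end
"""


def load_jobs(csv_text):
    """Parse CSV text into [(device_ip, [config commands]), ...]."""
    jobs = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmds = [c.strip() for c in row["commands"].split(";") if c.strip()]
        if cmds:
            jobs.append((row["device_ip"].strip(), cmds))
    return jobs


def config_errors(output):
    """Return the IOS error lines ('% ...') found in echoed config output."""
    return [line.strip() for line in output.splitlines()
            if line.strip().startswith("%")]


def missing_lines(commands, running_config):
    """Return the commands that do not appear verbatim in the running config.

    Assumes IOS stores 'privilege ... level N <cmd>' lines as typed; if a
    platform expands them differently, compare against its own format.
    """
    present = {line.strip() for line in running_config.splitlines()}
    return [c for c in commands if c not in present]


def push_to_device(ip, username, password, commands):
    """Apply commands in config mode and verify; returns (errors, missing)."""
    import netmiko  # deferred so the helpers above need no netmiko install
    session = netmiko.ConnectHandler(device_type="cisco_ios", ip=ip,
                                     username=username, password=password)
    try:
        output = session.send_config_set(commands)
        errors = config_errors(output)
        running = session.send_command("show running-config | include privilege")
        missing = missing_lines(commands, running)
        if not errors and not missing:
            session.save_config()  # write memory only after a clean apply
    finally:
        session.disconnect()
    return errors, missing


def main():
    parser = ArgumentParser(description="Push privilege-level commands from a CSV")
    parser.add_argument("-c", "--csv", required=True,
                        help="CSV file with 'device_ip,commands' columns")
    args = parser.parse_args()
    username = input("SSH username: ")
    password = getpass.getpass("SSH password: ")
    with open(args.csv, newline="") as fh:
        jobs = load_jobs(fh.read())
    for ip, commands in jobs:
        print(f"+++++ {ip} +++++")
        try:
            errors, missing = push_to_device(ip, username, password, commands)
        except Exception as exc:  # timeout, authentication failure, SSH error
            print(f"FAILED: {exc}")
            continue
        for err in errors:
            print("device rejected:", err)
        for cmd in missing:
            print("not found in running-config:", cmd)
        if not errors and not missing:
            print("applied and saved")


if __name__ == "__main__":
    main()
```

Run it the same way as the oneLiner script, "python3 push_privileges.py -c your_devices.csv", with one "commands" cell per device. A device whose output contains a "% ..." line, or whose running config is missing one of the requested lines, is reported and left unsaved, so a typo in the CSV shows up per device instead of silently being written to startup-config on all 15 switches.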

Thank you for the information. I believe I forgot to tell you that all my servers are Windows based. I believe the script that you suggested is a Linux script.

It is a Python 3 script, which is portable across a multitude of platforms, including Windows:

https://www.python.org/downloads/windows/


...once you have the runtime installed you will be able to run the script from the command prompt.

If you want to take your Python scripting further I recommend you use a good IDE. I would suggest PyCharm:

https://www.jetbrains.com/pycharm/download/#section=windows


Cheers,

Seb.

Thank you for the information. I will try it and update if it worked.
