10-29-2015 05:46 AM
Dear All,
My query is whether Cisco devices (router, switch, ASA) can be authenticated by two persons' passwords at the same time in order to change any configuration (that is, when read-write access is required). The requirement is that no single user can change the configuration of the devices; two users' authentication must be required to edit the configuration. ACS is already running in my environment, and users are authenticated by ACS.
I just want to know if there is any solution available in the market. Please respond.
11-01-2015 09:13 AM
Hi,
I think yes, you can do it. You need to have 2 SNMPv3 users configured on the device, and both users should be part of the group which has RW access.
Thanks-
Afroz
**Rating Encourages Contributors ****
11-01-2015 08:12 PM
Dear Afroz,
Can you please describe this solution in detail? I didn't get your point.
11-01-2015 08:16 PM
Hi,
Create 2 users like below on the switch:
Switch(config)#snmp-server view myview iso included
Create SNMP v3 Group:
Switch(config)#snmp-server group cisconms v3 auth read myview write myview
Switch(config)#snmp-ser
Switch(config)#snmp-server user
Switch(config)#snmp-server user cisco ?
WORD Group to which the user belongs
Create SNMP user:
Switch(config)#snmp-server user cisco cisconms v3 auth md5 cisco123 priv 3des 123cisco
Switch# sh run | i snmp
snmp-server group cisconms v3 auth read myview write myview
Switch#show snmp user
User name: cisco
Engine ID: 8000000903000021568D2A81
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: 3DES
Group-name: cisconms
Then check if it works. I haven't tested it, but it looks straightforward.
Thanks-
Afroz
**Ratings Encourages Contributors ***
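An added example, not part of the thread and not Cisco tooling: a small Python check over the group/view lines and `show snmp user` fields posted above, flagging settings a reviewer would question before granting SNMPv3 write access (MD5/3DES, a group level that permits unencrypted access, a write view rooted at `iso`, no access list). The function name, the rule set and the sample text are assumptions constructed from the lines in the post.

```python
import re

# Constructed sample: group/view lines and "show snmp user" fields as posted above.
SAMPLE = """\
snmp-server view myview iso included
snmp-server group cisconms v3 auth read myview write myview
User name: cisco
Authentication Protocol: MD5
Privacy Protocol: 3DES
Group-name: cisconms
"""

GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b(.*)$")
VIEW_RE = re.compile(r"^snmp-server view (\S+) (\S+) included$")
WIDE_OIDS = {"iso", "internet"}          # subtrees that expose (nearly) every MIB object
WEAK = {"Authentication": {"MD5"}, "Privacy": {"DES", "3DES"}}  # assumed rule set

def audit_snmpv3(text):
    """Return sorted (object, finding) tuples for weak SNMPv3 settings."""
    lines = [l.strip() for l in text.splitlines()]
    wide_views = {m.group(1) for m in map(VIEW_RE.match, lines)
                  if m and m.group(2) in WIDE_OIDS}
    findings, user = [], None
    for line in lines:
        m = GROUP_RE.match(line)
        if m:
            name, level, rest = m.groups()
            if level != "priv":
                findings.append((name, f"level '{level}' permits unencrypted access"))
            w = re.search(r"\bwrite (\S+)", rest)
            if w and w.group(1) in wide_views:
                findings.append((name, f"write view '{w.group(1)}' spans the MIB tree"))
            if not re.search(r"\baccess \S+", rest):
                findings.append((name, "no access list limits manager addresses"))
        elif line.startswith("User name:"):
            user = line.split(":", 1)[1].strip()
        elif user and " Protocol:" in line:
            kind, proto = (p.strip() for p in line.split(" Protocol:", 1))
            if proto in WEAK.get(kind, ()):
                findings.append((user, f"{kind.lower()} protocol {proto} is weak"))
    return sorted(findings)

if __name__ == "__main__":
    for obj, finding in audit_snmpv3(SAMPLE):
        print(f"{obj}: {finding}")
```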