Segmentation of CLI users populations

droidsam_ · ‎12-21-2012

Hi folks,

I don't know if I writting on the right forum, excuse me for that, but I'll go straight to the point.

I was assigned the task to allocate the CLI commands per user basis, and by now the only options that I seem to found was role-based view and command privilege levels, but I am wondering if there is any other option that you know about.

Let me clarify myself, one of my goals is to create an user, called help-desk or whatever, that connects by an vty line and could only access to some resources of the Cisco devices, like for example, could run a "show running-config" and I would like that the result of it would be the prompt of full configuration without showing , for example, the aaa and usernames config.

Any help or directions would be very appreciated

PD: Sorry if you found some grammatical mistakes, my English is quite basic

And of course, if some further information is needed, I would be pleased of provide it.

Thank you in advance

Marvin Rhoads · ‎12-25-2012

Hi Samuel,

Your English is quite understandable and, yes, this is a good place to ask your question. Welcome.

From the installations that I have seen the command privilege levels approach is most commonly used for this sort of requirement.

It is pretty basic to set it up and described by Cisco in the IOS configuration guide and a few whitepapers on cisco.com. Some of the better illustrations of how to do this are on 3rd party sites. For example:

http://www.techrepublic.com/article/understand-the-levels-of-privilege-in-the-cisco-ios/5659259

http://www.packetu.com/2012/09/06/changing-privilege-levels-for-cisco-ios-commands/

Hope this helps.