Restricting access to specific Catalyst commands

john.parsons
Level 1

Is it possible to restrict access to certain commands on a per-user basis using TACACS+ for AAA? Basically we would like to permit local support staff to move ports between existing VLANs without letting them use any other commands. I have read about restricting commands at different levels, but this appeared to give them access to all 'set' commands, which would not be desirable.

Any information would be much appreciated. Thanks.

3 Replies

r-simpson
Level 3

I don’t think your restrictions can be that granular. You might run it by Cisco. Does anyone else out there have any ideas?

dhirtz
Level 1

I have not implemented the same restrictions on our Catalyst switches as I have with our routers. But with TACACS+ and routers it is very granular. For instance, I can permit a user access to do a show run but deny everything else. If you tried to permit a user to do this with local privilege levels you would end up giving them everything.

bookman
Level 1

I know for sure that if you're using ACS on Unix you can specify, with the attribute "cmd", what a user can do. If you apply the attribute cmd in a user's profile, the default for him/her would be telnet. But before you do that you need to specify the privilege level for the user. You can set a user to privilege level 1 and let him do show ver, copy running-config to tftp, and so on. I think that all these options are available in TACACS+ on W2K, but I can't tell for sure.

That's all. Hope this will help you.

Kostas
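The per-command authorization described in the two replies above (permit "show run" but deny everything else, or permit a single "set vlan" form) is done in two places: the device asks the TACACS+ server for authorization of every command, and the server's user profile answers with a permit/deny list keyed on the command name. The fragment below is an added example, not configuration posted by anyone in this thread or taken from a Cisco or ACS manual. The device side is in IOS router syntax (a CatOS switch has its own set authorization commands setting, not shown here); the server side uses the configuration syntax of the freely available tac_plus daemon, where each cmd block lists regular expressions matched against the command's arguments, first match wins, and a command with no matching cmd block is denied. The addresses, shared secret, usernames and passwords are placeholders.

```text
! ---- IOS device side (constructed example) ----
! Every exec command at privilege 1 and 15, and every configuration-mode
! command, is sent to the TACACS+ server before it runs. Fallback to
! if-authenticated applies only if the server is unreachable.
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key TacacsSharedSecret
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting commands 15 default start-stop group tacacs+

# ---- tac_plus.cfg, server side (constructed example) ----
key = "TacacsSharedSecret"

# Read-only operator: may view and back up the running config, nothing else.
# Any command without a cmd block below is denied.
user = support_ro {
    login = cleartext "ChangeMe1"
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit "running-config"
        deny .*
    }
    cmd = copy {
        permit "running-config tftp.*"
        deny .*
    }
    cmd = exit   { permit .* }
    cmd = logout { permit .* }
}

# Port mover: may assign an existing VLAN to a port and verify it.
# The "deny .*" line stops every other set/show form, so a single
# permitted argument pattern is all the user gets.
user = support_vlan {
    login = cleartext "ChangeMe2"
    service = exec {
        priv-lvl = 15
    }
    cmd = set {
        permit "vlan [0-9]+ [0-9]+/[0-9]+"
        deny .*
    }
    cmd = show {
        permit "vlan"
        permit "port"
        deny .*
    }
    cmd = exit   { permit .* }
    cmd = logout { permit .* }
}
```

Two things to check after deploying this: that `show running-config` works for support_ro but `show version` and `configure terminal` are refused with a "Command authorization failed" message, and that the device keeps the TACACS+ server reachable, since the if-authenticated fallback lets any authenticated user run any command when the server is down.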