
user access

Hi all;


I need your help please; I have 2 groups of admin users to manage my Cisco routers and switches, each group with a different level:

- one of them has full access, privilege 15 (OSPF; BGP; IP addresses...); no problem for this group

- the second one should have less access: he can change the config of some interfaces but not of the WAN interfaces, for example; he should not touch routing protocols...


Any idea how to configure this for the second group?


Regards.

3 REPLIES
Highlighted
Hall of Fame Guru

You can use role-based CLI access.

I don't believe you can differentiate between interfaces once you give the rights to a given view (user level) to do interface level configuration, so your WAN routers may have some limitation in that regard.

Here are a couple of links explaining it in more detail:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

https://www.packetmischief.ca/2015/03/13/role-based-access-control-in-ios/

Highlighted

Thanks for your reply, Marvin;

That is what I found before, so I think that there is no solution to give access to some interfaces only.

Regards

Highlighted

You're welcome.

You could stitch something together externally with some network automation.

Something homegrown like a read-only script in a repository that allows an authenticated lower-privileged operator to execute a pre-defined set of allowed changes. You would use something like an SSH key for authentication between the host running the script and the switch or router.

Higher level of abstraction systems like Tail-F (now Cisco NSO) can also do this as part of their automation and orchestration capabilities.
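
One shape the homegrown approach from the last reply could take, as an added example that is not code from the thread or from Cisco: a validator the wrapper script runs on an operator's requested lines before anything is sent to the device. The interface range, VLAN range and permitted sub-commands are assumptions chosen for illustration.

```python
import re

# Constructed policy for this example: access ports the restricted group may
# touch, and the only interface sub-commands they may send. Names are assumed.
ALLOWED_INTERFACE = re.compile(r"GigabitEthernet1/0/(?:[1-9]|[1-3]\d|4[0-8])")
ALLOWED_SUBCOMMANDS = [
    re.compile(r"(?:no )?shutdown"),
    re.compile(r"description [\w .:/-]{1,80}"),
    re.compile(r"switchport mode access"),
    re.compile(r"switchport access vlan [1-9]\d"),   # VLANs 10-99 only
]


def validate_change(lines):
    """Return (normalised_lines, errors) for operator-submitted config lines.

    Fails closed: full command names only (IOS abbreviations are rejected),
    and any rejected line drops the interface context, so commands after a
    WAN interface or a 'router ...' line are rejected as well.
    Push normalised_lines to the device only when errors is empty.
    """
    accepted, errors, in_allowed_if = [], [], False
    for number, raw in enumerate(lines, 1):
        line = " ".join(raw.split())  # collapses embedded newlines and tabs
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            in_allowed_if = bool(ALLOWED_INTERFACE.fullmatch(line[10:]))
            ok = in_allowed_if
        else:
            ok = in_allowed_if and any(p.fullmatch(line) for p in ALLOWED_SUBCOMMANDS)
            in_allowed_if = ok
        if ok:
            accepted.append(line)
        else:
            errors.append(f"line {number}: not permitted: {line}")
    return accepted, errors


# Constructed sample requests.
GOOD = ["interface GigabitEthernet1/0/12", " description desk 4-12",
        " switchport access vlan 20", " no shutdown"]
BAD = ["interface GigabitEthernet0/0/0", " shutdown", "router ospf 1",
       " network 10.0.0.0 0.255.255.255 area 0"]

if __name__ == "__main__":
    for request in (GOOD, BAD):
        print(validate_change(request))
```

The device account used by the wrapper holds the real privileges, so the operator should authenticate to the wrapper only and have no direct login on the router or switch.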
