07-12-2017 06:52 AM - edited 03-10-2019 12:51 AM
Hi all;
I need your help please; I have 2 groups of admin users to manage my Cisco routers and switches, each group with a different level:
- one of them has full access, privilege 15 (OSPF, BGP, IP addresses...); no problem for this group
- the second one should have less access; they can change the config of some interfaces but not the WAN interfaces, for example, and should not touch the routing protocols...
Any idea how to configure this for the second group?
Regards.
07-12-2017 06:46 PM
You can use role-based cli access.
I don't believe you can differentiate between interfaces once you give the rights to a given view (user level) to do interface-level configuration, so your WAN routers may have some limitation in that regard.
Here are a couple of links explaining it in more detail:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
https://www.packetmischief.ca/2015/03/13/role-based-access-control-in-ios/
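The configuration below is an added example of the role-based CLI (parser view) feature the two links describe; it is not from the original thread or from the linked pages. The view name LAN-OPS, the username lanops, the interface names and the placeholder secrets are constructed for illustration. Marvin's caveat still applies: verify on your own platform whether the interface argument on the `commands configure include interface ...` line is actually enforced, or whether the view lets the operator enter any interface once interface configuration mode is reachable.

```cisco
! Role-based CLI requires AAA and an enable secret for the root view.
aaa new-model
enable secret <ROOT-ENABLE-SECRET>
!
! Enter the root view (prompts for the enable secret), then define the view.
enable view
configure terminal
!
parser view LAN-OPS
 secret <LAN-OPS-VIEW-SECRET>
 ! Exec-mode commands the restricted operator may run
 commands exec include show interfaces
 commands exec include show ip interface brief
 commands exec include configure terminal
 ! Global configuration: only the LAN port (constructed name), not the WAN port
 commands configure include interface GigabitEthernet0/2
 ! Interface-mode commands: description and admin state only,
 ! no "ip address", so addressing stays with the privilege-15 group.
 ! The "no" form has to be included explicitly.
 commands interface include description
 commands interface include shutdown
 commands interface include no shutdown
 ! Nothing from "router ...", "ip route" or route-maps is included,
 ! so routing-protocol commands are rejected inside this view.
exit
!
! Bind the local account to the view. With TACACS+/RADIUS the same
! binding is done by returning the view name in the cli-view-name AV pair.
username lanops view LAN-OPS secret <LAN-OPS-LOGIN-SECRET>
end
!
! Verification: list the views and the commands each one allows.
show parser view
show parser view all
```

After logging in as lanops, the operator lands directly in the LAN-OPS view; typing `?` at each prompt shows only the included commands, which is the quickest way to confirm that the WAN interface and the routing-protocol commands are absent.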
07-13-2017 03:03 AM
Thanks for your reply Marvin;
that is what I found before, so I think that there is no solution to give access to some interfaces only.
Regards
07-13-2017 10:20 AM
You're welcome.
You could stitch something together externally with some network automation.
Something homegrown like a read-only script in a repository that allows an authenticated lower-privileged operator to execute a pre-defined set of allowed changes. You would use something like an SSH key for authentication between the host running the script and the switch or router.
Higher level of abstraction systems like Tail-F (now Cisco NSO) can also do this as part of their automation and orchestration capabilities.