09-17-2013 05:16 AM - edited 03-04-2019 09:03 PM
In order to authorize level 7 users to execute the command clear line tty on a Cisco Router, I configured the following:
Router(config)# privilege exec level 7 clear line tty
but now the “clear line” is enabled with ALL the sub-options. Is it possible to filter and allow only one sub-option (i.e. tty)?
Thanks in advance,
Davide
09-17-2013 05:19 AM
You could put all of your sub options under a higher privilege level...
privilege exec level 8 clear line aux
privilege exec level 8 clear line cons
privilege exec level 8 clear line vty
etc...
HTH,
John
*** Please rate all useful posts ***
09-17-2013 05:31 AM
Hi John,
I've tried the following sequence:
privilege exec level 8 clear line aux
privilege exec level 8 clear line cons
privilege exec level 8 clear line vty
privilege exec level 7 clear line tty
but the “clear line” is still enabled with ALL the sub-options.
I've also tried the reverse sequence:
privilege exec level 7 clear line tty
privilege exec level 8 clear line aux
privilege exec level 8 clear line cons
privilege exec level 8 clear line vty
but now "clear" is no longer enabled for level 7,
Davide
09-17-2013 05:52 AM
Davide,
This is interesting. From what I'm seeing, it's only taking effect on the "clear line" and not any of the sub-options. In fact, when you change the privilege level it changes the level for the main clear. I also tried this using views, and it's the same result. It looks like giving permissions to clear line gives permissions to everything under it. Below is the result from trying to configure it with a view:
R5(config-view)#do sh run | s parser
parser view Line
 secret 5 $1$uqx0$YN3MOzb0yzwrRAlKs9RYU/
 commands exec include clear line
 commands exec include clear
R5(config-view)#commands exec exclude ?
  LINE  Keywords of the command
  all   wild card support
R5(config-view)#commands exec exclude clear line console
% Command present in 'include' mode
As you can see, I was trying to exclude clearing the console line, but it shows that it's included in the view already, but above it shows that it's only including the parent.
Maybe someone else has run into this, but it doesn't look like it's a doable option.
Below is the change that's being made when trying to specify the sub-option. It changes the whole class:
R5(config)#do sh run | i privil
username test privilege 7 view Line password 0 test
privilege exec level 8 clear sampler
privilege exec level 7 clear line
privilege exec level 7 clear
R5(config)#privilege exec level 8 clear line console
R5(config)#do sh run | i privil
privilege exec level 8 clear sampler
privilege exec level 8 clear line
privilege exec level 8 clear
HTH,
John
*** Please rate all useful posts ***
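An added example, not part of any post in this thread: a small Python check that compares the grant an administrator intended with the `privilege` lines the device actually stored, using the `sh run | i privil` output quoted above as sample input. The function names and the BROADER/BLOCKED/MISSING labels are assumptions made for this illustration.

```python
import re

# Matches "privilege <mode> level <n> <command words>" as shown by
# "show running-config | include privilege".
PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+)$")

def parse_privilege_lines(text):
    """Map (mode, command-word tuple) -> level for every privilege line."""
    grants = {}
    for line in text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            grants[(m.group(1), tuple(m.group(3).split()))] = int(m.group(2))
    return grants

def audit(intended, running_text):
    """Compare intended grants with what the device stored.

    intended: list of (mode, level, command string).
    Returns (command, status, stored command, stored level) tuples;
    an empty list means every grant was stored exactly as intended.
    """
    grants = parse_privilege_lines(running_text)
    findings = []
    for mode, level, command in intended:
        words = tuple(command.split())
        if grants.get((mode, words)) == level:
            continue
        # Walk back to the longest stored prefix of the intended command.
        for n in range(len(words) - 1, 0, -1):
            stored = grants.get((mode, words[:n]))
            if stored is not None:
                # A user at `level` can run anything stored at or below it.
                status = "BROADER" if stored <= level else "BLOCKED"
                findings.append((command, status, " ".join(words[:n]), stored))
                break
        else:
            findings.append((command, "MISSING", None, None))
    return findings

# Output lines copied from the thread above (before and after the level 8 change).
BEFORE = """privilege exec level 8 clear sampler
privilege exec level 7 clear line
privilege exec level 7 clear"""
AFTER = """privilege exec level 8 clear sampler
privilege exec level 8 clear line
privilege exec level 8 clear"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit([("exec", 7, "clear line tty")], cfg))
```

BROADER means the stored line is a parent of the intended command, so the level receives every sub-option under it; BLOCKED means the parent sits above the intended level.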
09-17-2013 06:05 AM
Hi John, thanks a lot for your effort in trying to solve the question...
We're waiting for further help...
Davide
09-17-2013 07:13 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
An alternative approach would be to consider AAA with TACACS for granular command control.
09-18-2013 06:32 AM
Hi Joseph, thanks for your suggestion. Unfortunately we have a RADIUS server in our infrastructure, so we have to set this permission locally on the network device.
Davide