
user access to router

imnilesh
Level 1

Hi;

In my enterprise network we have 55 locations, and each location is connected to the data center by an 1800 router. At each location we have an FM engineer to manage the local site.

My problem is that we maintain and manage the router from the data centre, but sometimes we have to give the local FM engineer access to the router.

For this, can we have one user with specific rights to run certain commands on the router? If yes, I want to give the local engineer the following rights to see the router status, i.e.:

sh int s0/0
sh ip account output
sh int bri0/0
sh isdn act

Thanks in advance.

Accepted Solution

jorrala
Level 1

hi,

This configuration may help you:

! Use two different usernames for the two accounts (both shown as xxxx here)
username xxxx privilege 15 password xxxx
username xxxx privilege 5 password xxxx
!
privilege exec level 5 show interfaces
privilege exec level 5 show ip accounting
privilege exec all level 5 show
!
line vty 0 4
 password xxxx
 ! "login local" authenticates against the username database so the per-user
 ! privilege level applies; plain "login" checks only the line password
 login local


4 Replies

thisisshanky
Level 11

Please check how privilege levels work with AAA to make this work.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml

Sankar

PS: please remember to rate posts!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

jarathbu
Level 1

Hello,

This can be done by assigning the commands to specific privilege levels and granting the FM engineer a login with the same privilege level. Additional information can be found here:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00803f3bb7.html

Also, if using an AAA solution, allow for local authentication as a fallback method in case the link is down and you need the FM engineer to have access. Another option would be to have an out-of-band connection (e.g. a modem) to the console of the router, so you can dial in and get the necessary outputs.

Hope this helps.

Regards,

James

Hello,

in addition to James' and Sankar's posts, you could also configure a menu, which is sort of a user-friendly screen with options from which your firewall engineer can choose. In the sample configuration below, the firewall engineer would log on to the router with the following command:

telnet x.x.x.x 3001

where x.x.x.x is the IP address of the router. Only one VTY (Telnet) line is reserved for the firewall engineer, leaving the other 4 VTY lines for you to access. Just make sure that when you try to telnet to the router, you specify another port (e.g. telnet x.x.x.x 3002).

When your firewall engineer logs on to the router with the username FW and the corresponding password, he (or she) will automatically be presented with the menu.

Obviously you will need to tell your engineer to use the correct syntax (port 3001 in this example) when telnetting, in order for the access to work correctly.

username FW password 0 cisco
username FW autocommand menu LOCALSITE
!
menu LOCALSITE title "Menu for FW engineers"
menu LOCALSITE prompt "Choose your selection: "
menu LOCALSITE text 1. Show interface serial0/0
menu LOCALSITE command 1. show interfaces serial0/0
menu LOCALSITE options 1. pause
menu LOCALSITE text 2. Show ip accounting output
menu LOCALSITE command 2. show ip accounting output
menu LOCALSITE options 2. pause
menu LOCALSITE text 3. Show interface bri0/0
menu LOCALSITE command 3. show interfaces bri0/0
menu LOCALSITE options 3. pause
menu LOCALSITE text 4. Show isdn active
menu LOCALSITE command 4. show isdn active
menu LOCALSITE options 4. pause
menu LOCALSITE text 5. Exit
menu LOCALSITE command 5. exit
menu LOCALSITE clear-screen
!
line vty 0
 login local
 rotary 1

Moving commands to a specific privilege level, as mentioned by James, would look like this (again, only one VTY line is reserved for your firewall engineer). In this sample configuration, the commands you specified are moved to the lowest exec level (0). When your firewall engineer telnets to the router with:

telnet x.x.x.x 3001

the engineer would remain in user mode, but be able to execute the commands that have been moved to that exec level:

username FW privilege 0 password cisco
!
privilege exec level 0 show interfaces
privilege exec level 0 show ip accounting
!
line vty 0
 login local
 privilege level 0
 rotary 1

Regards,

Nethelper
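As an added example that is not from any of the posters above, here is a tightened version of the privilege-level approach used in the accepted solution and in Nethelper's second sample: the commands from the question are moved to level 5, the engineer's account is bound to that level, and the VTY lines use local login so the per-user level actually applies. The account names, the placeholder secrets and the choice of level 5 are assumptions; the router is assumed to run IOS with local authentication only.

```cisco
! Weak variant, for contrast: "login" with only a line password never consults
! the username database, so the per-user privilege level is ignored and every
! Telnet user lands at the line default (level 1).
!   username fmeng privilege 5 password cisco
!   line vty 0 4
!    password xxxx
!    login
!
! Hardened variant (placeholder secrets; replace before use).
service password-encryption
!
! Separate accounts: NOC keeps level 15, the site FM engineer gets level 5.
! "secret" stores a hash instead of a reversible type-7 password.
username nocadmin privilege 15 secret NOCADMIN-SECRET-PLACEHOLDER
username fmeng privilege 5 secret FMENG-SECRET-PLACEHOLDER
!
! Move only the commands the question listed to level 5. IOS lowers the parent
! "show" keyword to level 5 as well so these sub-commands are reachable;
! sub-commands not listed here (e.g. "show running-config") keep their default.
! Avoid "privilege exec all level 5 show": it moves the whole show tree,
! not just these commands.
privilege exec level 5 show interfaces
privilege exec level 5 show ip accounting
privilege exec level 5 show isdn active
!
! Only level 15 gets an enable secret; with no "enable secret level 5"
! configured, "enable" from the engineer's session asks for the level-15
! secret, which the engineer does not have.
enable secret ENABLE-SECRET-PLACEHOLDER
!
! All VTYs authenticate against the local user database so the username's
! privilege level is applied at login. Prefer "transport input ssh" once an
! RSA key pair exists on the router.
line vty 0 4
 login local
 exec-timeout 10 0
 transport input telnet
!
! Expected behaviour from the engineer's session:
!   Router#show privilege              -> Current privilege level is 5
!   Router#show interfaces serial0/0   -> allowed
!   Router#configure terminal          -> not available at level 5
```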

