06-22-2011 09:20 AM - edited 03-07-2019 12:56 AM
I have a scenario where some users would the like the ability to change port vlan assignment which I am fine with. However is there a way to limit which ports they can assign or what they can do overall? Or is it all or nothing when allowing users that level of config changes?
06-22-2011 09:27 AM
Hi,
You can define privilege levels for users. You can allow users to use specific commands you want. Just check out these links.
Ref:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml
HTH,
Toshi
06-22-2011 09:30 AM
I read that link already but it didn't make it clear to me. Care to share an example of a local user account only given access to conf t, int gig X and switchport access vlan X?
Found this as well, much more in-depth:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftprienh.html
06-22-2011 10:05 AM
Hi,
Have you tried it? You can do the following command for testing. Let's say users will be assigned to privilege level 5.
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
username username privilege 5 password 0 abcd
!
privilege interface level 5 switchport mode access
privilege interface level 5 switchport access vlan
privilege configure level 5 interface
privilege exec level 5 configure terminal
privilege exec level 5 show running
!
I think they would see types of interfaces. If you want to allow them to check what they have done, "show running" is fine.
HTH,
Toshi
06-22-2011 10:16 AM
I tried it like that but the user is prompted for the enable password after logging in. Obviously I don't want them to have that enable password and would prefer if they were just dropped into the enable prompt after logging in.
However I don't have this statement in my config:
aaa authorization exec default local
06-22-2011 10:19 AM
Hi,
Just try the commands I told you. Did you already have "aaa new-model" configured on it? Please post the current configuration.
Toshi
06-22-2011 10:34 AM
Important parts below, when I login as usera_admin it prompts me for the enable password. Does privilege level matter?
username usera_admin privilege 5 password 7 06170E701E1D5D
aaa new-model
!
!
aaa authentication login default local
!
!
privilege interface level 5 switchport
privilege configure level 5 interface
privilege exec level 5 configure terminal
privilege exec level 5 configure
privilege exec level 5 show vlan
privilege exec level 5 show
!
!
line con 0
line vty 0 4
access-class 10 in
exec-timeout 0 0
transport input ssh
line vty 5 15
!
end
06-22-2011 10:52 AM
Hi,
What do you mean "it prompts me for the enable password"? You should see the output below after logging in.
switch#
switch#show privilege
Current privilege level is 5
Toshi
06-22-2011 11:11 AM
I mean when I login as usera_admin and enter the password I am greeted by the user prompt.
switch> and NOT switch#
So I went ahead and added this line:
aaa authorization exec default local
And that did it.
switch#show privilege
Current privilege level is 5
sw4-data-ann#
Thank you!
06-28-2011 10:29 AM
One more question: if I wanted to specify specific ports, is there a way to do that without doing individual 'interface gi1/0/x, interface gi1/0/x, etc...'?
Thanks
06-28-2011 11:43 AM
Hi Dave,
I think the device won't allow you to be more specific than "privilege configure interface".
HTH,
Toshi