Set up different privileges on router
03-08-2012 05:57 AM - edited 03-07-2019 05:26 AM
Hello,
We have a Cisco 1841 router that requires 2 levels of access. At the moment we have network admins logging in with a single username via SSH and with privilege 15, but we also need our helpdesk to log in to run certain commands but not change anything. Is this possible?
I'm sure if I see an example then it will make some sense.
Regards
Labels: Other Switching
03-08-2012 06:15 AM
There are two ways of doing this:
- with privilege levels, which I find quite difficult to configure and manage,
- with CLI views, which are much more flexible, and allow you to say which individual commands a particular user is allowed to use.
Here is a doc to get you started:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cfg/configuration/12-4t/sec-role-base-cli.html
Kevin Dorrell
Luxembourg
03-08-2012 06:46 AM
Hi,
I've not heard of CLI views before. I did have a go at configuring privileges like below:
privilege configure level 3 interface
privilege exec level 3 show ip interface brief
privilege exec level 3 show ip interface
privilege exec level 3 show ip
privilege exec level 3 show running-config
privilege exec level 3 show
privilege exec level 3 exit
You can see the commands I want the helpdesk to use, is this something a view can do then?
PS I forgot to mention I'm trying to combine this with Windows RADIUS too (Windows 2008).
Thanks
03-08-2012 07:15 AM
Yes, CLI views can do that more or less, but in a different way. Rather than assigning a hierarchical set of privilege levels, where if you have level 3 you have 2 and 1 as well, you define a set of commands that the view profile is allowed. You then attach the username to the view. Each view profile sees only its own available commands; there is no automatic inheritance of commands from the lower levels.
Kevin Dorrell
Luxembourg
03-08-2012 07:50 AM
This does sound good!
I have just been asked whether we can have the usual admin priv 15 on an account, to which I said yes, and then I was asked if this "custom" user can just do "show run" and "shut" and "no shut" on ports?
Thanks
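As an added example (editor's illustration, not posted by anyone in this thread), here is an IOS CLI-view configuration that turns the helpdesk command list from the earlier privilege-level attempt into a view, and also covers the final question: "show run" plus "shut" and "no shut" on ports, while a separate priv 15 account keeps full admin access. The view name HELPDESK, the usernames and every value in angle brackets are placeholders. The RADIUS side (returning the view name from the Windows server) is not shown; this uses local accounts. That "no shutdown" has to be included as its own command line alongside "shutdown" is my reading of the parser view syntax and is worth confirming against the document linked above.

```text
! Added example, not from the original posts. Placeholders are in angle brackets.
! CLI views require AAA; the root view is entered with "enable view" + the enable secret.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
enable secret <ENABLE-SECRET>
!
! Define the restricted view. "include" lists exactly what the view may run;
! nothing is inherited from any other view or privilege level.
parser view HELPDESK
 secret <VIEW-SECRET>
 ! read-only show commands from the helpdesk list
 commands exec include show ip interface brief
 commands exec include all show ip interface
 commands exec include show running-config
 ! path into interface configuration mode ("all" = any interface name)
 commands exec include configure terminal
 commands configure include all interface
 ! the only two actions permitted once inside an interface
 commands interface include shutdown
 commands interface include no shutdown
!
! Bind a local account to the view; admins keep a normal priv 15 account.
username helpdesk view HELPDESK secret <HELPDESK-PASSWORD>
username netadmin privilege 15 secret <ADMIN-PASSWORD>
!
! Checks, run from the root view after "enable view":
!   show parser view HELPDESK     -> lists the commands the view contains
!   enable view HELPDESK          -> switch into the view and try "?" at each
!                                    mode to confirm only the listed commands appear
```

Note that the helpdesk user can enter any interface (because of "all interface") but can only issue shutdown and no shutdown there; every other interface-mode command is rejected by the parser. Log the result of those checks before handing the account out, since a missing "include" line simply hides the command rather than producing a configuration error.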
