VTY restriction

Haval.Darwesh
Level 1

Hello;

Please, I want to disable (reload, erase and copy) from VTY lines; I do not want users to be able to run these commands.

How?

thanks

9 Replies

Luke Oxley
Level 1
[@Haval.Darwesh],

Thanks for your post. You can assign users a privilege level when you create them (assuming that you are using a local user database for authentication). Privilege level 15 gives you access to all commands, whereas privilege level 1 only gives you access to user EXEC commands. An example would be as per the below.
username user1 privilege 1 password Pass123

When this user now logs in to the VTY, they would only be able to use the following command sets.

Router1>?
Exec commands:
  <1-99>           Session number to resume
  access-enable    Create a temporary Access-List entry
  access-profile   Apply user-profile to interface
  clear            Reset functions
  connect          Open a terminal connection
  crypto           Encryption related commands.
  disable          Turn off privileged commands
  disconnect       Disconnect an existing network connection
  enable           Turn on privileged commands
  exit             Exit from the EXEC
  help             Description of the interactive help system
  lock             Lock the terminal
  login            Log in as a particular user
  logout           Exit from the EXEC
  name-connection  Name an existing network connection
  ping             Send echo messages
  rcommand         Run command on remote switch
  release          Release a resource
  renew            Renew a resource
  resume           Resume an active network connection
  set              Set system parameter (not config)
  show             Show running system information
  ssh              Open a secure shell client connection
  systat           Display information about terminal lines
  tclquit          Quit Tool Command Language shell
  telnet           Open a telnet connection
  terminal         Set terminal line parameters
  traceroute       Trace route to destination
  tunnel           Open a tunnel connection
  where            List active connections

I hope that helps.

Luke


Please rate helpful posts and mark correct answers.

Thanks, Luke, for your answer;

I know how privilege works...

Here is my situation: I want to share real switches and routers with my students, but I do not want them to be able to (reload, erase and save configuration); they can access devices using telnet or SSH.

How can I do that?

Hey [@Haval.Darwesh],
I do understand your issue; however, this is the very reason why Cisco created privilege levels, so that different people can have different levels of access to a device.
If you create a user account for your students with privilege level 1, then they will not be able to reload, erase configuration or save configuration. Is this not what you require?
username students privilege 1 password Pass123
Regards,
Luke


Thanks, Luke;

Great answer. I even tried with privilege level 14; at that time users could not do most of the configurations that I need, so privileges are not working for me. I think if there is a way to disable only (reload, erase and copy) from privilege level 15, that is the only way.

thanks

Apologies [@Haval.Darwesh] - I must admit that it is a strange requirement, as typically if you want to restrict access to functions such as reload you would also want to restrict access to configuration commands for security.
Cisco does indeed allow you to define what commands a certain user can run with something called parser view. A basic example of some parser view configuration would be the below.
Router1(config)# aaa new-model
Router1(config)# aaa authorization exec default local
Router1(config)# exit
Router1# enable view
Router1# configure terminal
Router1(config)# parser view STUDENTS
Router1(config-view)# secret Pass123
Router1(config-view)# commands exec include ping
Router1(config-view)# commands exec include traceroute
You may have to tweak this to your requirements, but this should achieve what you're looking for. There is a simple guide explaining how to set it up at the link below.
www.youtube.com/watch?v=jGBreLdwPKI

Thanks,
Luke


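The snippet in the reply above only grants ping and traceroute, which is not what the original poster asked for. As an added example (not from the thread and not Cisco's own sample configuration), the following Role-Based CLI Access configuration builds a view that lets a lab account enter configuration mode and change interfaces, routing and access lists while refusing reload, erase, copy, write and delete, because a parser view is an allow-list and those EXEC commands are simply never included. The hostname, the view name STUDENTS, the account name student, every secret and the chosen command subtrees are placeholders; it assumes a router or switch running an IOS release that supports parser views (12.3(7)T and later) and an administrator who already has privilege 15.

```cisco
! Role-Based CLI Access needs AAA and an enable secret before the root
! view can be entered. The secrets below are placeholders.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
enable secret RootSecret123
!
! Leave configuration mode, enter the root view (IOS prompts for the
! enable secret), then return to configuration mode to define the view.
end
enable view
configure terminal
!
parser view STUDENTS
 secret ViewSecret123
 ! EXEC commands the student may run. Anything not listed here is
 ! refused, so reload, erase, copy, write, delete and tclsh are blocked
 ! without having to name them.
 commands exec include all show
 commands exec include all ping
 commands exec include all traceroute
 commands exec include configure terminal
 ! Configuration subtrees the student may change. "all" covers the
 ! subcommands under each keyword; add or remove subtrees to suit the lab.
 commands configure include hostname
 commands configure include all interface
 commands configure include all router
 commands configure include all ip
 commands configure include all ipv6
 commands configure include all vlan
 commands configure include all access-list
 exit
!
! Bind the lab account to the view. With exec authorization set to local,
! the user lands directly in the view at login rather than in a
! privilege-level EXEC shell.
username student view STUDENTS secret StudentPass123
!
line vty 0 4
 login authentication default
 transport input ssh
```

Two checks are worth doing from a student login before handing the devices over: confirm with `show parser view` that the session is in STUDENTS, and confirm that `do reload` and `do copy running-config startup-config` typed from configuration mode are also refused, since `do` executes EXEC commands and the view's EXEC list must be what governs them. Keep the enable secret and the view secret away from the students: the only way out of the view is to know one of them.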

Thanks for your answer;

I hope this one works for me... I will try it and let you know if it works or not.

Many thanks.

But don't you think there should be some way to do that? Or, if it is not available, it should be added in new Cisco IOS, as I think it is important for admins to be able to restrict or disable some commands.

No problem, hopefully parser view can be tailored to your needs. I do agree that this should be a better developed feature.
Please let me know how you get along.

Thanks,
Luke



Hello Luke;

Really, I have not had enough time to test it till now...

When I check it I will inform you...

Thanks for asking.

regards

Haval

[@Haval.Darwesh],

Have you had a chance to test this as per our conversation? I look forward to hearing back.

Kind regards,
Luke

