09-05-2024 07:46 AM - edited 09-05-2024 07:49 AM
Hello Professionals,
I would like to create one account for my team member with limited access rights.
On the controller, multiple SSIDs have been created, and most of them have L2 security authentication (MAC filtering).
I would like to let the user access AAA-Advanced-Device Authentication so that he can make changes (add/delete new devices' MAC addresses), but not the rest.
I read that privilege level 7 can provide access permission, but could you share some samples?
- privilege exec level 7 'LINE'
Thank you for your time.
09-05-2024 08:04 AM
Have you looked at maybe automating this to make things easy? We ended up doing this, where teams would request to add/update/delete a MAC address and that would need to get approval from the wireless team, then automation would perform the task. This way you don't have to worry about anything else. As far as trying to do what you want, that would just be testing on your part to see what the user can and can't do. Automation would just allow for the add/remove/update and nothing else.
09-05-2024 08:44 AM
Thank you. Can you tell me more about automation? Does it require an integrated tool such as Cisco ISE?
09-05-2024 10:25 AM
No... you can always use some sort of automation like Python to SSH to the controller to make the change, or if you are using ISE with MAC filtering you can do something there with the APIs. It depends on your team and the skillset to build automation, or else the majority of things will need to be a manual change.
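The automation approach described in the replies above, as an added example (not code from the thread's participants): a request gate that can only ever render an add or delete for one validated MAC address, with the resulting lines handed to whatever SSH client the team uses. The request field names are hypothetical, and the `username <mac> mac` syntax is an assumption to verify against your controller release.

```python
import re

# Assumption: local MAC filter entries are managed with "username <mac> mac"
# and removed with the "no" form; confirm the syntax on your controller release.
TEMPLATES = {"add": "username {mac} mac", "delete": "no username {mac} mac"}
MAC_RE = re.compile(r"[0-9a-f]{12}")

class RequestRejected(ValueError):
    """Raised when a request must not reach the controller."""

def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or raise RequestRejected."""
    if not isinstance(raw, str):
        raise RequestRejected("mac must be a string")
    compact = re.sub(r"[-:.]", "", raw.strip().lower())
    # fullmatch: embedded newlines or extra words can never pass as a MAC,
    # so a request cannot smuggle a second CLI command into the session.
    if not MAC_RE.fullmatch(compact):
        raise RequestRejected("not a MAC address")
    if int(compact[:2], 16) & 1:
        raise RequestRejected("multicast/broadcast address is not a client MAC")
    return compact

def render_change(request):
    """Map one approved request (hypothetical dict fields) to config lines."""
    if not request.get("approved_by"):
        raise RequestRejected("missing wireless-team approval")
    template = TEMPLATES.get(request.get("action"))
    if template is None:
        raise RequestRejected("only add/delete are permitted")
    return ["configure terminal", template.format(mac=normalize_mac(request.get("mac"))), "end"]

def process(requests):
    """Split a batch into (commands to send, rejection reasons)."""
    accepted, rejected = [], []
    for req in requests:
        try:
            accepted.append(render_change(req))
        except RequestRejected as exc:
            rejected.append((req, str(exc)))
    return accepted, rejected

# Constructed sample requests, not taken from the thread.
SAMPLE = [
    {"action": "add", "mac": "AA:BB:CC:DD:EE:F0", "approved_by": "wireless-team"},
    {"action": "add", "mac": "aabb.ccdd.eef0\nhostname changed", "approved_by": "wireless-team"},
    {"action": "delete", "mac": "aa-bb-cc-dd-ee-f0", "approved_by": None},
]
```

Because the service account behind the automation is the only identity that logs in to the controller, the team member never needs a CLI or GUI login at all.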
09-05-2024 08:09 AM
If you have ISE TACACS+, then it is easy to limit the commands the user can use.
Using privilege, believe me, is a bad idea.
MHM