Re: User admin account privilege with conditions

eeebbunee · ‎09-05-2024

Hello Professionals,

I would like to create one account for my team member with limited access rights.
On the controller, multiple SSIDs has been created and most of them are having L2 security authentication (mac filtering).

I would like to let user can access AAA-Advanced-Device Authentication so that he can make changes (add/delete) new device's mac address but rest of them, don't.

I read the Privilege level 7 can provide access permission, but could you share the samples?

- privilege exec level 7 'LINE'

Thank you for your time.

Scott Fella · ‎09-05-2024

Have you looked at maybe automating this to make things easy? We ended up doing this where teams would request to add/update/delete mac address and that would need to get approval from the wireless team, then automation would perform the task. This way you don't have to worry about anything else. As far as trying to do what you want, that would just be testing on your part and see what the user can and can't do. Automation, would just allow for the add/remove/update and nothing else.

-Scott
*** Please rate helpful posts ***

eeebbunee · ‎09-05-2024

Thank you, Can you tell me more about automation? Is it required integrated tool such as Cisco ISE?

Scott Fella · ‎09-05-2024

No.... you can always use some sort of automation like Python to ssh to the controller to make the change or if you are using ISE with mac-filtering you can do something there with the API's. It depends on your team and the skillset to build automation or else majority of things will need to be a manual change.

-Scott
*** Please rate helpful posts ***

MHM Cisco World · ‎09-05-2024

If you have ISE tacacs' then it easy to limit command the user can use.

Using privilege believe me is bad idea

MHM