07-19-2007 03:37 AM - edited 03-09-2019 06:25 PM
I have an admin user located at a remote site that will be connecting to my networks via VPN. He requires only read access to my switches, routers & firewall. Currently we connect to the devices on the network after authentication using AAA. I have a Windows 2003 Server running IAS Radius (Standard) that provides AAA.
How can I restrict his access once connected to the devices to read-only.
07-19-2007 05:03 AM
You can put him in non-privileged mode (level 1) without giving him the enable password. That will make sure he can't change anything, but he can use some show commands and run ping and traceroute.
If he needs any exec access beyond that, for example to enter debug commands, you can assign him to a different privilege level (2-14) with RADIUS, and then move the commands that he will use to that level using the privilege command.
07-19-2007 07:21 AM
How do I assign his privilege level using the Microsoft IAS RADIUS server?
Once it's done on the server, I assume that I don't have to define his privilege level on the devices!
07-19-2007 07:37 AM
You need to add a vendor-specific attribute to the user profile: "shell:priv-lvl=1"
(substitute 1 to whatever level you want to grant the user)
But I have no clue how to do that, check the IAS docs.
If you are ok with the non-privileged mode (level 1) access you do not have to define anything on the devices, but if you want to grant access to commands above privilege level 1 you have to define a new privilege level and add some commands to it.
IOS only has levels 1 and 15 preconfigured.
07-23-2007 02:54 AM
The string you specified was the correct one.
On Windows IAS Server, I did it as follows:
1. Created a new Remote Access Policy
2. To it I added the relevant group
3. Selected: Grant remote access permission
4. Go to: Edit profile
5. Advanced Tab, add: Cisco-AV-Pair, with the value:
shell:priv-lvl=10
or whatever value is required
Then on the Cisco devices:
#aaa authorization exec default group
#username
#privilege exec level 10 show startup-config
This of course assumes you have the other AAA configuration in place.
It worked for me.
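For anyone who wants to confirm what IAS actually puts on the wire for that Cisco-AV-Pair, here is an added example (not from this thread, not Cisco's or Microsoft's code) that builds and parses the RADIUS vendor-specific attribute carrying shell:priv-lvl=N. It follows the RFC 2865 vendor-specific layout (type 26, length, vendor id 9 for Cisco, then the vendor sub-attribute type 1 for Cisco-AV-Pair). The sample reply attributes, the function names and the Service-Type attribute it tacks on in front are all constructed for the example; it is useful for checking a packet capture of the Access-Accept, or the decoded attribute in a debug radius trace, to see that the level the device received is the one the policy was meant to grant.

```python
"""Build and parse the RADIUS Cisco vendor-specific attribute (VSA) that
carries 'shell:priv-lvl=N', as IAS sends it (Cisco-AV-Pair) to an IOS device.
Layout per RFC 2865 section 5.26: Type 26, Length, Vendor-Id, then the
vendor sub-attribute (vendor-type, vendor-length, value)."""
import struct
from typing import List, Optional

RADIUS_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1        # Cisco-AV-Pair vendor sub-attribute type


def build_priv_lvl_vsa(level: int) -> bytes:
    """Return the wire bytes of a Cisco-AV-Pair VSA carrying shell:priv-lvl=<level>."""
    if not 0 <= level <= 15:
        raise ValueError("IOS privilege levels are 0-15")
    value = f"shell:priv-lvl={level}".encode("ascii")
    # vendor sub-attribute: vendor-type(1) vendor-length(1) value
    sub = struct.pack("BB", CISCO_AVPAIR_TYPE, 2 + len(value)) + value
    # outer attribute: type(1) length(1) vendor-id(4) sub-attribute
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(sub), CISCO_VENDOR_ID) + sub


def parse_cisco_avpairs(attrs: bytes) -> List[str]:
    """Walk a RADIUS attribute list and return every Cisco-AV-Pair string in it.
    Other attributes and non-Cisco VSAs are skipped; bad length fields raise."""
    pairs = []
    offset = 0
    while offset < len(attrs):
        if offset + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[offset], attrs[offset + 1]
        if alen < 2 or offset + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[offset + 2:offset + alen]
        if atype == RADIUS_VENDOR_SPECIFIC and len(body) >= 4:
            vendor_id = struct.unpack("!I", body[:4])[0]
            if vendor_id == CISCO_VENDOR_ID:
                sub = body[4:]
                soff = 0
                while soff + 2 <= len(sub):
                    stype, slen = sub[soff], sub[soff + 1]
                    if slen < 2 or soff + slen > len(sub):
                        raise ValueError("bad vendor sub-attribute length")
                    if stype == CISCO_AVPAIR_TYPE:
                        pairs.append(sub[soff + 2:soff + slen].decode("ascii"))
                    soff += slen
        offset += alen
    return pairs


def priv_lvl_from_avpairs(pairs: List[str]) -> Optional[int]:
    """Return the privilege level asserted by shell:priv-lvl, or None if absent."""
    for pair in pairs:
        key, sep, val = pair.partition("=")
        if sep and key.strip() == "shell:priv-lvl":
            return int(val.strip())
    return None


if __name__ == "__main__":
    # Constructed sample Access-Accept attributes: Service-Type=NAS-Prompt
    # (type 6, value 7) followed by the level-10 AV-pair from the thread.
    service_type = struct.pack("!BBI", 6, 6, 7)
    reply_attrs = service_type + build_priv_lvl_vsa(10)
    print(reply_attrs.hex())
    print(parse_cisco_avpairs(reply_attrs))
    print(priv_lvl_from_avpairs(parse_cisco_avpairs(reply_attrs)))
```

Note that the device only honours the attribute if exec authorization is actually pointed at the RADIUS group, as in the aaa authorization exec line above; with no matching AV-pair the user lands at whatever the local default is, so checking the decoded level is a quick way to tell a policy problem from a device-side one.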