Privilege levels on switch

Oct 28th, 2007

I am trying to lock down my switches for my junior network engineers and have run into a problem for my sites without Radius/Tacacs.


I would like to set a privilege level that only allows admins to configure interfaces, ip access list, and show commands.


With ACS I set the commands I allow per user, but with no ACS it seems I must enter lots of extra lines.


i.e. (on a 3750, c3750-advipservicesk9-mz.122-25.SEE1.bin)


privilege configure level 5 interface
privilege exec level 5 configure


I would expect this to allow me as a level 5 user to go to config mode and then perform any interface command.


instead:


SwitchB-3750#sho priv
Current privilege level is 5
SwitchB-3750#config t
^
% Invalid input detected at '^' marker.

SwitchB-3750#config
Configuring from terminal, memory, or network [terminal]? t
Enter configuration commands, one per line. End with CNTL/Z.
SwitchB-3750(config)#interface fa1/0/1
SwitchB-3750(config-if)#?
Interface configuration commands:
  default  Set a command to its defaults
  exit     Exit from interface configuration mode
  help     Description of the interactive help system
  no       Negate a command or set its defaults

SwitchB-3750(config-if)#



If I then enter:


SwitchB-3750(config)#privilege interface level 5 i


I can then do anything with an "i":


SwitchB-3750(config-if)#?
Interface configuration commands:
  default  Set a command to its defaults
  exit     Exit from interface configuration mode
  help     Description of the interactive help system
  ip       Interface Internet Protocol config commands
  no       Negate a command or set its defaults


I want them to be able to do anything. Am I missing a critical part?


Thank you,


Brant Hale



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
branthale Tue, 10/30/2007 - 11:36
User Badges:

Ok, just to make sure I am 100%

If I wanted to give a user the ability to

(config)#interface fa1/0/1
(config-if)#switchport mode access

privilege interface level 5 switchport mode access
privilege configure level 5 interface
privilege exec level 5 configure



If I want to give them all the options then I need to do something like this:


privilege interface level 5 a
privilege interface level 5 b
privilege interface level 5 c
privilege interface level 5 d
privilege interface level 5 e
privilege interface level 5 f
privilege interface level 5 g

?


Are there no wildcards? I want to be able to do the following:

privilege interface level 5 *

or

privilege interface all level 5


No chance?


Thanks for the reply.
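As an added example (not from the thread, nor Cisco's own tooling), a small Python audit of the explicit `privilege` lines in a saved running-config: it flags single-keyword abbreviations, which the thread shows unlock every command sharing that prefix (`i` exposing `ip`), and sub-mode grants that have no parent-mode grant at the same or a lower level, the situation behind the failed `config t` above. The sample config, the parent-mode table and the prefix-matching behaviour are assumptions constructed for the example.

```python
import re
# Constructed sample running-config, not the thread's switch.
SAMPLE_CONFIG = """\
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 switchport mode access
privilege interface level 5 i
privilege configure level 7 ip access-list
privilege interface level 3 shutdown
"""
# Assumed: which parent-mode command reaches each sub-mode (thread's modes only).
PARENT = {"configure": ("exec", "configure"),
          "interface": ("configure", "interface")}
PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+(all\s+)?level\s+(\d+)\s+(.+?)\s*$")

def parse_privilege_lines(config):
    """Return one dict per 'privilege <mode> [all] level <n> <command>' line."""
    grants = []
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            mode, all_kw, level, cmd = m.groups()
            grants.append({"mode": mode, "all": bool(all_kw),
                           "level": int(level), "command": cmd})
    return grants

def find_broad_grants(grants, min_len=2):
    """Grants whose first keyword is shorter than min_len characters.
    Assumes the prefix matching seen in the thread ('i' unlocking 'ip')."""
    return [g for g in grants if len(g["command"].split()[0]) < min_len]

def find_unreachable_grants(grants):
    """Sub-mode grants with no parent-mode grant at the same or a lower level,
    e.g. an interface grant at level 3 when 'interface' is only granted at 5."""
    issues = []
    for g in grants:
        if g["mode"] not in PARENT:
            continue
        pmode, pcmd = PARENT[g["mode"]]
        reachable = any(p["mode"] == pmode and p["level"] <= g["level"]
                        and pcmd.startswith(p["command"].split()[0])
                        for p in grants)
        if not reachable:
            issues.append(g)
    return issues

if __name__ == "__main__":
    found = parse_privilege_lines(SAMPLE_CONFIG)
    print(find_broad_grants(found), find_unreachable_grants(found))
```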

