Privilege levels on switch

Unanswered Question
Oct 28th, 2007

I am trying to lock down my switches for my junior network engineers and have run into a problem for my sites without Radius/Tacacs.

I would like to set a privilege level that only allows admins to configure interfaces, ip access list, and show commands.

With ACS I set the commands I allow per user, but with no ACS it seems I must enter lots of extra lines.

i.e. (on a 3750, c3750-advipservicesk9-mz.122-25.SEE1.bin):

privilege configure level 5 interface
privilege exec level 5 configure

I would expect this to allow me as a level 5 user to go to config mode and then perform any interface command.

Instead:

SwitchB-3750#sho priv
Current privilege level is 5
SwitchB-3750#config t
                    ^
% Invalid input detected at '^' marker.

SwitchB-3750#config
Configuring from terminal, memory, or network [terminal]? t
Enter configuration commands, one per line.  End with CNTL/Z.
SwitchB-3750(config)#interface fa1/0/1
SwitchB-3750(config-if)#?
Interface configuration commands:
  default  Set a command to its defaults
  exit     Exit from interface configuration mode
  help     Description of the interactive help system
  no       Negate a command or set its defaults

SwitchB-3750(config-if)#

If I then enter:

SwitchB-3750(config)#privilege interface level 5 i

I can then do anything with an "i":

SwitchB-3750(config-if)#?
Interface configuration commands:
  default  Set a command to its defaults
  exit     Exit from interface configuration mode
  help     Description of the interactive help system
  ip       Interface Internet Protocol config commands
  no       Negate a command or set its defaults

I want them to be able to do anything. Am I missing a critical part?

Thank you,

Brant Hale

branthale Tue, 10/30/2007 - 11:36

OK, just to make sure I am 100%:

If I wanted to give a user the ability to

(config)#interface fa1/0/1
(config-if)#switchport mode access

privilege interface level 5 switchport mode access
privilege configure level 5 interface
privilege exec level 5 configure

If I want to give them all the options then I need to do something like this:

privilege interface level 5 a
privilege interface level 5 b
privilege interface level 5 c
privilege interface level 5 d
privilege interface level 5 e
privilege interface level 5 f
privilege interface level 5 g

?

Are there no wildcards? I want to be able to do the following:

privilege interface level 5 *

or

privilege interface all level 5

No chance?

Thanks for the reply.
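The local, RADIUS/TACACS-free level-5 setup discussed in the question and in the follow-up, as an added example that is not part of the original thread. The user name, the placeholder secrets and the chosen command set are assumptions; the `all` keyword of the `privilege` command should be confirmed with `privilege interface ?` on the 12.2(25)SEE image before relying on it, and the named-ACL sub-modes are left out because their mode names should be read from `privilege ?` on that image.

```cisco
! Added example, not from the original post. Hypothetical user "junior";
! replace the <PLACEHOLDER> secrets before use.
!
! Local authentication: the user lands at level 5 without RADIUS/TACACS.
username junior privilege 5 secret <PLACEHOLDER-USER-SECRET>
enable secret level 5 <PLACEHOLDER-LEVEL5-ENABLE-SECRET>
line vty 0 15
 login local
!
! A privilege grant covers exactly the keywords listed, nothing deeper.
! "configure" alone grants only the bare word, which is why "config t" was
! rejected while "config" followed by the [terminal] prompt still worked
! in the session above. Grant the full string instead:
privilege exec level 5 configure terminal
!
! show commands: most are already at level 1 and inherited by level 5.
! show running-config is level 15 by default; when moved down, a lower
! level sees only the part of the config that level is allowed to change.
privilege exec level 5 show running-config
!
! Entering interface mode needs its own grant, and every interface
! sub-command needs one as well. A partial word ("i") is matched as a
! prefix, which is why it unlocked "ip"; "all" extends a grant to every
! sub-option of the keyword (verify "all" is accepted on this image).
privilege configure level 5 interface
privilege interface all level 5 switchport
privilege interface level 5 description
privilege interface level 5 shutdown
!
! Verify as the level-5 user: "show privilege" must report 5, and "?" in
! each mode should list only the granted keywords (plus the level-1 set).
```

Anything not granted here stays at level 15, so the junior engineers cannot enable, configure or view the rest of the switch configuration without the level-15 enable secret.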
