AAA IOS HTTS Cmd Authorization

Unanswered Question
Jun 20th, 2008
User Badges:

On my ACS SE 4.2 setup I have CMD Authorization set up and it works nice, Service Desk type cmds: show, clear, telnet, traceroute, exit and then another group with full access (all cmds permitted). both user groups have Priv. Levels = 15.

However, (there is always one) with SDM access via HTTPS it appears that all you need is Priv. Level 15 to run SDM and make any configuration changes.

With my current setup, a user in the NetDevOper group when Telnet'ed or SSH'ed has access to a few commands, i.e. clear crypto sessions.

If I change this group from Priv Level 15 to, say 14, then I will have to 'Demote' the Clear command to Priv Level 14 on each device so this group can do simple clear commands.

My other choice is to disable HTTP access altogether, which is what I am leaning towards.

Is there another option available?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jagdeep Gambhir Sat, 06/21/2008 - 20:01
User Badges:
  • Red, 2250 points or more


In order to access SDM, we would always need privilege level 15.



charlie-hall Mon, 06/23/2008 - 07:57
User Badges:

Hi JG,

Thanks for your reply.

Do you know if there is a way to limit user access via HTTP(S) (SDM) so my Service Desk can use it, but cannot make configuration changes?

It appears to me that the IOS code for HTTP(S) (SDM) access is only checking to see if the user has Priv Level=15 and there is no other varibles being check.

If true, I will just disable HTTP(S) SDM access to the routers.




This Discussion