Shell Command Authorization Sets for device using NDGs??

Answered Question
Nov 14th, 2009

Hello. I have NDGs configured; there is a group called "GR1" with 30 switches.

This group is set up with a Shell Command Authorization Set called "Monitoring", in which only show commands, ping and traceroute are allowed.

I want to let users on only 10 of the switches in the group "GR1" configure certain interfaces and IP addresses, but not on the other switches. Note: the number of interfaces is not the same for each switch; on one it may be Fa0/1, but on others it may be Fa0/3, etc.

I want to keep these 10 switches within the group "GR1"; is it possible to make this configuration?

- Thanks

Correct Answer by Farrukh Haroon about 7 years 2 months ago

I've edited my earlier post to make it more clear. You can assign Shell Auth. Sets at the user, group or NDG level. More details are mentioned on the following link:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SPC.html#wpmkr697610

AFAIR, one device (AAA Client) can be part of only one NDG, so you cannot achieve your requirement by using per-NDG Shell Command Authorization sets. Unless you break up the NDG into more than one NDG.

You can assign the authorization set at the user or group level (after putting the appropriate users in the group) to achieve your requirement.

You could also use the 'privilege' command on the switch to make sure that users can see only the commands you want. E.g. when a user logs in he will be placed at level 7. Now you can keep the undesired commands at level 15 and bring down the desired commands to level 7. All other users would be assigned a lower level (e.g. level 5), so they won't be able to run these commands.


Regards


Farrukh
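An added configuration example (not from the thread) of the switch-side 'privilege' approach described above, meant to be applied only on the 10 switches that should accept interface changes. The usernames, the level numbers 5 and 7, and the list of interface commands are assumptions; if TACACS+ command authorization on these switches still points at the "Monitoring" set, ACS will deny the configuration commands regardless of the local privilege table, so this only helps where the switch authorizes commands locally.

```cisco
! Added example, not from the thread. Assumes a Catalyst switch running IOS
! with local login on the VTY lines. Replace usernames and secrets.
!
! Move only the commands needed for interface/IP changes down to level 7.
! Everything else in configuration mode stays at its default, level 15,
! so a level-7 user can reach config mode but sees only these commands.
privilege exec level 7 configure terminal
privilege configure level 7 interface
privilege interface level 7 ip address
privilege interface level 7 no ip address
privilege interface level 7 description
privilege interface level 7 shutdown
privilege interface level 7 no shutdown
!
! show / ping / traceroute are level 1 by default, so the read-only
! (level 5) users need nothing moved; they simply cannot reach level 7.
username netops-cfg privilege 7 secret REPLACE_ME
username netops-mon privilege 5 secret REPLACE_ME
!
line vty 0 15
 login local
!
! Check after logging in as each user:
!   show privilege          -> "Current privilege level is 7" (or 5)
!   configure terminal      -> accepted at level 7, rejected at level 5
!   interface fa0/3 ; ?     -> level 7 sees only ip address/description/
!                              shutdown; show running-config stays at 15
```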

Kevin Morales Mon, 11/23/2009 - 19:41

Hi. Apologies, could you give me an example of what you say? It does not seem to make a shell command set for each device when using NDGs. Thanks.

Kevin Morales Tue, 11/24/2009 - 20:25

Thanks for responding. I will standardize the connections on the switches: the first 5 interfaces (Fa0/0 - Fa0/4) are used for the core and the rest for customers, so I will create a Shell Command set where they cannot change anything on the first interfaces.

Farrukh Haroon Mon, 11/23/2009 - 01:58

Why don't you assign per-user or group-level command authorization sets for the users managing the 10 switch devices?

If I understand your requirement correctly.

Regards

Farrukh
