11-14-2009 10:10 AM - edited 03-10-2019 04:48 PM
Hello. I have NDGs configured; there is a group called "GR1" with 30 switches.
This group is set up with a Shell Command Authorization Set called "Monitoring", in which only show commands, ping and traceroute are allowed.
I want to let users configure certain interfaces and IP addresses on only 10 of the switches in group "GR1", and not on the others. Note: the interface number is not the same for each switch; on one it can be Fa0/1, but on others it may be Fa0/3, etc.
I want to keep these 10 switches within the group "GR1". Is it possible to make this configuration?
- Thanks
11-23-2009 01:58 AM
Why don't you assign per-user or group-level command authorization sets for the users managing the 10 switch devices?
If I understand your requirement correctly.
Regards
Farrukh
Message was edited by: Farrukh Haroon
11-23-2009 07:41 PM
Hi. Apologies, could you give me an example of what you say? It does not seem possible to make a shell command for each device when using NDG. Thanks.
11-23-2009 11:17 PM
I've edited my earlier post to make it more clear. You can assign Shell Auth. Sets at the user, group or NDG level. More details are mentioned on the following link:
AFAIR, one device (AAA Client) can be part of only one NDG, so you cannot achieve your requirement by using per-NDG Shell Command Authorization sets, unless you break up the NDG into more than one NDG.
You can assign the authorization set at the user or group level (after putting the appropriate users in the group) to achieve your requirement.
You could also use the 'privilege' command on the switch to make sure that users can see only the commands you want. E.g. when a user logs in he will be placed at level 7. Now you can keep the undesired commands at level 15 and bring down the desired commands to level 7. All other users would be assigned a lower level (e.g. level 5), so they won't be able to run these commands.
Regards
Farrukh
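The privilege-level approach described in the reply above, as an added IOS configuration sketch that is not part of the original post. Level 7 comes from the reply; the choice of commands moved to level 7, the method list names and the ACS-side setting noted in the comments are assumptions.

```cisco
! Constructed example for one of the 10 switches (not from the original thread).
! Assumes the tacacs-server host/key for the ACS server is already configured.
aaa new-model
aaa authentication login default group tacacs+ local
! Let ACS return the user's privilege level at login.
! Assumption: on ACS, the user or group has the TACACS+ "Shell (exec)"
! service enabled with "Privilege level" set to 7 (5 for everyone else).
aaa authorization exec default group tacacs+ local
!
! Keep sending level-7 commands to ACS, so the Shell Command
! Authorization Set is still evaluated on top of the local levels.
aaa authorization commands 7 default group tacacs+ local
! Without this line, commands typed in configuration mode are not
! sent to the TACACS+ server for authorization.
aaa authorization config-commands
!
! Bring only the desired commands down to level 7.
! Everything not listed here stays at its default level (15 for
! configuration commands) and is unavailable to level-7 users.
privilege exec level 7 configure terminal
privilege configure level 7 interface
privilege interface level 7 ip address
!
! Check after logging in as a test user:
!   show privilege      -> should report "Current privilege level is 7"
```

Users who are handed level 5 by ACS log in below the level of the commands moved above, so they cannot enter configuration mode on these switches.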
11-24-2009 08:25 PM
Thanks for responding. I will standardize the connections on the switches: the first 5 interfaces (Fa0/0 - Fa0/4) will be used for the core and the rest for customers. So I will create a Shell Command where they cannot change anything on the first interfaces.