
Shell Command Authorization Sets for device using NDGs??

Kevin Morales
Level 1

Hello. I have NDGs configured, and there is a group called "GR1" with 30 switches.

This group is set up with a Shell Command Authorization Set called "Monitoring", in which only show commands, ping and traceroute are allowed.

I want to let users on only 10 of the switches in group "GR1" configure certain interfaces and IP addresses, but not on the other switches. Note: the interface number is not the same for each switch; on one it can be Fa0/1, but on others it may be Fa0/3, etc.

I want to retain these 10 switches within the group "GR1". Is it possible to make this configuration?

- Thanks


4 Replies 4

Farrukh Haroon
VIP Alumni

Why don't you assign per-user or group-level command authorization sets for the users managing the 10 switch devices?

If I understand your requirement correctly.

Regards

Farrukh

Message was edited by: Farrukh Haroon

Kevin Morales
Level 1

Hi. Apologies, could you give me an example of what you mean? It does not seem possible to make a shell command for each device when using NDGs. Thanks.

I've edited my earlier post to make it more clear. You can assign Shell Auth. Sets at the user, group or NDG level. More details are mentioned on the following link:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SPC.html#wpmkr697610

AFAIR, one device (AAA Client) can be part of only one NDG, so you cannot achieve your requirement by using per-NDG Shell Command Authorization sets. Unless you break up the NDG into more than one NDG.

You can assign the authorization set at the user or group level (after putting the appropriate users in the group) to achieve your requirement.

You could also use the 'privilege' command on the switch to make sure that users can see only the commands you want. E.g. when a user logs in he will be placed at level 7. Now you can keep the undesired commands at level 15 and bring down the desired commands to level 7. All other users would be assigned a lower level (e.g. level 5), so they won't be able to run these commands.


Regards


Farrukh
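
The privilege-level approach from the reply above, as an added IOS configuration example that is not part of the original thread. The `privilege` lines are local to each switch, so they would go only on the 10 switches where configuration is allowed; the account name, the secret and the choice of interface commands are placeholders and assumptions.

```text
! Added example (constructed). Apply only on the switches where operators may configure.
aaa new-model
aaa authentication login default group tacacs+ local
! Exec authorization lets the AAA server return each user's privilege level
! (7 for the operators, 5 for everyone else, as in the reply above).
aaa authorization exec default group tacacs+ local
!
! Bring the desired commands down to level 7.
! Every command not listed here stays at its default level (most config commands: 15).
privilege exec level 7 configure terminal
privilege configure level 7 interface
privilege interface level 7 ip address
privilege interface level 7 description
!
! Local fallback account at level 7 (placeholder name and secret).
username oper7 privilege 7 secret <placeholder-secret>
!
! A user placed at level 5 cannot run "configure terminal" on this switch.
! ping, traceroute and the show commands that default to level 1 remain available.
! On a switch without the privilege lines, "configure terminal" stays at level 15,
! so a level-7 user cannot enter configuration mode there either.
```

Privilege levels apply to a command on every interface, so they cannot by themselves protect specific ports such as the uplinks. If `aaa authorization commands 7 ...` is also configured on the switch, level-7 commands are still sent to the AAA server and the command authorization set assigned there must permit them.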

Thanks for responding. I will standardize the connections on the switches: the first 5 interfaces (Fa0/0 - Fa0/4) will be used for the core and the rest for customers, so I will create a Shell Command where they cannot change anything on the first interfaces.
