limited priv on router/switch

Unanswered Question
Jul 19th, 2010

Hello

How do I allow a user with limited command privilege on a router and switch?

Once the user has SSHed to the router or switch, they can run these commands on the router:

show cdp neigh

show ip interface brief

ping

The user will be created locally on the switch or router.

==== I tested this but doesn't work ===============

aaa authentication login default local
aaa authorization exec default local

username admin privilege 15 password abcd

username helpdesk privilege 0 password helpdesk

privilege exec level 0 ping
privilege exec level 0 show interface
privilege exec level 0 show cdp neighbors
privilege exec level 15 clear line

line vty 0 4
 privilege level 15
 transport input telnet ssh

=========================================

thanks

ST

Chetan Kumar Ress Mon, 07/19/2010 - 13:35

Hi Saquib

You should not use privilege 15 on the line vty. Without configuring AAA you can use the commands below to achieve what you want.

privilege exec level 0 ping
privilege exec level 0 show interface
privilege exec level 0 show cdp neighbors
! no need to configure the next command, privilege 15 already has all access
privilege exec level 15 clear line

line vty 0 4
 login local
 transport input telnet ssh

Regards

Chetan Kumar

Ganesh Hariharan Mon, 07/19/2010 - 22:52

Hi ST,

In order to create a local database, you can use the following commands to create user accounts:

username admin privilege 15 password cisco

username bob privilege 7 password cisco

These usernames will be assigned privilege 15 and 7 respectively. Once these users are created, you need to enable login on the lines to use the local database instead of just the line password, or no password at all.

To tell each line to use these new user logins, you must go to each line and enter the login local command.

In order to restrict which commands a privilege level can use, check out the link below on IOS privilege level commands from Cisco:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml

Hope this helps!!

Ganesh.H

Remember to rate the helpful post
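Pulling the two replies together, here is a constructed IOS configuration (added here, not posted by anyone in the thread) that shows the corrected approach: the privilege level lives on the username rather than on the vty line, only the three requested commands are lowered to level 0, and the angle-bracket secrets are placeholders to be replaced.

```cisco
! Constructed example (not from the thread): a local "helpdesk" user that can
! only run the three commands from the question, reachable over SSH.
!
! Local user database. "secret" stores an irreversible hash; "password" stores
! the string in clear text or only reversibly obfuscated (type 7).
username admin privilege 15 secret <admin-secret>
username helpdesk privilege 0 secret <helpdesk-secret>
!
! Level 0 is used on purpose: privilege levels are cumulative, so a user at
! any level from 1 upward also inherits the whole default user-EXEC (level 1)
! command set, which already includes many "show" commands. Level 0 starts
! with only disable, enable, exit, help and logout.
privilege exec level 0 ping
privilege exec level 0 show cdp neighbors
privilege exec level 0 show ip interface brief
!
! Lowering "show ip interface brief" also lowers its prefixes ("show",
! "show ip", "show ip interface") to level 0, so the helpdesk user can run
! "show ip interface" without "brief" as well. Expect that and review it.
!
! Level 0 still contains "enable"; the enable secret is what gates escalation
! to level 15 from that session, so set one.
enable secret <enable-secret>
!
! No "privilege level 15" under the vty lines: that line command overrides the
! per-username level and hands every vty login level 15, which is why the
! original attempt did not work. Authenticate against the local database and
! accept SSH only; telnet carries the credentials in clear text.
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
!
! Checks after applying:
!   admin session:     show running-config | include privilege
!   helpdesk session:  show ip interface brief   (accepted)
!                      show running-config       (rejected, still level 15)
```

If AAA is already enabled with aaa new-model, keep aaa authorization exec default local as in the original post so the username's level is still applied at login; the vty lines still must not carry privilege level 15.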
