Set up different privileges on router

Unanswered Question
Mar 8th, 2012
User Badges:

Hello,


We have a Cisco 1841 router that requires two levels of access. At the moment our network admins log in with a single username via SSH at privilege 15, but we also need our helpdesk to log in to run certain commands without being able to change anything. Is this possible?


I'm sure if I see an example then it will make some sense.


Regards

Kevin Dorrell Thu, 03/08/2012 - 06:15
User Badges:
  • Green, 3000 points or more

There are two ways of doing this:


  1. with privilege levels, which I find quite difficult to configure and manage,
  2. with CLI views, which are much more flexible, and allow you to say which individual commands a particular user is allowed to use.


Here is a doc to get you started:


http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cfg/configuration/12-4t/sec-role-base-cli.html


Kevin Dorrell

Luxembourg



Andy White Thu, 03/08/2012 - 06:46
User Badges:

Hi,


I've not heard of CLI views before.  I did have a go at configuring privileges like below:


privilege configure level 3 interface
privilege exec level 3 show ip interface brief
privilege exec level 3 show ip interface
privilege exec level 3 show ip
privilege exec level 3 show running-config
privilege exec level 3 show
privilege exec level 3 exit


You can see the commands I want the helpdesk to use. Is this something a view can do, then?


PS: I forgot to mention I'm trying to combine this with Windows RADIUS too (Windows 2008).


Thanks

Kevin Dorrell Thu, 03/08/2012 - 07:15
User Badges:
  • Green, 3000 points or more

Yes, CLI views can do that more or less, but in a different way.  Rather than assigning a hierarchical set of privilege levels, where if you have level 3 you have 2 and 1 as well, you define the set of commands that the view profile is allowed. You then attach the username to the view. Each view profile sees only its own available commands; there is no automatic inheritance of commands from the lower levels.


Kevin Dorrell

Luxembourg

Andy White Thu, 03/08/2012 - 07:50
User Badges:

This does sound good!


I have just been asked whether we can have the usual admin priv 15 on an account, to which I said yes, and then I have been asked if this "custom" user can just do "show run" and "shut" and "no shut" on ports?


Thanks
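An added configuration example (not posted by either participant) showing how the CLI-view approach Kevin describes could cover the exact command set asked for in the last post: "show run", plus "shut" and "no shut" on interfaces, with admins keeping privilege 15. It assumes a 12.4T-era IOS with role-based CLI support and local authentication only; the view name, usernames and secrets are placeholders, and the Windows RADIUS integration mentioned in the thread is not shown. One caveat on the privilege-level approach in the earlier post: when show running-config is lowered to a level below 15, IOS filters the output to the parts that level is allowed to configure, which is why a separate show running-config view full exists for privilege 15.

```cisco
! Added example, not from this thread. Placeholders in <ANGLE-BRACKETS>.
! Views require aaa new-model; exec authorization applies the view at login.
aaa new-model
enable secret <ENABLE-SECRET>
aaa authentication login default local
aaa authorization exec default local
!
! Views can only be created from the root view:
!   Router# enable view          (prompts for the enable secret)
!   Router# configure terminal
parser view HELPDESK
 secret <VIEW-SECRET>
 ! exec-mode commands the helpdesk may run; "all" admits every variant
 commands exec include show running-config
 commands exec include all show ip interface
 commands exec include configure terminal
 ! config mode: only the interface command, and in interface mode
 ! only shutdown / no shutdown ("no" forms must be included explicitly)
 commands configure include all interface
 commands interface include shutdown
 commands interface include no shutdown
!
! Local accounts: admins keep privilege 15, helpdesk is bound to the view
username netadmin privilege 15 secret <ADMIN-SECRET>
username helpdesk view HELPDESK secret <HELPDESK-SECRET>
!
! Verification from the root view:
!   show parser view all    -> lists HELPDESK and its commands
!   show parser view        -> shows which view the current session is in
```

Logging in as helpdesk over SSH lands the session directly in the HELPDESK view because of the username-to-view binding, so the view's own secret is only needed by someone switching into it manually with enable view HELPDESK. Any command not listed in the view is rejected as unrecognised, which is the property the thread is after: the helpdesk cannot reach the rest of configuration mode even though it can enter it.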
