03-08-2012 05:57 AM - edited 03-07-2019 05:26 AM
Hello,
We have a Cisco 1841 router that requires 2 levels of access. At the moment we have network admins logging in with a single username via SSH and with privilege 15, but we also need our helpdesk to log in to run certain commands but not change anything. Is this possible?
I'm sure if I see an example then it will make some sense.
Regards
03-08-2012 06:15 AM
There are two ways of doing this:
Here is a doc to get you started:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cfg/configuration/12-4t/sec-role-base-cli.html
Kevin Dorrell
Luxembourg
03-08-2012 06:46 AM
Hi,
I've not heard of CLI views before. I did have a go at configuring privileges like below:
privilege configure level 3 interface
privilege exec level 3 show ip interface brief
privilege exec level 3 show ip interface
privilege exec level 3 show ip
privilege exec level 3 show running-config
privilege exec level 3 show
privilege exec level 3 exit
You can see the commands I want the helpdesk to use, is this something a view can do then?
PS I forgot to mention I'm trying to combine this with Windows radius too (Windows 2008)
Thanks
03-08-2012 07:15 AM
Yes, CLI views can do that more or less, but in a different way. Rather than assigning a hierarchical set of privilege levels, where if you have level 3 you have 2 and 1 as well, you define a set of commands that the view profile is allowed. You then attach the username to the view. Each view profile sees only its own available commands; there is no automatic inheritance of commands from the lower levels.
Kevin Dorrell
Luxembourg
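A read-only helpdesk view along the lines described in the reply above, as an added example that is not part of the original thread. The view name, usernames and secrets are placeholders, local AAA is assumed (not the RADIUS setup mentioned earlier), and the command list mirrors the show commands from the earlier post.

```cisco
! Constructed example: HELPDESK, helpdesk, netadmin and all <...> values are placeholders.
! Views require AAA. Exec authorization is what applies the per-user view
! (or privilege level) at login.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! An enable secret must exist so an admin can enter the root view
! (exec command "enable view") before creating or editing views.
enable secret <ENABLE-SECRET>
!
! The view is an explicit allow-list. Nothing is inherited from
! privilege levels, so only the commands listed here are available.
parser view HELPDESK
 secret <VIEW-SECRET>
 commands exec include show ip interface brief
 commands exec include show ip interface
 commands exec include show running-config
 commands exec include exit
!
! Helpdesk account lands directly in the view at login.
username helpdesk view HELPDESK secret <HELPDESK-PASSWORD>
! Admin account keeps full privilege 15 access.
username netadmin privilege 15 secret <ADMIN-PASSWORD>
```

After logging in as the helpdesk user, `show parser view` confirms which view is active and `?` lists only the commands the view allows. Apply the AAA lines from a console session, since enabling `aaa new-model` changes how existing VTY logins are authenticated.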
03-08-2012 07:50 AM
This does sound good!
I have just been asked, can we have the usual admin priv 15 on an account, which I said yes and then I have been asked if this "custom" user can just do "show run" and "shut" and "no shut" on ports?
Thanks