Privilege levels

Unanswered Question
Sep 17th, 2013

In order to authorize level 7 users to execute the command "clear line tty" on a Cisco Router, I configured the following:


Router(config)# privilege exec level 7 clear line tty


but now the “clear line” is enabled with ALL the sub-options. Is it possible to filter and allow only one sub-option (i.e. tty)?


Thanks in advance,


Davide

John Blakley Tue, 09/17/2013 - 05:19

You could put all of your sub options under a higher privilege level...


privilege exec level 8 clear line aux

privilege exec level 8 clear line cons

privilege exec level 8 clear line vty

etc...



HTH,
John

*** Please rate all useful posts ***

davide.fichera Tue, 09/17/2013 - 05:31

Hi John,


I've tried the following sequence:


privilege exec level 8 clear line aux

privilege exec level 8 clear line cons

privilege exec level 8 clear line vty

privilege exec level 7 clear line tty

but the “clear line” is still enabled with ALL the sub-options.


I've also tried the reverse sequence:


privilege exec level 7 clear line tty

privilege exec level 8 clear line aux

privilege exec level 8 clear line cons

privilege exec level 8 clear line vty

but now "clear" is no longer enabled for level 7.


Davide

John Blakley Tue, 09/17/2013 - 05:52

Davide,


This is interesting. From what I'm seeing, it's only taking effect on the "clear line" and not any of the sub-options. In fact, when you change the privilege level it changes the level for the main clear. I also tried this using views, and it's the same result. It looks like giving permissions to clear line gives permissions to everything under it. Below is the result from trying to configure it with a view:


R5(config-view)#do sh run | s parser

parser view Line

secret 5 $1$uqx0$YN3MOzb0yzwrRAlKs9RYU/

commands exec include clear line

commands exec include clear


R5(config-view)#commands exec exclude ?

  LINE  Keywords of the command

  all   wild card support


R5(config-view)#commands exec exclude clear line console

% Command present in 'include' mode


As you can see, I was trying to exclude clearing the console line, but it shows that it's already included in the view, even though above it shows that it's only including the parent.


Maybe someone else has run into this, but it doesn't look like it's a doable option.


Below is the change that's being made when trying to specify the sub-option. It changes the whole class:


R5(config)#do sh run | i privil

username test privilege 7 view Line password 0 test

privilege exec level 8 clear sampler

privilege exec level 7 clear line

privilege exec level 7 clear


R5(config)#privilege exec level 8 clear line console

R5(config)#do sh run | i privil

privilege exec level 8 clear sampler

privilege exec level 8 clear line

privilege exec level 8 clear



HTH,
John

*** Please rate all useful posts ***
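To make the ordering effect in the two sequences above concrete, here is a small added Python model (not from the thread or from Cisco) of the privilege-table behaviour the posts observe: every keyword prefix of the configured command takes the newly assigned level, the line type is treated as an argument rather than a keyword, and each prefix must be at or below the user's level. Those three rules are assumptions derived only from the outputs shown in the thread.

```python
# Added example (not from the thread or from Cisco): a model of the
# privilege-table behaviour the posts above observe, used to predict what a
# level-7 user can run after a given sequence of "privilege exec level" lines.
# Assumptions, derived only from the outputs shown in the thread:
#   * assigning a level to "clear line <type>" records that level for the
#     keyword prefixes "clear" and "clear line"; the line type itself is not
#     recorded, which is why "sh run | i privil" never shows it;
#   * a later assignment under the same prefix overwrites the earlier level;
#   * the parser checks one keyword at a time, so a user can run a command
#     only if every recorded prefix of it is at or below the user's level.

DEFAULT_LEVEL = 15                                     # unassigned exec commands stay privileged
LINE_TYPES = {"aux", "cons", "console", "tty", "vty"}  # assumed to parse as arguments, not keywords

def keyword_path(words):
    """Keep parser keywords up to the first argument-like word (line type or number)."""
    keywords = []
    for word in words:
        if word in LINE_TYPES or word.isdigit():
            break
        keywords.append(word)
    return keywords

def apply_privilege_lines(config_lines):
    """Apply 'privilege exec level N <cmd>' lines in order; return {prefix: level}."""
    table = {}
    for line in config_lines:
        parts = line.split()
        if parts[:3] != ["privilege", "exec", "level"]:
            continue                                   # ignore anything else in the config
        level = int(parts[3])
        keywords = keyword_path(parts[4:])
        for n in range(1, len(keywords) + 1):
            table[" ".join(keywords[:n])] = level      # every keyword prefix takes the new level
    return table

def can_run(table, user_level, command):
    """True if a user at user_level can type the whole command keyword by keyword."""
    keywords = keyword_path(command.split())
    return all(table.get(" ".join(keywords[:n]), DEFAULT_LEVEL) <= user_level
               for n in range(1, len(keywords) + 1))

FORWARD = ["privilege exec level 8 clear line aux",    # the two sequences Davide tried,
           "privilege exec level 8 clear line cons",   # in the order he entered them
           "privilege exec level 8 clear line vty",
           "privilege exec level 7 clear line tty"]
REVERSE = [FORWARD[3]] + FORWARD[:3]

def demo():
    """(level 7 can clear a vty after FORWARD, level 7 can clear a tty after REVERSE)."""
    return (can_run(apply_privilege_lines(FORWARD), 7, "clear line vty 0"),
            can_run(apply_privilege_lines(REVERSE), 7, "clear line tty 1"))
```

Under these rules `demo()` returns `(True, False)`: the forward order leaves every line type clearable at level 7, and the reverse order locks level 7 out of "clear" entirely, which is exactly the pair of results reported above.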

davide.fichera Tue, 09/17/2013 - 06:05

Hi John, thanks a lot for your effort in trying to solve the question...


We're waiting for further help...


Davide

Joseph W. Doherty Tue, 09/17/2013 - 07:13

Disclaimer


The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.


Liability Disclaimer


In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.


Posting


An alternative approach would be to consider AAA with TACACS for granular command control.

davide.fichera Wed, 09/18/2013 - 06:32

Hi Joseph, thanks for your suggestion. Unfortunately we have a RADIUS server in our infrastructure, so we have to set this permission locally on the network device.


Davide
