AAA IOS HTTPS Cmd Authorization

On my ACS SE 4.2 setup I have CMD Authorization set up and it works nicely: Service Desk type cmds (show, clear, telnet, traceroute, exit) and then another group with full access (all cmds permitted). Both user groups have Priv. Level = 15.

However, (there is always one) with SDM access via HTTPS it appears that all you need is Priv. Level 15 to run SDM and make any configuration changes.

With my current setup, a user in the NetDevOper group when Telnet'ed or SSH'ed has access to a few commands, i.e. clear crypto sessions.

If I change this group from Priv Level 15 to, say 14, then I will have to 'Demote' the Clear command to Priv Level 14 on each device so this group can do simple clear commands.

My other choice is to disable HTTP access altogether, which is what I am leaning towards.

Is there another option available?

2 REPLIES

Re: AAA IOS HTTPS Cmd Authorization

Charlie,

In order to access SDM, we would always need privilege level 15.

Regards,

~JG


Re: AAA IOS HTTPS Cmd Authorization

Hi JG,

Thanks for your reply.

Do you know if there is a way to limit user access via HTTP(S) (SDM) so my Service Desk can use it, but cannot make configuration changes?

It appears to me that the IOS code for HTTP(S) (SDM) access is only checking to see if the user has Priv Level = 15 and no other variables are being checked.

If true, I will just disable HTTP(S) SDM access to the routers.

Thanks

Charlie
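The two options Charlie weighs above, written out as an IOS configuration fragment. This is an added example, not configuration from the thread or from Cisco; the ACS server address, TACACS+ key and method-list names are assumptions, and the `command-authorization` keyword of `ip http authentication aaa` is assumed to be available on the IOS release in use (check with `ip http authentication aaa ?`). Option A keeps SDM reachable but pushes the commands it issues through the same command-authorization list the vty sessions use; Option B removes the HTTP(S) path entirely. Only one of the two options belongs on a device.

```cisco
! Added example (not from the original thread). Assumed values:
!   192.0.2.10 / EXAMPLEKEY  - ACS SE 4.2 address and TACACS+ key
!   "default"                - method-list name used throughout
aaa new-model
tacacs-server host 192.0.2.10 key EXAMPLEKEY
!
! Login and exec authorization, with local fallback for lockout safety.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Per-command authorization at level 15: ACS decides per command, so a
! Service Desk user at priv 15 still only gets show/clear/telnet/etc.
! No local fallback here: if ACS is unreachable, commands are denied
! rather than silently permitted.
aaa authorization commands 15 default group tacacs+
aaa authorization config-commands
!
! ---- Option A: keep SDM, but apply AAA on the HTTP(S) path -----------
! Plain HTTP off; HTTPS on; login, exec and per-command authorization
! all resolved by ACS through the same list as the vty sessions.
no ip http server
ip http secure-server
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
ip http authentication aaa command-authorization 15 default
!
! ---- Option B: what the poster leans towards: no HTTP(S) at all ------
! SDM cannot reach the device; management stays on SSH/vty only.
! (Do not combine with Option A.)
no ip http server
no ip http secure-server
```

Whichever option is chosen, verify from a Service Desk account that a config-changing command is rejected: over SSH with `configure terminal`, and for Option A by attempting a configuration change from SDM and checking the ACS TACACS+ administration/failed-attempts log for the corresponding command-authorization deny.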
