12-24-2006 03:36 AM - edited 03-10-2019 02:53 PM
Is it possible to configure shell authorization when the privilege level is set to anything less than 15?
What I am doing right now is configuring level 15 access and restricting the commands through shell sets. When I try to assign any other privilege level it doesn't seem to work.
HTH
Narayan
12-26-2006 11:06 AM
Hi,
Are you using auth-proxy or what?
As far as I know, for auth-proxy you cannot use another level under 15; the only thing allowed is a (permit) statement with (any) as the source, and the level is 15:
proxyacl#1=permit any
.
.
.
PRIVLVL=15 (under the argument area..)
HTH
Please do rate if it does help
12-26-2006 03:26 PM
Narayan,
Even if you define a privilege level less than 15 on the device and apply command authorization on that level, you will need to reduce the privilege level of the commands which you need to execute on the lower privilege level.
After reducing the privilege level of selected commands on the device, applying command authorization will be a waste.
12-26-2006 11:54 PM
Vivek,
I am probably confused with your post.
What I want to achieve is something like this.
Say I want to restrict one group to just the following commands:
Sh ip int brief
sh int
ping
I don't want to assign a privilege level of 15 to this group and then restrict; what I want is to assign a privilege level of, say, 5 or 10 and then restrict.
Can this be done?
Narayan
12-27-2006 12:46 PM
Narayan,
Let's say you assign a privilege level of 10 to the user on the AAA server. The user will log on to the device at level 10 but "sh ip int br" and "sh int" are level 15 commands, hence he will not be able to use them.
So what we will need to do is reduce the privilege level of the "sh ip int br" and "sh int" commands on the device itself to level 10 using the "privilege" command in global configuration mode.
After doing this, only "sh ip int br" and "sh int" commands will be available at level 10 and not other privilege 15 commands.
Now further if you want Group a to execute only "sh ip int br" and Group b to execute only "sh int" then you can apply command authorization for level 10.
Hope this helps
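The device-side configuration described in the reply above, as an added example that is not part of the original thread. It assumes a TACACS+ server is already defined on the device and that the AAA server assigns privilege level 10 to the user; the per-group command sets themselves live on the AAA server.

```cisco
! Added example. Level 10 and the two commands come from the reply above.
aaa new-model
!
! Assumption: TACACS+ is the AAA protocol, with local accounts as fallback
! when the server is unreachable.
aaa authentication login default group tacacs+ local
!
! Exec authorization: the AAA server returns the user's privilege level
! (10 here), so the session starts at that level after login.
aaa authorization exec default group tacacs+ local
!
! Command authorization for level 10: each level-10 command the user types
! is sent to the AAA server, which permits or denies it per group.
aaa authorization commands 10 default group tacacs+ local
!
! Place the two commands named in the reply at level 10 on the device itself.
privilege exec level 10 show ip interface brief
privilege exec level 10 show interfaces
!
! Check after logging in as the restricted user:
!   show privilege      (reports the current privilege level of the session)
```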
12-27-2006 09:48 PM
Thanks Vivek,
It would be a burden to configure the commands on each device (I have about 700).
I think it's better to assign priv 15 and restrict.
BTW, is there any document which can show the commands and their associated privilege levels?
Narayan
12-30-2006 06:30 AM
Narayan,
I am looking to do the same as you are. Please post if you have found a solution.
Thanks,
Harton
01-04-2007 07:52 AM
Narayan,
I could find any document but you can go to level one prompt of any IOS device and check the commands available. All the rest are level 15 commands.
01-05-2007 09:56 AM
Thanks Vivek for the answer.
Harton, I didn't find any easier way other than allowing priv 15 access and restricting them with shell authorization.
HTH
Narayan