02-18-2003 11:24 AM - edited 03-10-2019 07:09 AM
I want to be able to restrict users to certain commands on my Access Layer switches. I can do all but the "set vlan" command set. I need to be able to allow these users to 'set vlan <vlan number> <mod/slot>' but not do any other set vlan commands. For example, in my ACS config I have 'deny vlan mtu'. However, if the user were to type 'set vlan 1 mtu' it would be allowed. Is there a way in CS-ACS v2.6 W2k to handle this situation?
02-20-2003 08:25 PM
Hmmm, interesting. I think you'd have to add each vlan number in as part of the command, so do something like:
deny vlan 1 mtu
deny vlan 2 mtu
.......
and so on. Bit of a pain if you have hundreds of VLANs. I can't see any other way around this though, since the vlan number is sent as part of the command to the ACS server, just like the word "mtu" is part of the command.
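The workaround from the reply above, as an added example that is not part of the original thread: a toy model in which a rule matches only when its tokens equal the leading tokens of the arguments sent to the server, plus a generator for the per-VLAN deny lines. The matching semantics, the permit-when-unmatched default, the function names, the VLAN range and the sample commands are assumptions made for illustration, not the ACS implementation.

```python
# Toy model of command-authorization argument matching for the "set" command.
# Assumption: a rule matches when its tokens equal the leading tokens of the
# argument string the switch sends. This is not the ACS matching code.

def matches(rule_args, sent_args):
    rule, sent = rule_args.split(), sent_args.split()
    return sent[:len(rule)] == rule

def authorize(rules, sent_args, unmatched="permit"):
    """rules: list of (action, args); the first matching rule wins.
    unmatched: action when no rule matches (assumed to be permit here)."""
    for action, args in rules:
        if matches(args, sent_args):
            return action
    return unmatched

def per_vlan_denies(keyword, vlan_ids):
    """Expand one 'deny vlan <keyword>' into one rule per VLAN number."""
    return [("deny", f"vlan {v} {keyword}") for v in vlan_ids]

def render(rules):
    """Produce the lines to enter as arguments for the 'set' command."""
    return "\n".join(f"{action} {args}" for action, args in rules)

# Constructed sample data: the rule from the question and its expansion
# for VLANs 1-5 only.
ORIGINAL = [("deny", "vlan mtu")]
EXPANDED = per_vlan_denies("mtu", range(1, 6))

if __name__ == "__main__":
    # "vlan 9 mtu" shows the gap: a VLAN number that was not enumerated
    # is still permitted, so the list must cover every possible number.
    for sent in ("vlan 1 mtu", "vlan 3 2/1", "vlan 9 mtu"):
        print(f"{sent!r:14} original={authorize(ORIGINAL, sent)} "
              f"expanded={authorize(EXPANDED, sent)}")
    print(render(EXPANDED))
```
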
02-21-2003 06:40 AM
Not what I wanted to hear, but what I suspected to be the case. I will get my account team to file some PERS on this as this is an obvious hole in command authorization that needs to be filled.