Privilege levels on switch

branthale
Level 1

I am trying to lock down my switches for my junior network engineers and have run into a problem for my sites without RADIUS/TACACS.

I would like to set a privilege level that only allows admins to configure interfaces, ip access list, and show commands.

With ACS I set the commands I allow per user, but with no ACS it seems I must enter lots of extra lines.

i.e. (on a 3750, c3750-advipservicesk9-mz.122-25.SEE1.bin):

privilege configure level 5 interface
privilege exec level 5 configure

I would expect this to allow me as a level 5 user to go to config mode and then perform any interface command.

instead:

SwitchB-3750#sho priv
Current privilege level is 5
SwitchB-3750#config t
                    ^
% Invalid input detected at '^' marker.

SwitchB-3750#config
Configuring from terminal, memory, or network [terminal]? t
Enter configuration commands, one per line.  End with CNTL/Z.
SwitchB-3750(config)#interface fa1/0/1
SwitchB-3750(config-if)#?
Interface configuration commands:
  default  Set a command to its defaults
  exit     Exit from interface configuration mode
  help     Description of the interactive help system
  no       Negate a command or set its defaults

SwitchB-3750(config-if)#

If I then enter:

SwitchB-3750(config)#privilege interface level 5 i

I can then do anything with an "i"

SwitchB-3750(config-if)#?
Interface configuration commands:
  default  Set a command to its defaults
  exit     Exit from interface configuration mode
  help     Description of the interactive help system
  ip       Interface Internet Protocol config commands
  no       Negate a command or set its defaults

I want them to be able to do anything. Am I missing a critical part?

Thank you,

Brant Hale

2 Replies

Jagdeep Gambhir
Level 10

Hi Brant,

In this case you need to define the privilege level for all config t commands as level 5 or below.

So the user at level 5 would ONLY be able to execute config t commands with privilege 5 or below.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml

Regards,

~JG

Do rate helpful posts

OK, just to make sure I am 100% clear:

If I wanted to give a user the ability to

(config)#interface fa1/0/1
(config-if)#switchport mode access

privilege interface level 5 switchport mode access
privilege configure level 5 interface
privilege exec level 5 configure

If I want to give them all the options then I need to do something like this:

privilege interface level 5 a
privilege interface level 5 b
privilege interface level 5 c
privilege interface level 5 d
privilege interface level 5 e
privilege interface level 5 f
privilege interface level 5 g

?

Are there no wildcards? I want to be able to do the following:

privilege interface level 5 *

or

privilege interface all level 5

No chance?

Thanks for the reply.
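Putting the reply above and the wildcard question together, here is an added configuration example. It is not from this thread or from Cisco's documentation; the hostname, the `junior` username, the `<...>` passwords and the exact list of interface and ACL commands are assumptions chosen for illustration. It shows the two-word `configure terminal` entry that makes `config t` work at level 5, the per-command entries an interface or ACL sub-mode needs (there is no `*`), and, as a comment, the `all` keyword that later IOS releases accept for a command plus all of its sub-options. Whether a given 12.2 SE image accepts `all` has to be checked with `privilege interface ?` on the switch itself.

```cisco
! Added example, not from the thread: a level-5 "junior" role on an IOS
! switch with local authentication only (no RADIUS/TACACS+).
! Assumptions: username "junior", the <...> passwords, and the set of
! interface/ACL commands below are placeholders for illustration.
!
! Local account that logs in straight at level 5, plus a level-5 enable
! secret so juniors never need the level-15 secret.
username junior privilege 5 secret 0 <junior-password>
enable secret level 5 0 <level5-enable-password>
enable secret 0 <level15-enable-password>
line vty 0 15
 login local
!
! "privilege exec level 5 configure" moves only the keyword "configure";
! "terminal" is a separate keyword that stays at 15, so "config t" is
! rejected while the interactive "config" prompt still works. Move the
! whole two-word command instead.
privilege exec level 5 configure terminal
!
! Global-config commands the level-5 user may enter. Entering a sub-mode
! needs its own line here; the commands inside the sub-mode are separate.
privilege configure level 5 interface
privilege configure level 5 ip access-list standard
privilege configure level 5 ip access-list extended
!
! Interface sub-mode: there is no wildcard, so list each command (or command
! subtree) explicitly. Anything not listed stays at level 15, which is what
! makes this a least-privilege role.
privilege interface level 5 description
privilege interface level 5 switchport mode access
privilege interface level 5 switchport access vlan
privilege interface level 5 spanning-tree portfast
privilege interface level 5 shutdown
!
! On releases whose "privilege" command accepts the "all" keyword, one line
! moves a command and every sub-option under it (verify with
! "privilege interface ?" before relying on it):
!   privilege interface all level 5 switchport
!
! Named ACL sub-modes. The mode names "privilege" uses are ipsnacl
! (standard named ACL) and ipenacl (extended named ACL).
privilege ipsnacl level 5 permit
privilege ipsnacl level 5 deny
privilege ipenacl level 5 permit
privilege ipenacl level 5 deny
!
! "show" is level 1 by default, so ordinary show commands need nothing here.
! Level-15 show commands (e.g. show running-config) stay at 15 unless moved.
```

Two checks are worth doing after applying this. Log in as `junior`, confirm `show privilege` reports level 5, then walk `configure terminal`, `interface fa1/0/1` and `?` to see exactly which commands were opened; `show running-config | include privilege` at level 15 lists the resulting entries. One caveat to keep in mind: assigning a multi-word command also lowers its prefixes, so `privilege configure level 5 ip access-list extended` lets the level-5 user type `ip` and `ip access-list`, but sibling commands such as `ip route` stay at 15 because they were never listed. Include `shutdown` only if the role really needs to take ports down.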