10-28-2007 06:25 PM - edited 03-10-2019 03:29 PM
I am trying to lock down my switches for my junior network engineers and have run into a problem for my sites without Radius/Tacacs.
I would like to set a privilege level that only allows admins to configure interfaces, ip access list, and show commands.
With ACS I set the commands I allow per user, but with no ACS it seems I must enter lots of extra lines.
i.e. (on a 3750 running c3750-advipservicesk9-mz.122-25.SEE1.bin)
privilege configure level 5 interface
privilege exec level 5 configure
I would expect this to allow me as a level 5 user to go to config mode and then perform any interface command.
instead:
SwitchB-3750#sho priv
Current privilege level is 5
SwitchB-3750#config t
^
% Invalid input detected at '^' marker.
SwitchB-3750#config
Configuring from terminal, memory, or network [terminal]? t
Enter configuration commands, one per line. End with CNTL/Z.
SwitchB-3750(config)#interface fa1/0/1
SwitchB-3750(config-if)#?
Interface configuration commands:
default Set a command to its defaults
exit Exit from interface configuration mode
help Description of the interactive help system
no Negate a command or set its defaults
SwitchB-3750(config-if)#
If I then enter:
SwitchB-3750(config)#privilege interface level 5 i
I can then do anything with an "i"
SwitchB-3750(config-if)#?
Interface configuration commands:
default Set a command to its defaults
exit Exit from interface configuration mode
help Description of the interactive help system
ip Interface Internet Protocol config commands
no Negate a command or set its defaults
I want them to be able to do anything. Am I missing a critical part?
Thank you,
Brant Hale
10-30-2007 08:26 AM
Hi Brant,
In this case you need to define priv lvl for all config t commands to level 5 or below.
So the user at level 5 would ONLY be able to execute config t commands with priv 5 or below.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
Regards,
~JG
Do rate helpful posts
10-30-2007 11:36 AM
Ok, just to make sure I am 100%
If I wanted to give a user the ability to
(config)#interface fa1/0/1
(config-if)#switchport mode access
privilege interface level 5 switchport mode access
privilege configure level 5 interface
privilege exec level 5 configure
If I want to give them all the options then I need to do something like this:
privilege interface level 5 a
privilege interface level 5 b
privilege interface level 5 c
privilege interface level 5 d
privilege interface level 5 e
privilege interface level 5 f
privilege interface level 5 g
?
Are there no wildcards? I want to be able to do the following:
privilege interface level 5 *
or
privilege interface all level 5
No chance?
Thanks for the reply.
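For the goal stated in the question (a level-5 operator limited to interface configuration, IP access lists and show commands, with no RADIUS/TACACS+), here is an added example of a complete IOS configuration fragment; it is not from any post in this thread. It assumes the IOS release supports the `all` keyword of the `privilege` command (which assigns a level to a command together with all of its sub-options) and the named-ACL submodes `ipsnacl`/`ipenacl`; `JuniorEng` and the secrets are placeholders.

```cisco
! Local accounts, so the level-5 login works without RADIUS/TACACS+
username JuniorEng privilege 5 secret <PLACEHOLDER-PASSWORD>
enable secret level 5 <PLACEHOLDER-LEVEL5-ENABLE-SECRET>
line vty 0 15
 login local
!
! Exec mode: spell out "configure terminal" so that "config t" works
! (with only "configure" granted, the thread shows "config t" is rejected
! while "config" followed by the [terminal] prompt is accepted).
! "all" on show grants every show sub-command at level 5.
privilege exec level 5 configure terminal
privilege exec all level 5 show
!
! Global config: only the entry points the operator needs
privilege configure level 5 interface
privilege configure level 5 ip access-list
!
! Interface submode. There is no per-mode wildcard: each top-level
! keyword is granted explicitly, and "all" then covers its sub-options
! (so "ip" here grants "ip address", "ip access-group", ... at once,
! the same prefix behaviour the thread observed with "i").
privilege interface all level 5 description
privilege interface all level 5 switchport
privilege interface all level 5 ip
privilege interface all level 5 shutdown
privilege interface all level 5 speed
privilege interface all level 5 duplex
privilege interface all level 5 spanning-tree
!
! Named ACL submodes (assumed mode names): permit/deny/remark entries
privilege ipsnacl all level 5 permit
privilege ipsnacl all level 5 deny
privilege ipsnacl all level 5 remark
privilege ipenacl all level 5 permit
privilege ipenacl all level 5 deny
privilege ipenacl all level 5 remark
!
! Verification from a level-5 session:
!   show privilege                        -> "Current privilege level is 5"
!   show running-config | include privilege
! Note that "no" and "default" are level 5 in each submode once the
! underlying keyword is, so the operator can also remove what they add.
```

Grant the interface keywords one at a time and check `?` in each submode from a level-5 session; every keyword omitted from the list above stays at level 15.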