12-17-2002 01:45 PM - edited 03-10-2019 07:04 AM
Is there a way to provide a user with configuration access on a device, but restrict the specific commands that the user can issue?
In other words let them get into config t and turn up an interface and assign an IP address, exit out, and write the change to memory - but prevent them from issuing any other commands that would modify the device config.
I would like to do this through my AAA server if possible, but will do locally if that is my only option.
12-17-2002 02:11 PM
Sure, there's a couple of ways you can do this.
First way is to assign a specific privilege level to the user via the AAA server, then on the router assign certain commands to that privilege level (http://www.cisco.com/warp/public/480/PRIV.html). This means adding a lot of configuration commands to your routers though.
Other way is to set up command authorization, and then add all the commands that the users can do onto the AAA server itself. You have to use TACACS for this, as Radius doesn't have this capability. You'd add the following into your router config:
> aaa authorization commands 15 default group tacacs+ none
and if you want them to be able to change certain parts of the config, then also add:
> aaa authorization config-commands
Then on the AAA server (I'll assume ACS NT here), under the user profile (or put these users in a specific group and change the group profile), in the TACACS section you'll see a Command Authorization section. If you want them to be able to do certain "show" commands, for example, then check the "Command" box, put "show" in the text box, then in the Arguments box put things like:
permit ip route
permit version
permit running-config
permit clock
then check the radio button to Deny Unlisted Arguments. If you hit Submit now and go back in, there'll be another box allowing you to enter another set of commands. Note that you need the word "permit" before all the command arguments just like I wrote above. Note also that it's easy to lock up your router config doing this, but you should be able to plug into the console port and change the config back, cause command authorization is disabled on the console by default, unless you specify the hidden command:
> aaa authorization console
but this is hidden for a reason, it's dangerous to use it cause you then have no fall back.
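As an added illustration (not part of the answer above, and not a configuration from Cisco's documentation), here is what the two approaches look like side by side on an IOS router for the exact task in the question: enter config mode, bring up an interface, set its IP address, exit, and write memory, with nothing else permitted. The privilege level (5), the TACACS+ server address, the shared secret, the account name and the passwords are all placeholders chosen for this example. With the first approach the AAA server only has to return the user's privilege level (in ACS NT that is the Shell/exec privilege level setting); with the second approach the router sends every command to the server and the per-command permit lines live there, as the answer describes.

```cisco
! --- Example added here; not from the original post. Placeholder values throughout. ---
aaa new-model
! Server definition: address and key are placeholders.
tacacs-server host 192.0.2.10 key PLACEHOLDER-SHARED-SECRET
! "local" at the end is the fall-back if the TACACS+ server is unreachable.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local

! --- Approach 1: privilege levels on the router ---
! Move only the commands this role needs down to level 5 (an arbitrary level
! between 2 and 14). Everything not listed here stays at level 15, so a level-5
! user cannot reach any other configuration command.
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 ip address
privilege interface level 5 shutdown
privilege interface level 5 exit
privilege exec level 5 write memory
privilege exec level 5 show running-config
! Local fall-back account at that level; the AAA server would normally return
! priv-lvl=5 for this user instead. Password and name are placeholders.
username ifadmin privilege 5 secret PLACEHOLDER-PASSWORD
enable secret level 5 PLACEHOLDER-ENABLE-PASSWORD

! --- Approach 2: per-command authorization on the TACACS+ server ---
! Each command at these levels is checked against the server; "none" means
! "allow if the server cannot be reached", which keeps you from being locked
! out when the server is down. The permit/deny lists for "configure",
! "interface", "ip", "no", "exit" and "write" are then entered on the server
! exactly as the answer describes for "show".
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization config-commands
! Deliberately NOT configured: "aaa authorization console". Leaving it out keeps
! the console port as the recovery path the answer mentions.
```

A practical check for either approach is to log in as the restricted user and confirm that `show privilege` reports the expected level and that a command outside the list (for example `router ospf 1` under config mode) is refused, while keeping a separate console session open until you have confirmed the server or privilege settings behave as intended. Note that assigning `shutdown` at a privilege level also covers its `no shutdown` form, since IOS authorizes the `no` form of a command together with the command itself.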