Is there a way to provide a user with configuration access on a device, but restrict the specific commands that the user can issue?
In other words let them get into config t and turn up an interface and assign an IP address, exit out, and write the change to memory - but prevent them from issuing any other commands that would modify the device config.
I would like to do this through my AAA server if possible, but will do locally if that is my only option.
Re: Restricting / Allowing specific config commands
Sure, there's a couple of ways you can do this.
First way is to assign a specific privilege level to the user via the AAA server, then on the router assign certain commands to that privilege level (http://www.cisco.com/warp/public/480/PRIV.html). This means adding a lot of configuration commands to your routers though.
Other way is to set up command authorization, and then add all the commands that the users can do onto the AAA server itself. You have to use TACACS for this, as Radius doesn't have this capability. You'd add the following into your router config:
> aaa authorization commands 15 default group tacacs none
and if you want them to be able to change certain parts of the config, then also add:
> aaa authorization config-commands
Then on the AAA server (I'll assume ACS NT here), under the user profile (or put these users in a specific group and change the group profile), in the TACACS section you'll see a Command Authorization section. If you want them to be able to do certain "show" commands, for example, then check the "Command" box, put "show" in the text box, then in the Arguments box put things like:
permit ip route
then check the radio button to Deny Unlisted Arguments. If you hit Submit now and go back in, there'll be another box allowing you to enter another set of commands. Note that you need the word "permit" before all the command arguments just like I wrote above. Note also that it's easy to lock up your router config doing this, but you should be able to plug into the console port and change the config back, cause command authorization is disabled on the console by default, unless you specify the hidden command:
> aaa authorization console
but this is hidden for a reason, it's dangerous to use it cause you then have no fallback.
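The following is an added example, not code from the original thread or from Cisco: a small Python model of the TACACS+ command-authorization flow the answer describes, so you can check a proposed command set against a command transcript before pushing it to the router. It assumes the ACS-style matching the answer explains (one rule per command word, "permit"/"deny" argument patterns treated as regular expressions, a "Deny Unlisted Arguments" flag), that IOS sends commands to the server in their expanded form (`configure terminal`, not `config t`), that `aaa authorization config-commands` is what decides whether config-mode commands are sent for authorization at all, and that the trailing `none` method on `aaa authorization commands 15 default group tacacs none` fails open when the TACACS server cannot be reached. The command set built in `build_example_policy()` is constructed to match the original question: enter config mode, bring up an interface, assign an address, exit, write memory, and nothing else.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CommandRule:
    """One 'Command' box on the server: a command word plus its argument rules."""
    command: str
    arguments: List[Tuple[str, str]] = field(default_factory=list)  # (action, regex)
    deny_unlisted: bool = True  # the "Deny Unlisted Arguments" radio button

    def allows(self, arg_string: str) -> bool:
        for action, pattern in self.arguments:
            if re.fullmatch(pattern, arg_string):
                return action == "permit"
        return not self.deny_unlisted


@dataclass
class CommandSet:
    """The per-user or per-group command set held on the AAA server."""
    rules: Dict[str, CommandRule]
    permit_unmatched: bool = False  # assumption: a command with no rule is denied

    def authorize(self, line: str) -> bool:
        parts = line.strip().split(None, 1)
        if not parts:
            return True
        command = parts[0]
        args = parts[1] if len(parts) > 1 else ""
        rule = self.rules.get(command)
        if rule is None:
            return self.permit_unmatched
        return rule.allows(args)


@dataclass
class RouterAaa:
    """Router-side view of 'aaa authorization commands 15 default group tacacs none'."""
    command_set: CommandSet
    config_commands: bool = True   # 'aaa authorization config-commands' present (assumed semantics)
    server_reachable: bool = True  # when False the 'none' method applies and nothing is denied

    def authorize(self, line: str, in_config_mode: bool) -> Tuple[bool, str]:
        if in_config_mode and not self.config_commands:
            return True, "config-mode command not sent to server"
        if not self.server_reachable:
            return True, "TACACS unreachable; 'none' method fails open"
        ok = self.command_set.authorize(line)
        return ok, "server permitted" if ok else "server denied"


def run_session(aaa: RouterAaa, lines: List[str]) -> List[Tuple[str, bool, str]]:
    """Authorize a command transcript in order, tracking EXEC vs configuration mode."""
    results = []
    depth = 0  # 0 = EXEC, 1 = global config, 2 = a submode such as interface
    for line in lines:
        ok, why = aaa.authorize(line, depth > 0)
        results.append((line, ok, why))
        if not ok:
            continue  # a denied command never changes mode
        first = line.split()[0] if line.split() else ""
        if first == "configure":
            depth = 1
        elif first in ("interface", "router", "line") and depth > 0:
            depth += 1
        elif first == "exit" and depth > 0:
            depth -= 1
        elif first == "end":
            depth = 0
    return results


def build_example_policy() -> RouterAaa:
    """Constructed command set: only what the original question asks to allow."""
    rules = {
        "show": CommandRule("show", [("permit", r"ip route")]),
        "configure": CommandRule("configure", [("permit", r"terminal")]),
        "interface": CommandRule("interface", [("permit", r"\S+")]),
        "ip": CommandRule("ip", [("permit", r"address \S+ \S+")]),
        "no": CommandRule("no", [("permit", r"shutdown")]),
        "exit": CommandRule("exit", [("permit", r"")]),
        "end": CommandRule("end", [("permit", r"")]),
        "write": CommandRule("write", [("permit", r"memory")]),
    }
    return RouterAaa(CommandSet(rules))


# Constructed transcript of the change the question wants to allow.
EXAMPLE_SESSION = [
    "configure terminal",
    "interface GigabitEthernet0/1",
    "ip address 192.0.2.1 255.255.255.0",
    "no shutdown",
    "exit",
    "exit",
    "write memory",
]

if __name__ == "__main__":
    for line, ok, why in run_session(build_example_policy(), EXAMPLE_SESSION + ["show running-config"]):
        print(f"{'PERMIT' if ok else 'DENY  '} {line:<40} ({why})")
```

Two things worth checking with this model before deploying a real set: anything not in the allow list (here `router ospf 1`, `hostname`, `show running-config`) must come back denied, and flipping `server_reachable` to False shows what the `none` fallback does, which is why the answer warns that it is easy to lock yourself out or, conversely, to lose enforcement when the server is down.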