Cisco Support Community
Community Member

Set up different privileges on router

Hello,

We have a Cisco 1841 router that requires 2 levels of access. At the moment we have network admins logging in with a single username via SSH and with privilege 15, but we also need our helpdesk to log in to run certain commands but not change anything. Is this possible?

I'm sure if I see an example then it will make some sense.

Regards

4 REPLIES

Set up different privileges on router

There are two ways of doing this:

  1. with privilege levels, which I find quite difficult to configure and manage,
  2. with CLI views, which are much more flexible, and allow you to say which individual commands a particular user is allowed to use.

Here is a doc to get you started:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cfg/configuration/12-4t/sec-role-base-cli.html

Kevin Dorrell

Luxembourg

Community Member

Re: Set up different privileges on router

Hi,

I've not heard of CLI views before.  I did have a go at configuring privileges like below:

privilege configure level 3 interface

privilege exec level 3 show ip interface brief

privilege exec level 3 show ip interface

privilege exec level 3 show ip

privilege exec level 3 show running-config

privilege exec level 3 show

privilege exec level 3 exit

You can see the commands I want the helpdesk to use, is this something a view can do then?

PS I forgot to mention I'm trying to combine this with Windows radius too (Windows 2008)

Thanks

Set up different privileges on router

Yes, CLI views can do that more or less, but in a different way.  Rather than assigning a hierarchical set of privilege levels, where if you have level 3 you have 2 and 1 as well, you define a set of commands that the view profile is allowed. You then attach the username to the view. Each view profile sees only its own available commands; there is no automatic inheritance of commands from the lower levels.

Kevin Dorrell

Luxembourg

Community Member

Set up different privileges on router

This does sound good!

I have just been asked, can we have the usual admin priv 15 on an account, which I said yes and then I have been asked if this "custom" user can just do "show run" and "shut" and "no shut" on ports?

Thanks
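A sketch of the CLI view approach discussed in this thread, added here as an example and not posted by any participant. It assumes local authentication rather than RADIUS; the view name HELPDESK, the usernames admin1 and helpdesk1, and every `<...>` value are placeholders.

```cisco
! Constructed example; HELPDESK, admin1, helpdesk1 and <...> are placeholders.
! Views require AAA and an enable secret (the root view authenticates with it).
aaa new-model
aaa authentication login default local
aaa authorization exec default local
enable secret <enable-secret>
!
! Views can only be created from the root view: in exec mode run
! "enable view", authenticate with the enable secret, then re-enter
! configuration mode before the lines below.
!
! The first three "commands" lines are the read-only commands from the thread.
! The last four are only needed for the shut / no shut requirement.
parser view HELPDESK
 secret <view-secret>
 commands exec include show ip interface brief
 commands exec include show ip interface
 commands exec include show running-config
 commands exec include configure terminal
 commands configure include interface
 commands interface include shutdown
 commands interface include no shutdown
!
! Admins keep privilege 15; the helpdesk account is placed in the view at login.
username admin1 privilege 15 secret <admin-secret>
username helpdesk1 view HELPDESK secret <helpdesk-secret>
!
! Check from a helpdesk session: "show parser view" names the active view,
! and "?" lists only the commands included above.
```

The last four `commands` lines let the view shut down any interface, including the one the SSH session arrives on; leave them out for a strictly read-only helpdesk role.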
