06-13-2006 07:24 AM
I want to back up the vlan.dat file from switches without using the enable password (level 15). With TFTP, it doesn't work. Using a script with the cisco-flash MIBs it's OK, but that is not included in CiscoWorks. Another way would be using SNMPv3, but that was not successful either. Also, using ACS and a user with level 3 privileges allows launching some commands, but we get an error message. So, any idea?
06-13-2006 09:33 PM
LMS 2.5 will do an "enable 15" and fail if the privilege level is not 15. Earlier versions of LMS did not use the "15" modifier. While you might not like LMS logging in with enable 15 access, you could use ACS plus command authorization, and limit which commands your LMS user can actually run. That is, assume you have a user lmsuser. This user can login to the device, and will automatically get level 15 access, but this user will only be able to run certain commands. In particular, it needs to be able to run "term length 0", "show privilege", and "copy flash:vlan.dat tftp:".
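The approach described in this reply (let the LMS user land at level 15, but use ACS command authorization so it can only run the handful of commands the backup needs) has a device-side half that is not shown in the thread. The following is an added IOS configuration example, not text from the original post or from Cisco; the hostname, TACACS+ server address, shared key, user name `lmsuser` and the VTY range are assumed values. The ACS side (a shell command authorization set that permits only `terminal length 0`, `show privilege` and `copy flash:vlan.dat tftp:` and denies everything else, assigned to the group that `lmsuser` belongs to) is configured in the ACS GUI and is only described in the comments.

```ios
! Added example: IOS side of ACS command authorization for an LMS/RME user.
! Assumed values: TACACS+ server 192.0.2.10, key EXAMPLE-SHARED-KEY, user lmsuser.
! On ACS (not shown), give lmsuser's group privilege level 15 and a shell
! command authorization set that permits ONLY:
!   terminal length 0
!   show privilege
!   copy flash:vlan.dat tftp:
! with "deny unmatched commands" set, so any other command is refused.
aaa new-model
!
! Login and enable are checked against ACS; "local"/"enable" are fallbacks
! for console recovery when ACS is unreachable.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! EXEC authorization lets ACS hand lmsuser privilege level 15 at login,
! which is what LMS 2.5 expects when it issues "enable 15".
aaa authorization exec default group tacacs+ local
!
! Every level-15 command is sent to ACS for a permit/deny decision before it
! runs. This is the line that restricts lmsuser to the three commands above.
! Note the dependency: with only "group tacacs+" listed, commands are denied
! if ACS is down, which is the trade-off the original poster objects to.
aaa authorization commands 15 default group tacacs+
!
! Keep an audit trail of what the LMS user actually executed.
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE-SHARED-KEY
!
line vty 0 4
 transport input ssh
```

Once this is in place, a `copy flash:vlan.dat tftp:` from `lmsuser` is permitted while, for example, `configure terminal` or `erase startup-config` from the same session is rejected by ACS, which is the least-privilege outcome the reply is describing. Verify with `show privilege` after login (it should report level 15) and with the ACS failed-attempts log, which records each denied command.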
06-14-2006 11:20 AM
Thanks for your quick answer.
I don't use TACACS+ command authorization because it leaves a configuration that depends on ACS.
In fact, I use RADIUS authorization with "aaa authorization exec default ...." That allows the use of priv-lvl=3.
So I would prefer the SNMPv3 mechanism. My question is: is it possible that way?
Regards
guy
06-14-2006 12:12 PM
Not with RME. RME must be able to use an interactive login to copy the vlan.dat to a TFTP server.
06-14-2006 09:19 PM
AFAIK, if more security is required, it can also be done with SSH and SCP, but using an interactive login on the machine.
Cheers,
Michel
06-14-2006 09:42 PM
If you mean via RME, yes you can use SSH as the interactive login protocol, but the copy operation always happens over TFTP (i.e. copy flash:vlan.dat tftp:). The only daemon we know will be available on the server on both Windows and Solaris for configuration purposes is tftp (software upgrades can assume an rcp daemon running on the server).
06-14-2006 09:58 PM
Thanks. To be more precise, the Cisco equipment will be outsourced, but these people must not know the level 15 enable password, which is why I was trying to determine whether SNMPv3 could be the best solution.
guy