User Rights in Catalyst Switch

kutscher
Level 1

Hi All,

I need to create a user for a Catalyst 4500 Switch with restricted rights - let's say the ability to the VLAN_ID of the ports.

Is that possible? How?

Thanks in advance!

-Cristian Kutscherauer

6 Replies

peterbe
Level 1

Not sure if you are running CatOS or IOS? The following link might help for IOS:

http://www.cisco.com/en/US/customer/products/hw/switches/ps4324/products_configuration_guide_chapter09186a008019d0ea.html#1021678

Not sure what is available for CatOS.

Christian:

With CatOS and a TACACS server: create a CiscoSecure group and restrict the available command set with group settings. Then use the 'set authorization commands ...' command on the switch. I've set this up to allow some admins to only use the 'show port' and 'set vlan xyz' commands.

If you need more details or snippets of config, post again and I'll send some along.

Regards,

Rich

Hi Rich,

First, thank you very much for your reply.

It happens that I'm the only one needing to access and configure the VLAN ports (yes, using the set vlan command and/or int f0/1; switchport trunk native vlan xyz); however, the people who have access don't know how to configure it.

So it would be great if you could provide some sample configs.

Tks Again!

_CK

For the tacacs server, basically what I did was create a CiscoSecure group called Support. I edited the group settings to allow only the 'enable' command, and the 'set' command with 'permit vlan xxx' as permitted arguments. I then mapped this CiscoSecure group to a Win2k AD group which contained Support accounts. Then added this config to my Cat switches:

#tacacs+
set tacacs server 10.4.50.220 primary
set tacacs key xxxxx
!
#authentication
set authentication login tacacs enable telnet primary
!
#authorization
set authorization exec enable tacacs+ none telnet
set authorization commands enable config tacacs+ none console
set authorization commands enable config tacacs+ none telnet

Users in the Support group can now only run the commands configured on the CiscoSecure settings.

Rich

Hi Pete. It would be for both CatOS and IOS - but having it fixed only for IOS would be great too.

Unfortunately I don't have access to the link that you sent to me. Do you know if there is any public article?

Tks again!!!

_CK

Try this link:

http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a008019d0ea.html#1021679

I have not tried to implement this; only ever read about it.

If you are using a RADIUS/TACACS server, it would be worth testing Rich's example for both CatOS and IOS, as it makes it easier to change access when required.

Peter
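As an added example that is not part of the thread, this is the IOS-side counterpart of Rich's CatOS AAA configuration, for a Catalyst 4500 running IOS as Peter suggests testing. The server address and key are the placeholders from Rich's post; as in his setup, the permitted command list (e.g. 'interface' and 'switchport trunk native vlan') is defined per group on the TACACS+ server, not on the switch.

```cisco
! IOS equivalent of the CatOS TACACS+ snippet above (added example)
aaa new-model
!
! TACACS+ server - same placeholder address and key as the CatOS config
tacacs-server host 10.4.50.220
tacacs-server key xxxxx
!
! Authentication: login and enable via TACACS+, local/enable-secret fallback
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorization: exec shell, then every command is checked against the
! server's per-group permitted list. "none" mirrors Rich's CatOS config
! (fall open when the server is unreachable); use "local" instead if you
! would rather fall back to local privilege levels than allow everything.
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
!
! Required so that configuration-mode commands such as
! "switchport trunk native vlan" are also sent to the server for
! authorization; without it only exec-mode commands are checked.
aaa authorization config-commands
!
! Record what each restricted user actually ran
aaa accounting commands 15 default start-stop group tacacs+
```

Verify from a test session with 'show privilege' and by attempting a command outside the group's list, which should be rejected with "Command authorization failed".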