Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

User Rights in Catalyst Switch

Hi All,

I need to create a user for a Catalyst 4500 Switch with restricted rights - let's say the ability to the VLAN_ID of the ports.

Is that possible? How?

Thanks in advance!

-Cristian Kutscherauer

6 REPLIES
Community Member

Re: User Rights in Catalyst Switch

Not sure if you are running catos or ios? The following link might help for IOS:

http://www.cisco.com/en/US/customer/products/hw/switches/ps4324/products_configuration_guide_chapter09186a008019d0ea.html#1021678

Not sure what is available for catos.

Community Member

Re: User Rights in Catalyst Switch

Christian:

With catos and a tacacs server: create a ciscosecure group and restrict the available command set with group settings. Then use the 'set authorization commands.." command on the switch. I've set this up to allow some admins to only use the 'show port' and 'set vlan xyz' commands.

If you need more details or snippets of config, post again and I'll send some along.

Regards,

Rich

Community Member

Re: User Rights in Catalyst Switch

Hi Rich,

First, thank you very much for your reply.

It happens that I'm the only one needing to access and configure the VLAN ports (yes, using the set vlan command and/or int f0/1; switch port trunk native vlan xyz) however the people who have access, they don't know how to configure it.

So it would be great if you could provide some sample configs.

Tks Again!

_CK

Community Member

Re: User Rights in Catalyst Switch

For the tacacs server, basically what I did was create a CiscoSecure group called Support. I edited the group settings to allow only the 'enable' command, and the 'set' command with 'permit vlan xxx' as permitted arguments. I then mapped this CiscoSecure group to a Win2k AD group which contained Support accounts. Then added this config to my Cat switches:

#tacacs+

set tacacs server 10.4.50.220 primary

set tacacs key xxxxx

!

#authentication

set authentication login tacacs enable telnet primary

!

#authorization

set authorization exec enable tacacs+ none telnet

set authorization commands enable config tacacs+ none console

set authorization commands enable config tacacs+ none telnet

Users in the Support group can now only run the commands configured on the CiscoSecure settings.

Rich

Community Member

Re: User Rights in Catalyst Switch

Hi Pete. It would be for both catos and ios - but having it fixed only for ios would be great too.

Unfortunately I don't have access to the link that you sent to me. Do you know if there is any public article?

Tks again!!!

_CK

Community Member

Re: User Rights in Catalyst Switch

Try this link:

http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a008019d0ea.html#1021679

I have not tried to implement this; only ever read about it.

If you are using a RADIUS/TACACS server, would be worth testing Rich's example for both CATOS & IOS as it makes it easier to change access when required.

Peter

97
Views
0
Helpful
6
Replies
CreatePlease to create content