Cisco Support Community
New Member

Restricting access to specific Catalyst commands

Is it possible to restrict access to certain commands on a per-user basis using TACACS+ for AAA? Basically we would like to permit local support staff to move ports between existing VLANs without letting them use any other commands. I have read about restricting commands at different levels, but this appeared to give them access to all 'set' commands, which would not be desirable.

Any information would be much appreciated. Thanks.

3 REPLIES
New Member

Re: Restricting access to specific Catalyst commands

I don’t think your restrictions can be that granular. You might run it by Cisco. Does anyone else out there have any ideas?

New Member

Re: Restricting access to specific Catalyst commands

I have not implemented the same restrictions on our Catalyst switches as I have with our routers. But with TACACS+ and routers it is very granular. For instance, I can permit a user to do a show run but deny everything else. If you tried to permit a user to do this with local privilege levels, you would end up giving them everything.

New Member

Re: Restricting access to specific Catalyst commands

I know for sure that if you're using ACS on Unix you can specify, with the attribute "cmd", what a user can do. If you apply the attribute cmd in a user's profile, the default for him/her would be telnet. But before you do that you need to specify the privilege level for the user. You can set a user to privilege level 1 and let him do show ver, copy running-config to tftp and so on. I think that all these options are available in TACACS+ on W2K, but I can't tell for sure.

That's all. Hope this will help you.

Kostas
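An added example, not part of any reply in this thread, of what the per-command "cmd" authorization the replies describe looks like when written out. It uses the configuration syntax of the open-source Shrubbery tac_plus daemon for the server side and IOS for the switch side; ACS expresses the same permit/deny-per-command idea through its GUI. The account name, shared key, server address and the interface naming are placeholders chosen for the example. The CatOS part is shown only from the server's point of view, because the daemon only ever sees the command name and its arguments; on a CatOS switch the matching 'set authorization commands' settings still have to be enabled per the command reference for that release.

```text
# ----- TACACS+ server: tac_plus.conf (Shrubbery syntax) -----
key = "REPLACE-WITH-SHARED-SECRET"      # assumption: same key configured on the switches

user = helpdesk {                       # hypothetical local-support account
    login = cleartext "REPLACE-ME"      # use des/PAM in a real deployment
    service = exec {
        priv-lvl = 15                   # the level alone grants nothing once
    }                                   # command authorization is on: each
                                        # command below is checked separately.
    # Anything without a matching cmd block is denied by default.

    # IOS switch: move an access port between existing VLANs, nothing else.
    # Regexes are anchored so 'vlan 10 ; shutdown' style arguments cannot slip through.
    cmd = configure  { permit "^terminal$" }
    cmd = interface  { permit "^(Fast|Gigabit)Ethernet[0-9]+/[0-9]+$" }
    cmd = switchport { permit "^access vlan [0-9]+$" }
    cmd = end        { permit "^$" }
    cmd = exit       { permit "^$" }
    cmd = show       { permit "^vlan( brief)?$"
                       permit "^interfaces .* switchport$" }

    # CatOS switch: same intent for 'set vlan <vlan> <mod/port>'; every other
    # 'set ...' (set port, set password, ...) falls through to the deny.
    cmd = set        { permit "^vlan [0-9]+ [0-9]+/[0-9]+(-[0-9]+)?$"
                       deny   ".*" }
}

! ----- IOS switch side -----
aaa new-model
tacacs-server host 192.0.2.10 key REPLACE-WITH-SHARED-SECRET
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting commands 15 default start-stop group tacacs+
```

Two things to check before relying on this: the 'if-authenticated' fallback means every command is permitted for an already-logged-in user if the TACACS+ server becomes unreachable, which keeps you from being locked out but is a trade-off to make deliberately; and command accounting ('aaa accounting commands') is what lets you confirm from the server log that the helpdesk user was actually stopped at anything other than the permitted 'switchport access vlan' or 'set vlan' forms.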
