Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Privilege levels

In order to authorize level 7 users to execute  the command clear line tty on a Cisco Router, I configured the following:

Router(config)# privilege exec level 7 clear line tty

but now the “clear line” is enabled with ALL the sub-options. Is it possible to filter and allow only one sub-option (i.e. tty)?

Thanks in advance,

Davide

6 REPLIES

Re: Privilege levels

You could put all of your sub options under a higher privilege level...

privilege exec level 8 clear line aux

privilege exec level 8 clear line cons

privilege exec level 8 clear line vty

etc...

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
Community Member

Privilege levels

Hi John,

I've tried the following sequence:

privilege exec level 8 clear line aux

privilege exec level 8 clear line cons

privilege exec level 8 clear line vty

privilege exec level 7 clear line tty

but the “clear line” is still enabled with ALL the sub-options.

I've also tried the reverse sequence:

privilege exec level 7 clear line tty

privilege exec level 8 clear line aux

privilege exec level 8 clear line cons

privilege exec level 8 clear line vty

but now "clear" is no more enabled for level 7,

Davide

Privilege levels

Davide,

This is interesting. From what I'm seeing, it's only taking effect on the "clear line" and not any of the sub-options. In fact, when you change the privilege level it changes the level for the main clear. I also tried this using views, and it's the same result. It looks like giving permissions to clear line gives permissions to everything under it. Below is the result from trying to configure it with a view:

R5(config-view)#do sh run | s parser

parser view Line

secret 5 $1$uqx0$YN3MOzb0yzwrRAlKs9RYU/

commands exec include clear line

commands exec include clear

R5(config-view)#commands exec exclude ?

  LINE  Keywords of the command

  all   wild card support

R5(config-view)#commands exec exclude clear line console

% Command present in 'include' mode

As you can see, I was trying to exclude clearing the console line, but it shows that it's included in the view already, but above it shows that it's only including the parent.

Maybe someone else has ran into this, but it doesn't look like it's a doable option.

Below is the change that's being made when trying to specify the sub-option. It changes the whole class:

R5(config)#do sh run | i privil

username test privilege 7 view Line password 0 test

privilege exec level 8 clear sampler

privilege exec level 7 clear line

privilege exec level 7 clear

R5(config)#privilege exec level 8 clear line console

R5(config)#do sh run | i privil

privilege exec level 8 clear sampler

privilege exec level 8 clear line

privilege exec level 8 clear

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
Community Member

Privilege levels

Hi John, thanks a lot for your effort in trying to solve the question...

We're waiting for further help...

Davide

Super Bronze

Re: Privilege levels

Disclaimer

The   Author of this posting offers the information contained within this   posting without consideration and with the reader's understanding that   there's no implied or expressed suitability or fitness for any purpose.   Information provided is for informational purposes only and should not   be construed as rendering professional advice of any kind. Usage of  this  posting's information is solely at reader's own risk.

Liability Disclaimer

In   no event shall Author be liable for any damages whatsoever (including,   without limitation, damages for loss of use, data or profit) arising  out  of the use or inability to use the posting's information even if  Author  has been advised of the possibility of such damage.

Posting

An alternative approach would be to consider AAA with TACACS for granular command control.

Community Member

Re: Privilege levels

Hi Joseph, thanks for your suggestion.Unfotunately we have a RADIUS server in our infrastructure, so we have to set this permission locally on network device.

Davide

314
Views
5
Helpful
6
Replies
CreatePlease to create content