
User access to router

Hi,

In my enterprise network we have 55 locations, and each location is connected to the data center by an 1800 router, and at each location we have an FM engineer to manage the local site.

My problem is that we maintain and manage the router from the data centre, but sometimes we have to give the local FM engineer access to the router.

For this, can we have one user with specific rights to run some commands on the router? If yes, I want to give the following rights to the local engineer to see the router status, i.e.:

sh int s0/0

sh ip account output

sh int bri0/0

sh isdn act

Thanks in advance.

1 ACCEPTED SOLUTION


Re: User access to router

Hi,

This configuration may help you:

username xxxx privilege 15 password xxxx

username xxxx privilege 5 password xxxx

privilege exec level 5 show interfaces

privilege exec level 5 show ip accounting

privilege exec all level 5 show

line vty 0 4

password xxxx

login
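An added example, not part of the thread and not Cisco code: a small Python check run over the accepted answer's configuration, flagging user passwords stored with `password` instead of `secret`, the `all` keyword that grants every `show` sub-command at level 5, and a vty `login` without `local`, which checks the line password so the `username` privilege levels are never applied. The user names `admin` and `fm` and the check names are placeholders chosen here, and the last check assumes no `aaa new-model` is configured.

```python
import re

# Constructed sample: the accepted answer's configuration, laid out as
# "show running-config" prints it (sub-commands indented), with placeholder
# user names and the keyword "interfaces" spelled out.
ACCEPTED = """\
username admin privilege 15 password xxxx
username fm privilege 5 password xxxx
privilege exec level 5 show interfaces
privilege exec level 5 show ip accounting
privilege exec all level 5 show
line vty 0 4
 password xxxx
 login
"""

USER_RE = re.compile(r"username (\S+)(?: privilege (\d+))?(?: (password|secret)\b)?")
PRIV_RE = re.compile(r"privilege exec (all )?level (\d+) (.+)")

def audit(config):
    """Return (check, detail) findings for a Cisco IOS configuration text."""
    findings, vty = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):      # a global command closes any line block
            vty = line if line.startswith("line vty") else None
        user, priv = USER_RE.match(line), PRIV_RE.match(line)
        if user and user.group(3) == "password":
            # "password" is kept in clear text or reversible type 7; "secret" is hashed
            findings.append(("WEAK_USER_PASSWORD", user.group(1)))
        if priv and priv.group(1):
            # "all" moves every sub-command under the prefix, not only the listed ones
            findings.append(("WILDCARD_GRANT", f"level {priv.group(2)}: {priv.group(3)} *"))
        if vty and line == "login":
            # Without "local" (and, as assumed here, without AAA) the line password
            # is checked, so no username and no per-user privilege level applies
            findings.append(("LINE_PASSWORD_LOGIN", vty))
    return findings

if __name__ == "__main__":
    for check, detail in audit(ACCEPTED):
        print(f"{check:22} {detail}")
```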

4 REPLIES

Re: User access to router

Please check privilege levels that work with AAA to make this work.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml

Sankar

PS: please remember to rate posts!

Re: User access to router

Hello,

This can be done by assigning the commands to specific privilege levels and granting the FM engineer a login with the same privilege level. Additional information can be found here:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00803f3bb7.html

Also, if you are using an AAA solution, allow for local authentication as a fallback method in case the link is down and you need the FM engineer to have access. Another option would be to have an out-of-band connection (e.g. modem) to the console of the router, so you can dial in and get the necessary outputs.

Hope this helps.

Regards,

James

Re: User access to router

Hello,

in addition to James' and Sankar's posts, you could also configure a menu, which is sort of a user-friendly screen with options from which your firewall engineer can choose. In the sample configuration below, the firewall engineer would log on to the router with the following command:

telnet x.x.x.x 3001

where x.x.x.x is the IP address of the router. Only one VTY (Telnet) line is reserved for the firewall engineer, leaving the other 4 VTY lines for you to access. Just make sure that when you try to telnet to the router, you specify another port (e.g. telnet x.x.x.x 3002).

When your firewall engineer logs on to the router with the username FW and the corresponding password, he (or she) will automatically be presented with the menu.

Obviously you will need to tell your engineer to use the correct syntax (port 3001 in this example) when telnetting, in order for the access to work correctly.

username FW password 0 cisco

username FW autocommand menu LOCALSITE

!

menu LOCALSITE title "Menu for FW engineers"

menu LOCALSITE prompt "Choose your selection: "

menu LOCALSITE text 1. Show interface serial0/0

menu LOCALSITE command 1. show interfaces serial0/0

menu LOCALSITE options 1. pause

menu LOCALSITE text 2. Show ip accounting output

menu LOCALSITE command 2. show ip accounting output

menu LOCALSITE options 2. pause

menu LOCALSITE text 3. Show interface bri0/0

menu LOCALSITE command 3. show interfaces bri0/0

menu LOCALSITE options 3. pause

menu LOCALSITE text 4. Show isdn active

menu LOCALSITE command 4. show isdn active

menu LOCALSITE options 4. pause

menu LOCALSITE text 5. Exit

menu LOCALSITE command 5. exit

menu LOCALSITE clear-screen

!

line vty 0

login local

rotary 1

Moving commands to a specific privilege level, as mentioned by James, would look like this (again, only one VTY line is reserved for your firewall engineer). In this sample configuration, the commands you specified are moved to the lowest exec level (0). When your firewall engineer telnets to the router with:

telnet x.x.x.x 3001

the engineer would remain in user mode, but be able to execute the commands that have been moved to that exec level:

username FW privilege 0 password cisco

!

privilege exec level 0 show interfaces

privilege exec level 0 show ip accounting

!

line vty 0

login local

privilege level 0

rotary 1

Regards,

Nethelper
