Restricted Cisco IOS User Account - Custom View

Posted on 2011-09-08
Last Modified: 2012-05-12

I would like to create a Cisco IOS user account on a Cisco 1142 access point for our helpdesk so they can add MAC addresses to access-list 700.

However, I would like to restrict access to only the commands needed to create that access list.

For example, the helpdesk should be able to log in to the access points and access only the exact commands required to add a MAC address to access-list 700.

Could anyone please help with this configuration?
Question by: Suncore
Accepted Solution by: jmeggers (earned 500 total points)
ID: 36506464
It's been a long time since I've set it up, but what you're looking for is command authorization. I've never done it on an 1142, though, so I can't say for certain that it's supported, but if it's IOS it should be. The basic description is that the user authenticates at a particular "level" (0 is lowest, 15 is full privilege) and then you assign whatever commands you want that user to be able to execute to be at that level. One of the tricks is that, depending on the commands, you may have to allow some commands so the user can get to the other ones. For example, "configure terminal" and "interface" to allow the user to execute the "ip address" command on an interface. There are other commands required to enable the feature, specifically aaa authorization, which you would almost certainly want to do locally, but it can also be done on an ACS server if you're using RADIUS for AAA going to the ACS.

I'm not finding a comprehensive description on how to set it up. I know you have to configure AAA authorization for different types of commands (exec mode, etc.) and then you use the privilege command to specify the commands that can be executed by a user at that privilege level. See http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfpass.html#wpmkr1029916 for more information on that.

I'll see if I can dig up an old config that might help.
Expert Comment by: jmeggers
ID: 36506539
Here's a sample config from some training. It should give you an idea of how it works. I can't promise the syntax is the same, and you'll have to identify what commands they specifically need to be able to execute.

! aaa new-model must be enabled before any aaa authorization command is accepted.
aaa new-model
! Named exec authorization method list "VTY", checked against the local user database.
aaa authorization exec VTY local

! The account lands at privilege level 5 once exec authorization succeeds.
username User2 privilege 5 password xxxxxxxx

! Commands moved down to level 5. The parent command ("configure", "ip") is
! moved along with the more specific one so the user can actually reach it.
privilege exec level 5 configure terminal
privilege exec level 5 configure
! The "interface" and "router" config-mode commands must also be at level 5,
! otherwise the sub-mode commands below cannot be reached.
privilege configure level 5 interface
privilege configure level 5 router
privilege router level 5 redistribute
privilege router level 5 network
privilege interface level 5 ip address
privilege interface level 5 ip

! Apply the method list to the vty lines.
line vty 0 4
 authorization exec VTY
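Applying the same privilege-level approach to the original question (a helpdesk account that may only maintain MAC access-list 700), as an added example that is not part of either post. It assumes an autonomous IOS image on the 1142; the username and secret are placeholders and each command should be verified against the AP's own IOS release.

```cisco
! Added example (not from either post): helpdesk account limited to
! maintaining MAC access-list 700 on an autonomous IOS access point.
! "helpdesk" and the secret are placeholders.
!
! Create the level-15 admin account first: once aaa new-model is on,
! console and vty logins are both authenticated against the local
! database, and a missing admin account locks you out.
username admin privilege 15 secret REPLACE_WITH_ADMIN_SECRET
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! Level 5 sits between user EXEC (1) and full privilege (15). The account
! inherits every level-1 command (including the default "show" commands)
! plus whatever is moved down to level 5 below.
username helpdesk privilege 5 secret REPLACE_WITH_HELPDESK_SECRET
!
! Parent commands must be reachable before the target command is usable,
! so "configure" is moved along with "configure terminal".
privilege exec level 5 configure terminal
privilege exec level 5 configure
!
! Moves the "access-list" family in global config mode to level 5.
! Scope caveat: this covers every numbered access-list statement, not
! only 700, so the account can edit other numbered ACLs on the AP too.
privilege configure level 5 access-list
!
! Let the account save its change.
privilege exec level 5 write memory
privilege exec level 5 write
!
! A helpdesk session would then look like this (constructed sample MAC):
!   configure terminal
!   access-list 700 permit 0011.2233.4455 0000.0000.0000
!   end
!   write memory
!   show access-lists
```

Confirm the result with "show privilege" after logging in as the helpdesk user, and check that a command outside the delegated set (for example "interface") is rejected at level 5 before handing the account over.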