Restricted Cisco IOS User Account - Custom View

Posted on 2011-09-08
Last Modified: 2012-05-12
Re - Restricted Cisco IOS User Account - Custom View

I would like to create a Cisco IOS user account on a Cisco 1142 access point for our helpdesk so they can add MAC addresses to access-list 700.

However, I would like to restrict access to only the commands needed to create that access list.

For example, the helpdesk should be able to log in to the access points and access only the exact commands required to add a MAC address to access-list 700.

Could anyone please help with this configuration?
Question by:Suncore

Accepted Solution

by: jmeggers earned 2000 total points
ID: 36506464
Been a long time since I've set it up, but what you're looking for is command authorization. I've never done it on an 1142, though, so I can't say for certain that it's supported, but if it's IOS it should be. Basic description is the user authenticates at a particular "level" (0 is lowest, 15 is full privilege) and then you assign whatever commands you want that user to be able to execute to be at that level. One of the tricks is that, depending on the commands, you may have to allow some commands to allow the user to get to the other ones. For example, "configure terminal" and "interface" to allow the user to execute the "ip address" command on an interface. There are other commands required to enable the feature, specifically aaa authorization, which you would almost certainly want to do locally, but it can also be done on an ACS server if you're using RADIUS for AAA going to the ACS.

I'm not finding a comprehensive description on how to set it up. I know you have to configure AAA authorization for different types of commands (exec mode, etc.) and then you use the privilege command to specify the commands that can be executed by a user at that privilege level. See http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfpass.html#wpmkr1029916 for more information on that.

I'll see if I can dig up an old config that might help.

Expert Comment

by:jmeggers
ID: 36506539
Here's a sample config from some training.  It should give you an idea of how it works.  I can't promise the syntax is the same, and you'll have to identify what commands they specifically need to be able to execute.

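! AAA has to be enabled before the aaa authorization command is accepted
aaa new-model
! Named method list "VTY": exec authorization (privilege level) comes from the local user database
aaa authorization exec VTY local

! This user is placed at privilege level 5 at login
username User2 privilege 5 password xxxxxxxx

! Commands moved down to level 5, per configuration mode
privilege router level 5 redistribute
privilege router level 5 network
privilege interface level 5 ip address
privilege interface level 5 ip
privilege exec level 5 configure terminal
privilege exec level 5 configure

! Apply the method list to the vty lines
line vty 0 4
 authorization exec VTY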
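
Applied to the original question (a helpdesk login that can only add entries to access-list 700), the privilege-level approach from the answers above could look like the following. This is an added example, not a config from either poster; the username, secret and MAC address are placeholders, and support on the 1142 is assumed as in the accepted answer.

```cisco
! Added example: helpdesk account limited to MAC access-list edits.
! Username, secret and MAC address are constructed placeholders.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! The helpdesk account lands at privilege level 5 at login (no enable needed).
username helpdesk privilege 5 secret <placeholder-secret>
!
! Level 5 may enter global configuration mode.
privilege exec level 5 configure terminal
!
! Level 5 may use access-list in global configuration mode.
! This lowers the whole access-list command, not only list 700.
privilege configure level 5 access-list
!
! Illustrative helpdesk session (constructed):
!   ap# show privilege
!   Current privilege level is 5
!   ap# configure terminal
!   ap(config)# access-list 700 permit 0011.2233.4455 0000.0000.0000
!   ap(config)# end
```

Log in as the helpdesk account and confirm with `show privilege` and `?` in each mode that nothing beyond the intended commands is offered. Saving to startup-config is not covered by these lines.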