Restricted Cisco IOS User Account - Custom View

Posted on 2011-09-08
Last Modified: 2012-05-12

I would like to create a Cisco IOS user account on a Cisco 1142 access point for our helpdesk so they can add MAC addresses to access-list 700.

However, I would like to restrict access to only the commands needed to create that access list.

For example, the helpdesk should be able to log in to the access points and access only the exact commands required to add a MAC address to access-list 700.

Could anyone please help with this configuration?
Question by: Suncore

Accepted Solution by: jmeggers
Been a long time since I've set it up but what you're looking for is command authorization.  I've never done it on an 1142, though so I can't say for certain that it's supported, but if it's IOS it should be.  Basic description is the user authenticates at a particular "level" (0 is lowest, 15 is full privilege) and then you assign whatever commands you want that user to be able to execute to be at that level.  One of the tricks is depending on the commands you may have to allow some commands to allow the user to get to the other ones.  For example, "configure terminal" and "interface" to allow the user to execute the "ip address" command on an interface.  There are other commands required to enable the feature, specifically aaa authorization which you would almost certainly want to do locally, but it can also be done on an ACS server if you're using RADIUS for AAA going to the ACS.  

I'm not finding a comprehensive description on how to set it up.  I know you have to configure AAA authorization for different types of commands (exec mode, etc.) and then you use the privilege command to specify the commands that can be executed by a user at that privilege level.  See http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfpass.html#wpmkr1029916 for more information on that.

I'll see if I can dig up an old config that might help.
Expert Comment by: jmeggers
Here's a sample config from some training.  It should give you an idea of how it works.  I can't promise the syntax is the same, and you'll have to identify what commands they specifically need to be able to execute.

```
! aaa new-model must be present before IOS accepts any "aaa authorization"
! command (not in the original sample; added so the config loads)
aaa new-model
! Authorize EXEC sessions that use method list "VTY" against the local user database,
! which is what places the user at the privilege level set on the username line
aaa authorization exec VTY local

! Restricted user that lands directly at privilege level 5 after login
username User2 privilege 5 password xxxxxxxx

! Move the needed commands down from level 15 to level 5.
! The sample also grants the parent commands ("configure", "ip") so the user
! can actually reach the child commands ("configure terminal", "ip address").
privilege router level 5 redistribute
privilege router level 5 network
privilege interface level 5 ip address
privilege interface level 5 ip
privilege exec level 5 configure terminal
privilege exec level 5 configure

! Apply the EXEC authorization list to the VTY (telnet/ssh) lines
line vty 0 4
 authorization exec VTY
```
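As an added example, not a configuration from the thread, here is the same privilege-level approach applied to what the question actually asks for: a local helpdesk account that can enter configuration mode, append entries to access-list 700, and verify and save its work, and nothing else. The user name `helpdesk`, privilege level 5 and the purely local AAA method lists are assumptions; whether the trailing `700` narrows the grant to a single list (rather than the whole 700-799 range) depends on the IOS version, so log in as the helpdesk user and confirm with `show privilege` and a test `access-list` command before trusting it.

```cisco
! Added example (assumed names/levels), not the thread's own config.
! Goal: privilege-5 user limited to adding entries to access-list 700.
aaa new-model
! Authenticate and authorize EXEC sessions against the local user database;
! exec authorization is what drops the user straight into privilege level 5
aaa authentication login default local
aaa authorization exec default local

! "secret" stores an MD5/scrypt hash; prefer it over "password".
! Placeholder value: replace before use.
username helpdesk privilege 5 secret REPLACE-WITH-STRONG-SECRET

! Path into configuration mode (parent command granted as well)
privilege exec level 5 configure terminal
privilege exec level 5 configure
! The one configuration command they need. On many IOS releases the
! privilege table keys on the keyword and the numeric range, so this may
! expose every list in the 700-799 range: verify with a test login.
privilege configure level 5 access-list 700

! Read-only verification and the ability to save the change
privilege exec level 5 show access-lists
privilege exec level 5 show
privilege exec level 5 write memory
privilege exec level 5 write

! Apply the default lists to the remote-access lines
line vty 0 4
 login authentication default
 authorization exec default
```

Everything not explicitly moved to level 5 stays at level 15, so a helpdesk login should be able to run `configure terminal`, `access-list 700 permit <MAC> 0000.0000.0000`, `show access-lists` and `write memory`, and get `% Invalid input` for anything else.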