Jimmy,

This is when you would use command authorization. You place a user into privilege level 15 but also restrict him to only a few commands. This way he is able to see all the commands (level 15) but he can access only what you allowed him.

TACACS+ is the AAA protocol that supports command authorization.

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

On Fri, Mar 26, 2010 at 2:33 PM, Jimmy Larsson <[email protected]> wrote:

> Hi dudes (dudettes?)!
>
> I am playing with command authorization. Since I've never done it before I
> wanna try it out before getting into WB1 Lab 5. But basically what I am
> doing in my own lab is similar to task 5.6. I have done this:
>
> aaa authentication login default none
> aaa authentication login VTY local
> aaa authorization exec default none
> aaa authorization exec VTY local
> aaa authorization commands 5 VTY local
>
> privilege exec all level 5 show running-config
> privilege exec level 5 show
>
> line vty 0 4
>  authorization exec VTY
>  login authentication VTY
>
> username viewer privilege 5 password 0 cisco
>
>
> When user viewer telnets in he gets the proper access and all works as
> expected. Still, I have a few questions:
>
> 1) What if I want the user to be able to see the ENTIRE running-config? If
> viewer does sh run he sees like 10 lines. Can I give him access to see the
> running-config without giving him configure-access to interfaces and so on?
>
> 2) There is a line-command "authorization commands <0-15>". What is that
> for?
>
> Br Jimmy
>
> --
> -------
> Jimmy Larsson
> Ryavagen 173
> s-26030 Vallakra
> Sweden
> http://blogg.kvistofta.nu
> -------
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
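A sketch of the TACACS+ command authorization setup the reply describes, added here as an illustration and not taken from either poster's configuration. The server address 192.0.2.10, the `<shared-secret>` placeholder and the reuse of the VTY method-list name are assumptions, as is a TACACS+ server that returns privilege level 15 for the user and holds the list of permitted commands.

```cisco
! Constructed example: server address and key are placeholders.
aaa new-model
tacacs-server host 192.0.2.10 key <shared-secret>
!
! Authenticate and start the exec session via TACACS+, with the local
! database as fallback if the server does not respond.
aaa authentication login VTY group tacacs+ local
aaa authorization exec VTY group tacacs+ local
!
! Send each level 1 and level 15 command to the TACACS+ server, which
! answers permit or deny per command. The user sits at level 15, so the
! permitted-command list on the server is the effective restriction.
aaa authorization commands 1 VTY group tacacs+ local
aaa authorization commands 15 VTY group tacacs+ local
!
! Extend per-command authorization to configuration-mode commands.
aaa authorization config-commands
!
line vty 0 4
 login authentication VTY
 authorization exec VTY
 ! Bind the command-authorization method lists to this line.
 authorization commands 1 VTY
 authorization commands 15 VTY
```

The `aaa authorization commands` statements only define the method lists; they take effect on the vty lines through the line-level `authorization commands` statements.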
