TACACS+ will allow you to permit/deny commands using wildcards.

----- Original Message -----
From: "EA Louie" 
To: 
Sent: Thursday, April 19, 2001 1:33 PM
Subject: Re: telnet [7:1212]


> well, that's a little bummer, because if the user is in privileged exec
> (enable) mode, the default from a privilege perspective is to allow them
> some sort of configuration permission.  I suppose the best question is,
> why do you want to restrict them to 'show interface'?
>
> The best way to accomplish what you want is to restrict them to
> non-enabled commands so that they can't make any configuration changes.
> I don't know of any way to restrict the show commands at the disabled
> EXEC mode - maybe someone else can help you with that.
>
> At the disabled EXEC mode, you can type ? to see what they're allowed to
> do.  (there are a few other hidden commands that they can do at that
> level too)
>
> -e-
>
>  ----- Original Message -----
> From: "SH Wesson"
> To:
> Sent: Thursday, April 19, 2001 9:09 AM
> Subject: Re: telnet [7:1212]
>
>
> > Thanks.  I did it and did the "privilege exec level 1 show interface"
> > for a user with privilege 1 access.  However, when they log in with the
> > username that has privilege 1 access like above, they can use other
> > commands besides the one above which I didn't put in.  How can I
> > restrict it to "privilege exec level 1 show interface" ONLY.  Thanks.
> >
> >
> > >From: "EA Louie"
> > >To: "SH Wesson" ,
> > >Subject: Re: telnet [7:1212]
> > >Date: Thu, 19 Apr 2001 08:48:59 -0700
> > >
> > >yes.  Some of the ways to do it:
> > >
> > >1.  Set a generic username/password with a privilege level of 1.  Set
> > >your own username/password with a privilege level of 15.  Then set the
> > >command that you want privilege level 1 to be able to use
> > >
> > >2.  Set different enable passwords for different privilege levels.
> > >
> > >3.  Don't give the other users the enable password, and they'll be
> > >restricted to the simple show commands (show interface, show ip route)
> > >and they'll have no access to the running or saved configuration.
> > >
> > >see (watch URL wrap-there are configuration examples at the bottom)
> > >http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt5/scpass.htm
> > >and
> > >http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_r/srprt5/srpass.htm
> > >
> > >-e-
> > >----- Original Message -----
> > >From: "SH Wesson"
> > >To:
> > >Sent: Thursday, April 19, 2001 6:18 AM
> > >Subject: telnet [7:1212]
> > >
> > >
> > > > I want to allow this one network to be able to telnet into my
> > > > router, but when they telnet into it I only want to give them access
> > > > to the "show interface" command and nothing else.  However when I
> > > > telnet into it from my network I want to be able to access everything.
> > > >
> > > > What I've done is set the password on vty 0 4 and use the command
> > > > login.  However when they telnet to it and type the password to login
> > > > they can access a lot of other commands including "show version",
> > > > "show logging", "show standby", a lot of others even though they can't
> > > > get into config t mode.
> > > >
> > > > Can anyone show me how to configure it to restrict the above telnet to
> > > > only a few commands.  Thanks.
> > > >
> > > >
> > > > _________________________________________________________________
> > > > Get your FREE download of MSN Explorer at http://explorer.msn.com
> > > > FAQ, list archives, and subscription info:
> > >http://www.groupstudy.com/list/cisco.html
> > > > Report misconduct and Nondisclosure violations to
[EMAIL PROTECTED]
> > >
> >
> > _________________________________________________________________
> > Get your FREE download of MSN Explorer at http://explorer.msn.com
> FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=1269&t=1212
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
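
The wildcard permit/deny approach mentioned in the top reply, sketched as an added example that is not part of the original thread and is not code from any TACACS+ server. It assumes a simplified model: per-command ordered regex rules, first match wins, anything unmatched is denied. The policy contents and function names are hypothetical.

```python
import re

# Constructed policies (assumption): command -> ordered (action, regex on arguments).
# STRICT anchors the wildcard so only "show interface[s] ..." is allowed.
STRICT = {"show": [("permit", r"^interfaces?( .*)?$"), ("deny", r".*")]}
# LOOSE uses an unanchored wildcard, which matches more than intended.
LOOSE = {"show": [("permit", r"interface"), ("deny", r".*")]}

# Constructed sample commands, taken from the ones named in the thread.
SAMPLE = [
    "show interface",
    "show interface Ethernet0",
    "show version",
    "show logging",
    "show standby",
    "show ip interface brief",
    "configure terminal",
]


def authorize(policy, command_line):
    """Return True if the command line is permitted under the policy."""
    words = command_line.split()
    if not words:
        return False
    cmd, args = words[0].lower(), " ".join(words[1:])
    for action, pattern in policy.get(cmd, []):
        if re.search(pattern, args, re.IGNORECASE):
            return action == "permit"  # first matching rule decides
    return False  # default deny: commands with no rule are refused


def audit(policy, commands):
    """Map each command to its authorization decision."""
    return {c: authorize(policy, c) for c in commands}


def over_permitted(strict, loose, commands):
    """Commands a loose wildcard lets through that the anchored one blocks."""
    return [c for c in commands if authorize(loose, c) and not authorize(strict, c)]


if __name__ == "__main__":
    for cmd, ok in audit(STRICT, SAMPLE).items():
        print(f"{'PERMIT' if ok else 'DENY  '} {cmd}")
    print("Loose wildcard also permits:", over_permitted(STRICT, LOOSE, SAMPLE))
```
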
