Let me make my position clear.  The best way to do this is through
TACACS+.  AAA, does it ring a bell? TACACS+ will solve your problem and
more.  Don't try to fix the problem with the bandage approach.  Because
if you do, it will come back and bite you in the future.

Just my .02 cents.
Sean



>From: "EA Louie" 
>Reply-To: "EA Louie" 
>To: [EMAIL PROTECTED]
>Subject: Re: telnet [7:1212]
>Date: Thu, 19 Apr 2001 14:33:29 -0400
>
>well, that's a little bummer, because if the user is in privileged exec
>(enable) mode, the default from a privilege perspective is to allow them
>some sort of configuration permission.  I suppose the best question is, why
>do you want to restrict them to 'show interface'?
>
>The best way to accomplish what you want is to restrict them to non-enabled
>commands so that they can't make any configuration changes.  I don't know of
>any way to restrict the show commands at the disabled EXEC mode - maybe
>someone else can help you with that.
>
>At the disabled EXEC mode, you can type ? to see what they're allowed to do.
>(there are a few other hidden commands that they can do at that level too)
>
>-e-
>
>  ----- Original Message -----
>From: "SH Wesson"
>To:
>Sent: Thursday, April 19, 2001 9:09 AM
>Subject: Re: telnet [7:1212]
>
>
> > Thanks.  I did it and did the "privilege exec level 1 show interface" for a
> > user with privilege 1 access.  However, when they log in with the username
> > that has privilege 1 access like above, they can use other commands besides
> > the one above which I didn't put in.  How can I restrict it to "privilege
> > exec level 1 show interface" ONLY.  Thanks.
> >
> >
> > >From: "EA Louie"
> > >To: "SH Wesson" ,
> > >Subject: Re: telnet [7:1212]
> > >Date: Thu, 19 Apr 2001 08:48:59 -0700
> > >
> > >yes.  Some of the ways to do it:
> > >
> > >1.  Set a generic username/password with a privilege level of 1.  Set your
> > >own username/password with a privilege level of 15.  Then set the command
> > >that you want privilege level 1 to be able to use
> > >
> > >2.  Set different enable passwords for different privilege levels.
> > >
> > >3.  Don't give the other users the enable password, and they'll be
> > >restricted to the simple show commands (show interface, show ip route) and
> > >they'll have no access to the running or saved configuration.
> > >
> > >see (watch URL wrap-there are configuration examples at the bottom)
> > >http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt5/scpass.htm
> > >and
> > >http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_r/srprt5/srpass.htm
> > >
> > >-e-
> > >----- Original Message -----
> > >From: "SH Wesson"
> > >To:
> > >Sent: Thursday, April 19, 2001 6:18 AM
> > >Subject: telnet [7:1212]
> > >
> > >
> > > > I want to allow this one network to be able to telnet into my router, but
> > > > when they telnet into it I only want to give them access to the "show
> > > > interface" command and nothing else.  However when I telnet into it from my
> > > > network I want to be able to access everything.
> > > >
> > > > What I've done is set the password on vty 0 4 and use the command login.
> > > > However when they telnet to it and type the password to login they can
> > > > access a lot of other commands including "show version", "show logging",
> > > > "show standby", a lot of others even though they can't get into config t
> > > > mode.
> > > >
> > > > Can anyone show me how to configure it to restrict the above telnet to only
> > > > a few commands.  Thanks.
> > > >
> > > >
> > > > _________________________________________________________________
> > > > Get your FREE download of MSN Explorer at http://explorer.msn.com
> > > > FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> > > > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> > >
> >

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=1271&t=1212
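
The TACACS+ approach suggested in the top reply, sketched as router-side IOS configuration. This is an added example, not configuration posted by anyone in the thread; the server address 192.0.2.10, the networks 10.1.1.0/24 and 10.2.2.0/24, the username and the bracketed secrets are placeholders.

```cisco
! Added example: per-command authorization through AAA/TACACS+.
! All addresses, names and secrets below are placeholders.
!
aaa new-model
!
! Authenticate vty logins against the TACACS+ server; fall back to the
! local user database only if the server does not respond.
aaa authentication login default group tacacs+ local
!
! Let the server decide whether a user gets an EXEC session and at which
! privilege level it starts.
aaa authorization exec default group tacacs+ local
!
! Send every level-1 and level-15 command to the server for a permit/deny
! decision. This is what the plain "privilege exec level 1 ..." command
! cannot do: level 1 already contains many show commands by default, so
! adding one more command to level 1 removes nothing.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
tacacs-server host 192.0.2.10
tacacs-server key <shared-secret>
!
! Local fallback account for the administrator (used if the server is down).
username admin privilege 15 password <admin-password>
!
! Only the two known networks may open a telnet session at all.
! 10.1.1.0/24 = administrator network, 10.2.2.0/24 = restricted network.
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 permit 10.2.2.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
 login authentication default
```

The restriction itself lives in the TACACS+ server's policy: the restricted account is placed at privilege level 1 with a command rule that permits `show interface` (plus `exit`/`logout`) and denies everything else, while the administrator account is permitted all commands.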