With AAA authorization, you can do just about everything (with some caveats). You can even give a user privilege level 15 and he/she still cannot go into "config t" mode. Here is what you put on the router:
! exec, per-command (levels 0 and 15) and network authorization via TACACS+;
! if-authenticated lets the session proceed when the server is unreachable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
Here is what you do in the tac_plus configuration file:
user = biteme {
    member = regular
    name = "biteme"
    global = des dkdkdd)DSKDs
    expires = "Dec 31 2002"
}
group = regular {
    # configure is denied regardless of arguments; the rest are permitted
    cmd = configure { deny .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = debug { permit .* }
}
"Blair, Philip S" wrote:
I'm quite sure you could accomplish your goals with TACACS and aaa authorization, is that out of the question?
-----Original Message-----
From: Adam Hickey [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 12:52 PM
To: [EMAIL PROTECTED]
Subject: privilege levels [7:53723]
All,
I want to configure a special privilege level for our NOC in all our Cisco devices to basically have all commands except config. Looking at CCO, if you allow sh run at any priv level other than , the user will only be able to see the commands they can configure, which defeats the purpose. Anyone know a way around this - so the NOC can have say a level 14 access and be able to see the entire running-config without being able to configure anything?
thx
Adam
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53740&t=53723
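The following is an added example, not code from anyone in this thread: a small Python model of how the tac_plus group stanza above is evaluated for a command the router sends up for authorization. It assumes (as the tac_plus freeware documents) that the first word of the command line selects the "cmd" clause, that the argument string is tested against that clause's permit/deny regexes in order with the first match deciding, that a command with no matching "cmd" clause is denied unless "default service = permit" is set, and that "expires" is a "Mon DD YYYY" date after which logins fail. The `default_service_permit` flag, the `GROUPS` table and the command lines tested are constructed for the example.

```python
import re
from datetime import date, datetime

# Constructed model of the "regular" group from the tac_plus config in the
# thread: command name -> ordered (action, argument-regex) clauses.
GROUP_REGULAR = {
    "configure": [("deny", r".*")],
    "disable":   [("permit", r".*")],
    "telnet":    [("permit", r".*")],
    "debug":     [("permit", r".*")],
}
GROUPS = {"regular": GROUP_REGULAR}

# Constructed model of user "biteme" (password hash omitted; not needed here).
USER_BITEME = {"name": "biteme", "member": "regular", "expires": "Dec 31 2002"}


def account_expired(user, today):
    """True once 'today' is past the user's 'expires' date (assumed format)."""
    exp = datetime.strptime(user["expires"], "%b %d %Y").date()
    return today > exp


def authorize(user, cmd_line, default_service_permit=False):
    """Return (action, reason) for a fully expanded IOS command line.

    default_service_permit models 'default service = permit' in tac_plus;
    with it False (the default), unlisted commands are denied.
    """
    parts = cmd_line.strip().split(maxsplit=1)
    if not parts:
        return ("deny", "empty command line")
    cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")

    clauses = GROUPS[user["member"]].get(cmd)
    if clauses is None:
        if default_service_permit:
            return ("permit", f"no cmd clause for {cmd!r}; default service = permit")
        return ("deny", f"no cmd clause for {cmd!r}; default is deny")

    # Argument patterns are tried in order; the first match decides
    # (assumption: anchored at the start of the argument string, as re.match).
    for action, pattern in clauses:
        if re.match(pattern, args):
            return (action, f"{cmd!r}: args {args!r} matched {action} {pattern!r}")
    return ("deny", f"{cmd!r}: no argument pattern matched {args!r}")


if __name__ == "__main__":
    for line in ("configure terminal", "debug ip packet", "show running-config"):
        print(line, "->", authorize(USER_BITEME, line))
    print("show running-config (default service = permit) ->",
          authorize(USER_BITEME, "show running-config", default_service_permit=True))
    print("expired on 2003-01-01:", account_expired(USER_BITEME, date(2003, 1, 1)))
```

Running it shows the point of the "deny .*" clause on configure and also the caveat a reviewer would raise about the stanza as posted: with only four commands listed and no "default service = permit", every other command, including "show running-config", is refused, so a NOC group that should see everything but change nothing needs either that default or explicit permit clauses for the read-only commands. The router sends the expanded command (for example "configure terminal", not "conf t"), which is why matching on the first word works.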