GroupStudy.com - A virtual community of network engineers
Re: IOS privileges for helpdesk posted 11/03/2008


Is this for production or for lab purposes? If production, your best
option is to use TACACS for per-command auth. Otherwise either use an
IOS menu to limit what they can show, or assign them privilege 0 and
move commands down instead of up. If you look at the "show parser
dump" you'll see that privilege 1 has basically all show commands
except show run, which may not be what you want.

HTH,

Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan@xxxxxxxxxxxxxxxxxxxxxx

Internetwork Expert, Inc.
http://www.internetworkexpert.com

On Nov 3, 2008, at 8:37 PM, "darth router" <darklordrouter@xxxxxxxxx> wrote:

> thank you also
>
> On Mon, Nov 3, 2008 at 4:58 PM, Brian McGahan <bmcgahan@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> You need to add "aaa authorization exec default local" to authorize  
> the user to privilege 2.  When AAA is off, exec authorization  
> defaults to local already, but when AAA is on you need to manually  
> specify it.
>
>
> HTH,
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> bmcgahan@xxxxxxxxxxxxxxxxxxxxxx
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987 x 705
> Outside US: 775-826-4344 x 705
> Online Community: http://www.IEOC.com
> CCIE Blog: http://blog.internetworkexpert.com
>
>
> darth router wrote:
>>
>>  fellas/ladies,
>>
>> Few questions on this.
>> 1. with the below config, can I get this to work somehow? I do not want to
>> get rid of the enable pass. It will not work with the current config.
>> 2. is there a way to have more than 1 enable pass with a diff priv level set
>> for helpdesk (haven't been able to get this to work)
>> 3. Is there a way to clear all commands from a privilege level, mtrace,
>> ping, etc...? I can see in the doc CD how to add, but not remove default
>> commands.
>>
>>
>>
>> aaa authentication login default local line
>> aaa authentication enable default enable
>>
>>
>> enable secret cisco
>>
>> username admin password cisco
>> username helpdesk privilege 2
>>
>>
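A check for the condition described in the replies above, as an added example that is not part of the original thread: it scans a saved IOS configuration and lists local users whose `privilege` level relies on an `aaa authorization exec` method list that is missing while AAA is in use. The function name and sample configs are constructed; treating any `aaa` line as "AAA is on" and level 1 as the default user EXEC level are assumptions of the example.

```python
import re

# "username <name> ... privilege <n>" in a saved configuration
USER_PRIV = re.compile(r"^username\s+(\S+)\s+(?:.*\s)?privilege\s+(\d+)\b")
# "aaa authorization exec <list-name> <method> [<method> ...]"
EXEC_AUTHZ = re.compile(r"^aaa\s+authorization\s+exec\s+(\S+)\s+(.+)$")

def audit_exec_authorization(config_text):
    """Return [(username, level)] for local users whose non-default privilege
    level has no local exec authorization method to apply it."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    # Assumption: any line starting with "aaa " means AAA is enabled.
    aaa_on = any(ln.startswith("aaa ") for ln in lines)
    local_authz = any(
        m and "local" in m.group(2).split()
        for m in map(EXEC_AUTHZ.match, lines)
    )
    if not aaa_on or local_authz:
        return []  # AAA off (local by default, per the reply) or method present
    users = [(m.group(1), int(m.group(2)))
             for m in map(USER_PRIV.match, lines) if m]
    # Level 1 is what a user gets anyway, so only other levels are reported.
    return [(name, level) for name, level in users if level != 1]

# Constructed sample: the configuration quoted in the thread.
BROKEN = """\
aaa authentication login default local line
aaa authentication enable default enable
enable secret cisco
username admin password cisco
username helpdesk privilege 2
"""
# Same configuration with the line given in the reply added.
FIXED = BROKEN + "aaa authorization exec default local\n"
# Constructed sample with AAA not configured at all.
NO_AAA = "enable secret cisco\nusername helpdesk privilege 2\n"

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED), ("no aaa", NO_AAA)):
        print(label, audit_exec_authorization(cfg))
```
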