Few Days back I have been asked by one of our customer for which I implemented Cisco Router Based PPPoE Server - "Hey we need to give some command access to few of our Engineers, but they shouldn't be able to use other commands available under same config prompt".
Okay...I thought it will be simple before he told me one more thing... " We can't buy AAA Server for this Job" :-(
Hmmm... It's quite simple to do with a AAA Server like Cisco ACS. But how about doing this without that.
It reminded me other two ways which I know but I never implemented those before. The one was setting up "Privilege Levels" and other which I learned during my CCNA Security Preparation was " Role Based CLI".
So I choose the Second Way. Because there is a little problem with setting up Privilege levels. In case of Privilege levels the user will have access to all the command available under privilege level Less than the current one.
On the other hand in case of Role based CLI the user will have access to the commands only which were configured under the VIEW.
Although I see there is a third option which is not so flexible called "MENU"
So here is the list of command that I was given. All the Guest Admins should have access to these commands only.
"show users"
"show pppoe sessions"
"clear pppoe rmac"
and here is the quick config that I did for this. The view created here is named as "FIVE"
Cisco_NAS(config)#username radiusadmin secret radiusadmin
Cisco_NAS(config)#parser view five
Cisco_NAS(config-view)#secret guestadmin
Cisco_NAS(config-view)#command exec include show users
Cisco_NAS(config-view)#command exec include show pppoe session
Cisco_NAS(config-view)#command exec include clear pppoe rmac
Cisco_NAS(config-view)#exit
Cisco_NAS(config-view)#secret guestadmin
Cisco_NAS(config-view)#command exec include show users
Cisco_NAS(config-view)#command exec include show pppoe session
Cisco_NAS(config-view)#command exec include clear pppoe rmac
Cisco_NAS(config-view)#exit
and that's it. Next time the guest admin wants to login have to enter username "radiusadmin" and password as "radiusadmin". After that instead of typing "enable" they have to type "enable view five" and then have to provide password for authentication as "guestadmin".
They won't have access to any other commands except the 3 commands that I mentioned in my config.
Thanks!
Deepak Arora
1 comment:
Very useful in production and thanks or sharing
Post a Comment