Cisco LAN :: 3750 Configure Read Access Via User-defined Privilege Level
Mar 11, 2013
I'm looking for the best configuration to restrict a user to read-only. The restriction should be configured via CLI, not TACACS+.
-Hardware: 3750 (probably not interesting for this question)
-Oldest IOS: 12.2(53)SE1
The user should be allowed to:
-see the running-configuration
-trigger all kinds of show-commands
-ping and traceroute from the device.
The user should not be allowed to:
-upload/delete/rename files on the flash-memory
-get into level 15 (not sure if I can avoid this)
-all other commands despite those from level 1 and those specified above.
Feb 15, 2013
We have more than 50 devices handled by PI 1.2 (testing). I would like to know how to do configuration archiving with a user who doesn't have write privilege.
I tried like this.
username john privilege 6 password cisco
privilege exec level 6 show running-config
(result) show run --> blank
I tried this user with one of switch in PI 1.2. It did not do configuration backup
username inout password inout
username inout privilege 15 autocommand show running-config
(result) once logged in, it automatically showed running-config. However when I tried with PI 1.2 with this user (inout). I couldn't do configuration back.
reference [URL]
create certain user with read-only privilege while PI 1.2 is able to do configuration archiving ?
Apr 29, 2011
I can't seem to enable in ASA with a non-15 privilege level user configured in ACS 4.2 (tacacs). When I enable in an IOS device, it enables and "show privilege" shows level 10 as expected. ACS should be configured correctly as it works fine with IOS. User is not set with explicit settings. Group is set with "max enable level" 15 and "shell exec priv level" 15. The enable password is set to the internal ACS PAP password. Works fine in IOS. When I enable in ASA, it fails to enable, and the ACS log says "Tacacs+ enable privilege too low". I suspect that ASA tries to enable into level 15 explicitly. If I try to issue the "enable 10" command in ASA it says: Enabling to privilege levels is not allowed when configured for AAA authentication. Use 'enable' only. [code]
Jun 13, 2011
I have Cisco ACS 5.2 with RSA SecurID as the external identity source. Currently, when an RSA user logs in to AAA network devices, the user ID and passcode prompt comes up, and after giving the credentials the user goes to user exec mode. Then after the "enable" command it asks for the passcode again, and after giving the passcode the user is able to log in successfully.
I need RSA users to get privilege level 15 (privileged mode) directly? No need to ask for the enable password?
I checked this for local ACS users and it is working; local users are getting privileged mode access directly...
Sep 21, 2011
We have an ASDM (version 5.2(3)). In the ASA (version 7.2(3)) we are working with routing, access restriction and configuring IPsec VPN with integration to our AD. We need to get two different profiles: one for networking administrators, who are going to manage routing and ACLs and have root on the ASA, and the other profile is going to be for the VPN administrators. As I read in the ASDM 6.0 user guide, it is possible to define command privilege levels. So do you consider it possible to define a particular level for all the commands related to IPsec VPN (Create, Modify and Delete) and associate that particular level with the user for VPN administration?
Aug 10, 2011
I have a customer with an 861 ISR. I want to block all the privilege 0 users from accessing the enable command.
If I telnet into the device, as a priv=0, enable does not work
If I telnet into the device, as a priv=15, enable does work
If I telnet into the device, as a priv=0, enable does not work
If I telnet into the device, as a priv=15, enable does not work
I have issued the command:
privilege exec level 15 enable
This should block everyone except 15's from accessing the enable command. SSH and TELNET are on the same vty:
line con 0
login authentication local_authen
no modem enable
line aux 0
line vty 0 3
[code]....
Basically TELNET is following the rules (priv=0 not allowed to access enable) but SSH is not following the rules (both priv=15 and priv=0 cannot access the command). Is there a way of blocking some users from logging in completely?
Oct 10, 2011
I want to create a local user in my Cisco ASA 5520 to allow the user to use the ASDM in Read-Only mode. I want the user to view the Dashboard only.
Aug 3, 2011
I'm a novice with LMS 4.0. I created 4 device groups in Group Management, I restarted my server, and since this reboot I haven't any devices in my groups. I would like to use the archive synchronization but I can't see my devices in my groups.
Jan 23, 2012
I have seen some discussion in the forums regarding user defined groups being empty in LMS 4.0 but not 4.1. I am having this issue in 4.1. Under User Defined groups, I have created 2 logical groups named "Physical Location" and "Switches". These do not contain any actual devices, they are just containers for other groups. Under the Physical Location logical group I have created 2 other groups, Acuna and Hampton. Under the Switches group I have also created 2 groups, HDM and HHC. The criterion for the Physical Location group is based on the first 3 characters of the hostname:
Device.System.Name startswith "hdm"
The criterion for the Switches group is based on the value of a user defined field, Admin_responsibility:
Device.Admin_responsibility equals "HDM"
The Physical Location groups work - the Switches group does not. Both the HDM and the HHC group should contain several devices. The HDM group contains 2, the HHC contains none. If I edit the groups and click "next" until I get to step 3, Membership: Edit, the "objects matching criteria" list is fully populated - it contains the devices that it should contain. However, after I click "Finish" and go to Inventory => Add / Import / Manage Devices there is no change in group membership - the HDM group contains 2 devices and the HHC group contains none.
Oct 29, 2011
I configured QoS on a VPN tunnel, but when I enter the command service-policy output name, it shows the error below: Traffic Shaping feature is not supported in user defined class of parent level policy. My Cisco router is a 1921, IOS: c1900-universalk9-mz.SPA.150-1.M5.bin
Sep 7, 2011
Having LMS 4.0.1, is it possible to authenticate users on a group basis and assign different privileges to different groups? The users' groups are available in the LDAP server. Do I have to use a TACACS/RADIUS server between the CiscoWorks LMS and the LDAP repository?
Jul 14, 2011
I have FWSMs in Cat 6513s. I have a need to be able to session from the switch to the FWSM by using the default account (not a local user), at privilege level 15. I further have a need to allow a user read-only access by SSHing into the FWSM...
I believe I need to setup a local user, at, say privilege level 5, assign the show command only to privilege level 5, then set the authorization command for that user. So, i think my command sets are as follows to accomplish this:
username <username> password <pw> priv 5
priv command level 5 mode exec command show
aaa auth ssh console LOCAL
aaa auth enable console LOCAL
aaa authorization command LOCAL
I think, that this will allow the user at privilege 5 to run only the show command and only by SSH to the FWSM while allow the priv 15 level default login to continue to function properly.
May 15, 2012
I am running NX-OS image n5000-uk9.5.1.3.N1.1.bin on the Nexus 5020 platform. I have configured authorization with TACACS+ on ACS server version 5.2 with fallback to the switch local database. A user test with priv 15 is created on the ACS server, password test2. Everything works fine until I create the same username in the local database with privilege 0 (it doesn't matter if the user in the local database was created before the user in ACS or after), e.g.: username test password test1 role priv-0 (note passwords are different for users in both databases).
After I create the same user in the local database with privilege 0, if I try to connect to the switch with this username test and the password defined on ACS, I get only privilege 0 authorization, regardless that the ACS server is up and it should be the primary way to authenticate and authorize the user.
Dec 12, 2011
I created some User Defined Groups in LMS 4.1, now I want to apply certain fault notification groups to Event Sets.
Unfortunately the Groups I configured are not in the Group Selector of the Fault Notification Group: Admin > Network > Notification and Action Settings > Fault Notification Group
May 30, 2013
I have 2 local accounts on a 3750 that kick in should RADIUS be unavailable. If I log in as the admin account it gets priv 15; if I log in as the other user it gets privilege 3, which is correct, but my commands don't work. This is what I have added, and the strange thing is I've done this many times before on our other switches.
username admin privilege 15 secret ***
username users privilege 3 secret ***
aaa new-model
[Code]....
Jan 13, 2009
What is the command for creating a user on an ASA 5500 running 7.2(3) that can only view the config but not make any changes?
Mar 20, 2011
I have a customer that has a FWSM on a 6500. I want to create a read-only account for them, I believe user privilege of lvl_3. When I log into the firewall it prompts me for a password straight away.
Is there a way that I can create a login so that when it prompts me for a password, I can have a password set up to put into that prompt to get a certain level of access, instead of the standard lvl_15 access?
Jul 24, 2012
Is it possible to have emails stored automatically on a network drive after an email has been read by the user? I know for sure that on a mail server there is a feature that can be set up to have a copy stored and then send it to the user's application.
Mar 22, 2011
I am configuring remote access VPN on a cisco router 3845. Works fine.
I was looking for configuring session and idle time configuration for groups and eventually users.
I am using the following Cisco VPN remote access configuration :
crypto isakmp client configuration group mygroup
key xxx
pool mypool
acl 101
max-logins 3
banner ^CHelloo ^C
Is there any command in cisco ios similar to Cisco ASA vpn group 1 session-timeout?
May 12, 2011
I have configured SSL VPN on a Cisco ASA5510, which is working fine. My users connect to the VPN and access the servers remotely. But now I face one challenge: my users nowadays use the customer's PPTP VPN, configured on the customer network. When they connect to the PPTP VPN they are unable to access the servers remotely defined on the SSL VPN route.
Jun 13, 2012
I'm using a Cisco Wireless LAN Controller 5508, 14x Access Points 1041 and 6x Access Points 1031 in combination with a NCS 1.0.
Is it possible to broadcast SSIDs only on defined Access Points, e.g. AP 1-3,7-10,18? If yes, what do I have to do?
Oct 18, 2012
How to configure internet access for different VLANs on a Cisco 3750 switch? The ISP connection is directly connected to the 3750, and the 3750 has 18 VLANs.
Sep 29, 2012
I configured a 3750 stack switch as core and 2960 stack switches as access layer switches. I connected my laptop to one of my core stack switches in VLAN 10 and I am pinging one of my servers in VLAN 1. What will be the minimum latency at the time of inter-VLAN routing?
Jun 13, 2012
I am using ACS 5.3 with the internal Database for user authentication, I would like to attribute to some users read only rights on the systems. by not configuring an enable password for these users?
Sep 30, 2010
We are using ACS ver 4.2 and trying to set up users with limited access to our switches and routers. Here is what we did:
1) Created a user in ACS
2) Create Shell Command Authorization Set - ReadOnly
Unmatched Commands - Deny
Commands Added
show
exit
* this should limit the user to the show and exit command only (correct)?
3) Created a group - HelpDesk with the following TACACS+ Settings
Shell (exec) is checked
Privilege level is checked with 15 as the assigned level
Assign a Shell Command Authorization Set for any network device - selected
ReadOnly - shell command authorization set selected
When the user logs on to the router/switch it appears that he has full access. He can enter the enable command, config terminal command, etc. All we want him to be able to do is to issue the show command.
Sep 22, 2011
We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system. For example, an admin person in site A can only add devices into the site A group and cannot see/access other sites' groups.
Apr 13, 2011
I have a wireless router, namely a D-LINK 524. I know it's a pretty old router, but it's never let me down before. But then today I decided to play a couple of games online using the PSP/PS3, and both devices couldn't read the access point.
Then I went onto my PC and the internet on the PC didn't work either :'( So then I rebooted the modem and WiFi router, but to no avail. So I unplugged the router and connected the modem directly to the PC and it worked. So I was quite stunned, and I miss playing online.
So to trim it down, the problem basically is that my phone/PS3/PSP cannot find my access point AND my PC doesn't work when connected through the wireless router.
Oct 23, 2011
I have a Windows Home Server 2011 box sitting at home in Washington DC. I have about 1TB worth of stuff on that box. For many reasons, I want to store all my data in a centralized location (that being my WHS box). I then want to access that data through my laptop in London as if the data was in a folder on my computer. I also want to access the data through my mobile phone (Android). I just set up FileZilla on my WHS box and it works fine if I want to download or upload data. But it won't let me open Word files 'off' the server, make changes, and then save it right back. I have to download the Word file, make changes, and then reupload that file to the server.
Dec 9, 2012
I am running the PI1.2 virtual appliance (on ESXi 5.0). I had some issues and opened a ticket with TAC. The TAC engineer requested me to send him the below:
/opt/CSCOlumos/logs/failed_inventory_feature.log
/opt/CSCOlumos/logs/ifm_inventory.log
.
.
My question is how do we get to the shell of PI1.2? I know we can get to the shell of LMS4.2. Do we have access to the shell of the PI1.2 virtual appliance?
Feb 19, 2012
I configured 2960S switch as http server. I'm unable to access the switch GUI with non privilege 15 user, with privilege 15 user it's working.
Jan 23, 2012
Verifying the operation of the ASA when configured with global access rules. Does the global rule override the interface security levels? According to the ASA order of operations, the interface-specific rule gets processed first and then the global rules, but it does not say anything about interface security levels. Observing an ASA in production that has global rules configured, I see that an interface with a security level of 50 that has no rules applied to it, passing traffic to the outside interface (security level 0), drops the traffic. Syslog shows that it hits the global access rule implicit deny. Does the implicit permit any to any less secure interface not apply?
Jul 17, 2011
Is there any possibility to set the Linksys E4200 to support anonymous access to the FTP server in read and write mode?
Oct 25, 2011
We are using Catalyst 3750 with 12.2(44)SE. We have two stacks configured, one with IP routing enabled. When we try to run an Acquisition Action on the IP routing enabled stack, from Admin > Collection Settings > User Tracking, the system replies with an error "Failed to start acquisition: Device unreachable. Please enter a valid device". Acquisition starts successfully when we try with the other stack. We are going to investigate!