HTTP Server privilege separation

Does anyone know what needs to be added to a privilege level to allow use of the web administration page for the port config and such, but not reload and reset to default?

Reply to
jerkart

Are you referring to a Cisco device? If so, which one and which software version?

Reply to
Walter Roberson

Reply to
JerKart

In article , JerKart top-posted:

This morning too, seeing as you top-posted...

Ah, that makes the problem entirely different than what I first understood.

I do not know the answer, but I believe that the matter is not specific to the web server. I suspect the question is a more general one of how to configure the 3750 to allow particular commands but not allow others.

You asked that the user be able to configure ports "and such", but not reload or reset to default. However, any user who is allowed to view the entire configuration can see the encoded passwords and SNMP community strings and use those to go in and reconfigure the device, or to just reload or reset the device directly. Adding new users and passwords and associated privileges is part of "and such" (in that it is not reloading or resetting to the default), so you should reconsider what commands you want the user to be able to do.

Reply to
Walter Roberson

Below is part of the config. I have RADIUS set up to authenticate users only for the http server and only the http server. Login is working when I set the users' privilege level to 15; I am trying to limit these users to non-destructive commands at a defined privilege level of 7. I want to permit them to {change interface settings, use the monitor functions}, but not be able to {reload, reset to default, use express setup, software upgrade}. The restricted users will not have any access to the console so I don't have to be as tight with the lockdown.

aaa authentication login default local
aaa authentication login HTTPonly group radius
aaa authorization exec default local
aaa authorization exec HTTPonly group radius

ip http server
ip http authentication aaa login-authentication HTTPonly
ip http authentication aaa exec-authorization HTTPonly

privilege configure level 7 interface
privilege exec level 7 configure terminal
privilege exec level 7 show
privilege exec level 7 interface
privilege exec level 7 write memory

Reply to
JerKart
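As an added example (not code from this thread or from Cisco), the Python script below reads `privilege <mode> level <n> <command>` lines such as the ones posted above, works out which commands a given level can reach, and flags any that fall into the destructive set the poster wants withheld (reload, reset to defaults, software upgrade). It models the IOS rule that granting a multi-word command also grants its leading words, which is why `configure` itself becomes reachable when `configure terminal` is set to level 7. Two simplifications are assumptions of this example, not IOS behaviour: the lowest level ever assigned to a prefix is kept, and IOS default levels are not modelled, so anything not named in the output is treated as level 15. The sample config and the destructive-command list are constructed for the example; Walter's point about which grants expose secrets still has to be judged by reading the allowed set the script prints.

```python
"""Audit which Cisco IOS commands a privilege level can reach.

Added example for the thread above, not code from the thread. It parses
'privilege <mode> level <n> <command>' lines and flags destructive commands.
"""
import re

# Constructed sample: the privilege lines posted in the thread, verbatim.
SAMPLE_CONFIG = """\
privilege configure level 7 interface
privilege exec level 7 configure terminal
privilege exec level 7 show
privilege exec level 7 interface
privilege exec level 7 write memory
"""

# Constructed list of commands the poster wants kept at level 15 (reload,
# reset to defaults, software upgrade); extend it for your own platform.
DESTRUCTIVE = {
    ("exec", "reload"),
    ("exec", "write erase"),
    ("exec", "erase"),
    ("exec", "setup"),
    ("exec", "archive download-sw"),
}

# Matches 'privilege <mode> [all] level <n> <command words>'
PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+(?:all\s+)?level\s+(\d+)\s+(.+?)\s*$")


def parse_privilege_lines(config):
    """Return {(mode, command): level} for every granted command.

    IOS rule modelled here: granting a multi-word command also grants its
    leading words (setting 'configure terminal' to level 7 makes 'configure'
    reachable at level 7). Simplification (assumption): the lowest level ever
    assigned to a prefix wins, and IOS default levels are not modelled, so a
    command absent from the output is treated as level 15.
    """
    grants = {}
    for raw in config.splitlines():
        m = PRIV_RE.match(raw.strip())
        if not m:
            continue  # not a privilege line; other config is ignored
        mode, level, words = m.group(1), int(m.group(2)), m.group(3).split()
        for i in range(1, len(words) + 1):
            key = (mode, " ".join(words[:i]))
            grants[key] = min(level, grants.get(key, 15))
    return grants


def commands_allowed(grants, level):
    """Every (mode, command) usable at `level`: anything granted at or below it."""
    return {cmd for cmd, lvl in grants.items() if lvl <= level}


def audit(config, level, destructive=DESTRUCTIVE):
    """Return (allowed, exposed): what `level` can run, and which of those are destructive."""
    allowed = commands_allowed(parse_privilege_lines(config), level)
    exposed = sorted(cmd for cmd in allowed if cmd in destructive)
    return allowed, exposed


if __name__ == "__main__":
    allowed, exposed = audit(SAMPLE_CONFIG, 7)
    for mode, cmd in sorted(allowed):
        print(f"level 7 can run [{mode}] {cmd}")
    print("destructive commands exposed:", exposed or "none")
    # Constructed misconfiguration: someone later grants reload at level 7.
    _, exposed = audit(SAMPLE_CONFIG + "privilege exec level 7 reload\n", 7)
    print("after adding reload:", exposed)
```

Run it against the `privilege` lines from your own `show running-config`; the allowed set is the list to review before handing out the level, and anything in the exposed list should be moved back to level 15.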

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.