Does anyone know what needs to be added to a privilege level to allow use of the web administration page for the port config and such, but not reload and reset to default?
- posted
17 years ago
Are you referring to a Cisco device? If so, which one and which software version?
In article , JerKart top-posted:
This morning too, seeing as you top-posted...
Ah, that makes the problem entirely different than what I first understood.
I do not know the answer, but I believe that the matter is not specific to the web server. I suspect the question is a more general one of how to configure the 3750 to allow particular commands but not allow others.
You asked that the user be able to configure ports "and such", but not reload or reset to default. However, any user who is allowed to view the entire configuration can see the encoded passwords and SNMP community strings and use those to go in and reconfigure the device, or to just reload or reset the device directly. Adding new users and passwords and associated privileges is part of "and such" (in that it is not reloading or resetting to the default), so you should reconsider what commands you want the user to be able to do.
Below is part of the config. I have RADIUS set up to authenticate users only for the http server and only the http server. Login is working when I set the users' privilege level to 15; I am trying to limit these users to non-destructive commands at a defined privilege level of 7. I want to permit them to {change interface settings, use the monitor functions}, but not be able to {reload, reset to default, use express setup, software upgrade}. The restricted users will not have any access to the console, so I don't have to be as tight with the lockdown.
aaa authentication login default local
aaa authentication login HTTPonly group radius
aaa authorization exec default local
aaa authorization exec HTTPonly group radius

ip http server
ip http authentication aaa login-authentication HTTPonly
ip http authentication aaa exec-authorization HTTPonly

privilege configure level 7 interface
privilege exec level 7 configure terminal
privilege exec level 7 show
privilege exec level 7 interface
privilege exec level 7 write memory
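Added example, not part of the thread or any poster's code: a small Python check that parses the "privilege" lines from the config posted above and lists grants at or below the restricted level whose wording overlaps a command the poster wants kept away from those users. The deny list and the prefix-overlap rule are assumptions made for illustration; the check does not model how IOS resolves privilege levels for subcommands, so each finding is a prompt for manual review.

```python
import re

# Constructed sample: the privilege lines from the post above, one per line.
SAMPLE_CONFIG = """\
privilege configure level 7 interface
privilege exec level 7 configure terminal
privilege exec level 7 show
privilege exec level 7 interface
privilege exec level 7 write memory
"""

# Assumption: exec commands standing in for the goals stated in the thread
# (no reload, no reset to default, no express setup, no full-config view).
DENIED_EXEC = ["reload", "erase", "write erase", "setup", "show running-config"]

PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+(all\s+)?level\s+(\d+)\s+(.+?)\s*$")


def parse_privilege_lines(config):
    """Return (mode, level, all_flag, command_tokens) for each privilege line."""
    grants = []
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            mode, all_kw, level, cmd = m.groups()
            grants.append((mode, int(level), bool(all_kw), tuple(cmd.split())))
    return grants


def overlaps(granted, denied):
    """True when one token sequence is a prefix of the other."""
    n = min(len(granted), len(denied))
    return granted[:n] == denied[:n]


def audit(config, restricted_level, denied=DENIED_EXEC):
    """List (granted, denied) pairs for exec grants usable at restricted_level
    whose wording touches a denied command (conservative heuristic)."""
    findings = []
    for mode, level, _all, tokens in parse_privilege_lines(config):
        if mode != "exec" or level > restricted_level:
            continue  # only exec-mode grants reachable by the restricted user
        for d in denied:
            if overlaps(tokens, tuple(d.split())):
                findings.append((" ".join(tokens), d))
    return findings
```

Calling audit(SAMPLE_CONFIG, 7) reports the bare "show" grant against "show running-config", which is the exposure the earlier reply warns about, while "write memory" does not overlap "write erase".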