Custom privilege level for CSM commands

Is there a way to create a custom privilege level to allow a user access to only CSM config commands while in config mode? I'm trying to allow members of our server/web team to check on the status of the web servers and to take them out of service for maintenance... and not allow them access to change any other configs on the switch.
Thanks... Jeff

Here is an example for enable 5
enable secret level 5
privilege slb-lam-mode-real level 5 no inservice
privilege slb-lam-mode-real level 5 inservice
privilege slb-lam-mode-real level 5 inservice standby
privilege slb-lam-mode-csm-sfarm level 5 real
privilege slb-lam-mode-csm-sfarm level 5 real name
privilege slb-lam-mode-csm level 5 server
privilege configure level 5 module csm
privilege exec level 5 conf t
privilege exec level 5 exit

Similar Messages

  • Privilege level for the commands

    Hi All,
    I am trying to modify the privilege level of the commands in my router.
    I need to understand what is the privilege level for the commands.
    Is there a command in the IOS or a link with a document on the CCO with the criteria or the list of the commands and their corresponding privilege level?
    Thanks
    Matteo

    Matteo
    I am not clear what it is that you are trying to do. But let me make a suggestion. While there are 16 privilege levels (0 through 15), there are two levels that are commonly used: 1 and 15. Level 1 is what is usually called user mode and is the default level when someone first logs into the router. My suggestion is to identify what group of commands you do not want to be available in user mode, decide if they should be available in something less than 15, pick a level, and assign the commands to that level.
    If you really do want to start from a list of commands and their privilege level, I do not think that you will find any single source which will accurately give you the privilege level for all commands. The closest you will find is to look in the command reference and find the command. The command reference will usually describe the privilege level. Unfortunately I have found a few situations where the description of privilege level was not correct.
    My advice is that if you want to find the privilege level for some commands that you want to manipulate, that you get a router and try the command and determine what its privilege level is.
    HTH
    Rick

  • Change in privilege level for the command show logging

    I have recently discovered a change in behavior in IOS. The command show logging has traditionally been available at user level. Now it has become a privilege level 15 command.
    I thought that this was strange and opened a case with Cisco TAC about it. I was told that this is a new "feature" that was implemented for bugid CSCsl61281. Unfortunately this bugid is viewable by Cisco internally but not viewable by the public.
    The TAC engineer tells me that this change is integrated into these releases:
    This was integrated into the following releases:
    12.4(24.05.01)PIX11
    12.4(21.14.09)PIC01
    12.4(19.03)T
    12.2(52.23)SIN
    12.2(33)SXI01
    12.2(32.08.11)SX229
    12.2(32.08.11)SR174
    I do not think that this is a good change. If you do not think that this is a good change I suggest that you contact your Cisco support team and express your opinion about this change.
    Otherwise as you go to new versions of IOS be aware of the potential impact on your network monitoring processes and procedures that show logging will require level 15 privilege access.
    HTH
    Rick

    Hi Rick,
    Can you suggest me references to know more about privilege level commands?
    How to enable different commands for different levels of privileges?
    Thanks.
    -Sudhish

  • Privilege Level for Tacacs Account in Nexus 7000

    Hi,
    I have configured the Tacacs (ACS 4.2v) on Nexus 7000 (as mentioned below) and it works fine, but unlike IOS (6509) it doesn't prompt that you are in user exec mode (>) and then need to type enable and password for full privilege.
    In n7k when I entered into "configure terminal" it won't allow me to access other commands.
    How do I log in to level 15 privilege mode after authenticating from tacacs?
    (config)# show running-config tacacs+
    tacacs-server key 7 "xxxxx"
    tacacs-server host x.x.x.x key 7 "xxxx"
    aaa group server tacacs+ TacServer
        server x.x.x.x (same ip as tacacs-server host)
        use-vrf management
        source-interface Vlan2
    (config)# show running-config aaa
    aaa authentication login default group TacServer
    aaa authentication login console local
    aaa user default-role
    Here below are the commands accessible in "Terminal" currently
    (config)# ?
      no        Negate a command or set its defaults
      username  Configure user information.
      end       Go to exec mode
      exit      Exit from command interpreter
    isb.n7k-dcn-agg-1-sw(config)#

    Hi Jan.nielsen
    Issue is resolved but by another way.
    I have found the same resolution too of custom attribute command, but the Custom attribute option for shell command wasn't available in ACS v4.2, so after enabling shell for users and by clicking exec --> Shell Exec and enabling privilege level 15 in the same box of Shell options, it started working without any command.

  • Default Privilege Level for ASA users authenticated by Radius or TACACS when using ASDM

    Hello,
    I'm trying to figure out what the default privilege level is for users that are authenticated to the ASA via a remote authentication server when using the ASDM.
    The command "aaa authentication http console TACACS+ LOCAL" is used in the ASA config.
    The remote server is NOT setting any privilege levels for users. There are also no aaa authorization commands present in the config.
    So what privilege level do the users receive when they login with the ASDM? I'm being told that the users receive admin access which includes config write, reboot, and debug. But I cannot find any documentation stating the default level.
    Please advise. And providing links to Cisco documentation would be great too.
    Thanks,
    Brendan

    Hi Brendan,
    Hope the below excerpt from the document clarifies your query. Also I have provided the link to refer to.
    About Authorization
    Authorization controls access per user after users authenticate. You can configure the security appliance to authorize the following items:
    •Management commands
    •Network access
    •VPN access
    Authorization controls the services and commands available to each authenticated user. Were you not to enable authorization, authentication alone would provide the same access to services for all authenticated users.
    If you need the control that authorization provides, you can configure a broad authentication rule, and then have a detailed authorization configuration. For example, you authenticate inside users who attempt to access any server on the outside network and then limit the outside servers that a particular user can access using authorization.
    The security appliance caches the first 16 authorization requests per user, so if the user accesses the same services during the current authentication session, the security appliance does not resend the request to the authorization server.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/aaasetup.html
    Regards
    Karthik

  • PRIVILEGE LEVELS FOR ACS WITH AD DATABASE

    How do I configure two separate privilege levels for two groups? These groups exist in the AD database, i.e. my ACS (Pri & Backup) are looking in AD for authentication.

    Hi,
    If you are using TACACS,
    Bring users/groups in at level needed
    1. Go to user or group setup in ACS
    2. Drop down to "TACACS+ Settings"
    3. Place a check in "Shell (Exec)"
    4. Place a check in "Privilege level" and enter the priv level (1 to 15) in the adjacent field
    If you are using RADIUS,
    aaa new-model
    aaa authentication login default group radius local
    aaa authorization exec default group radius local
    radius-server host X.X.X.X key XXXX
    Following is the configuration required in the Radius Server
    The AV pair in the ACS -->group setup--> IETF RADIUS Attributes
    [006] Service-Type = Login
    /* Following is for getting the user straight into privileged mode */ to set priv 15
    The AV pair in Cisco IOS/PIX RADIUS Attributes
    [009\001] cisco-av-pair = shell:priv-lvl=15
    For more information on above commands, please refer to the following link :-
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/index.htm
    Please try the above and let me know if this helps.
    Thanks

  • Setting privilege level for logging into ASA through ACS

    Hi!,
    In my environment I implemented AAA for logging into switches, routers, ASA etc. through ACS, which is configured with TACACS+.
    I have set different privilege levels like readonly, readwrite etc. in ACS. They are working fine when I try to login into a switch or router.
    But in ASA I am unable to restrict the privilege levels of different users.
    Can someone please guide me with the ASA & ACS settings to solve this issue!

    Hi!!
    I tried this option. It is working fine with routers & switches. But for ASA privilege access it is not functioning.
    I created 3 profiles in "Shared Profiles" & added 1 of them in Group setting & added users to this group with mentioning group authentication. This way I am able to control access to the switches & routers with proper privilege. But when I tried to implement it the same way on the ASA it's not happening.
    Can you please check it out...

  • Aironet 1600 privilege level for MAC Filtering

    Hi,
    I want to permit from a user profile with the telnet CLI command to configure the new MAC address on the dot11 association mac-list 700.
    I have created the user 14 with the following commands:
    enable secret level 14 5 **************
    enable secret 5 **************
    privilege configure level 14 access-list
    privilege exec level 14 write memory
    privilege exec level 14 write
    privilege exec level 14 configure terminal
    privilege exec level 14 configure
    privilege exec level 14 show dot11 associations client
    privilege exec level 14 show dot11 associations
    privilege exec level 14 show dot11
    privilege exec level 14 show access-lists
    privilege exec level 14 show
    Access from login privilege 14
    1602AP16#show privile
    Current privilege level is 14
    1602AP16#show access-l
    Bridge address access list 700
        permit 100b.a965.7384   0000.0000.0000 (2 matches)
        permit 0026.c659.b182   0000.0000.0000
        permit 0019.d2c2.96c0   0000.0000.0000
    OK
    add the new MAC address
    1602AP16(config)#access-list ?                                        
      <1-99>       IP standard access list
      <100-199>    IP extended access list
      <1100-1199>  Extended 48-bit MAC address access list
      <1300-1999>  IP standard access list (expanded range)
      <200-299>    Protocol type-code access list
      <2000-2699>  IP extended access list (expanded range)
      <700-799>    48-bit MAC address access list
    1602AP16(config)#access-list 700 permit 0026.c659.b182   0000.0000.0000
                                                                   ^
    % Invalid input detected at '^' marker.
    I can open the user level 14 config and when I add the new MAC address I receive the "Invalid input detected" message.
    What is wrong ?
    Is it only permit at level 15 ?
    IOS version:
    Cisco IOS Software, C1600 Software (AP1G2-K9W7-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)
    Thank you for sharing your comments!
    Patrick

    Hi Patrick,
    Can you try this:
    privilege configure level 14 access-list
    and all other with priv 13.
    privilege exec level 13 write memory
    privilege exec level 13 write
    privilege exec level 13 configure terminal
    privilege exec level 13 configure
    privilege exec level 13 show dot11 associations client
    privilege exec level 13 show dot11 associations
    privilege exec level 13 show dot11
    privilege exec level 13 show access-lists
    privilege exec level 13 show
    and then try to configure it.
    If it still fails then you must use priv 15.
    Regards

  • Privilege level - tuning the commands

    This example allows users with level 10 privileges to configure an interface ip address...
    privilege exec level 10 configure terminal
    privilege configure level 10 interface
    privilege interface level 10 ip address
    My question is how to configure users in level 10 to ping ONLY ONE ip address..
    eg
    privilege exec level 10 ping 192.168.11.10
    But it seems that I can ping anyway?
    Router2#sh run | be privilege
    privilege interface level 10 ip address
    privilege interface level 10 ip
    privilege configure level 10 interface
    privilege configure level 10 hostname
    privilege exec level 10 ping !!!!!!!!!!!!!!!!
    privilege exec level 10 configure terminal
    privilege exec level 10 configure
    privilege exec level 10 no
    When I telnet into Router2 with the level 10 password I automatically get to the privileged mode
    and I have the following exec commands...
    Router2>en 10
    Password:
    Router2#?
    Exec commands:
    <1-99> Session number to resume
    access-enable Create a temporary Access-List entry
    access-profile Apply user-profile to interface
    clear Reset functions
    configure Enter configuration mode
    connect Open a terminal connection
    disable Turn off privileged commands
    disconnect Disconnect an existing network connection
    enable Turn on privileged commands
    exit Exit from the EXEC
    help Description of the interactive help system
    lock Lock the terminal
    login Log in as a particular user
    logout Exit from the EXEC
    modemui Start a modem-like user interface
    mrinfo Request neighbor and version information from a multicast router
    mstat Show statistics after multiple multicast traceroutes
    mtrace Trace reverse multicast path from destination to source
    name-connection Name an existing network connection
    no Disable debugging functions
    pad Open a X.29 PAD connection
    ping Send echo messages
    ppp Start IETF Point-to-Point Protocol (PPP)
    resume Resume an active network connection
    rlogin Open an rlogin connection
    show Show running system information
    slip Start Serial-line IP (SLIP)
    systat Display information about terminal lines
    tclquit Quit Tool Command Language shell
    telnet Open a telnet connection
    terminal Set terminal line parameters
    tn3270 Open a tn3270 connection
    traceroute Trace route to destination
    tunnel Open a tunnel connection
    udptn Open an udptn connection
    where List active connections
    x28 Become an X.28 PAD
    x3 Set X.3 parameters on PAD
    How can I select only the commands I really want from this list??
    ie how can I allow only one specific ping command?
    Thanks !

    Privilege levels can be configured on basis of commands allowed to be executed on that privilege level. It is not possible to restrict the execution of commands which are allowed based on its parameters. So you cannot make it to allow a ping to only one specific IP address and block the ping to others. You can use an access list to block ping to other IP addresses, however the access list will be applicable to all the users at any privilege level.

  • Initial privilege level for http/https login on Aironet

    When browsing to 1131 & 1242 via https, the password prompted for is level 1:
    "level_1_or_view_access"
    I would like this initial access to prompt for level 15 password or, at worst, level 2. Is there any way to change the level of initial access via http/https?
    Thanks in Advance

    To clarify, I wish to disallow web login for users with level 1 privileges.

  • User privilege level for configuration backup with PI 1.2

    We have more than 50 devices handled by PI 1.2 (testing). I would like to know how to do configuration archiving with a user who doesn't have write privilege.
    I tried like this.
    username john privilege 6 password cisco
    privilege exec level 6 show running-config
    (result) show run --> blank
    I tried this user with one of the switches in PI 1.2. It did not do configuration backup.
    username inout password inout
    username inout privilege 15 autocommand show running-config
    (result) once logged in, it automatically showed running-config. However when I tried PI 1.2 with this user (inout), I couldn't do configuration backup.
    reference
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
    so, my question is this. what is the solution for me to create certain user with read-only privilege while PI 1.2 is able to do configuration archiving ?
    thanks in advance

    7.4 MSE code will in fact require an update of Prime 1.2 to 1.3.0.20-
    It's pretty easy though and your licenses will still work from the Prime Infra side.
    Here's a link to upgrade PI to 1.3
    http://www.cisco.com/en/US/partner/docs/net_mgmt/prime/infrastructure/1.3/release/notes/cpi_rn_13.html#wp73605
    I personally would go ahead with the upgrade of both:::

  • Configure Read-Acces via user-defined privilege level

    Hello everybody,
    I'm looking for the best configuration to restrict a user to read-only. The restriction should be configured via CLI, not TACACS+.
    Hardware: 3750 (probably not interesting for this question)
    Oldest IOS: 12.2(53)SE1
    The user should be allowed to:
    see the running-configuration
    trigger all kinds of show-commands
    ping and traceroute from the device
    The user should not be allowed to:
    upload/delete/rename files on the flash-memory
    get into level 15 (not sure if I can avoid this)
    all other commands despite those from level 1 and those specified above
    Can someone help me with this?
    Thanks in advance!
    I won't forget to rate helpful posts

    Hi Tobias,
    You can configure multiple privilege levels on a switch as explained below.
    By default, the Cisco IOS software has two modes of password security: user EXEC and
    privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode.
    By configuring multiple passwords, you can allow different sets of users to have access to
    specified commands.
    For example, if you want many users to have access to the clear line command, you can
    assign it level 2 security and distribute the level 2 password fairly widely. But if you
    want more restricted access to the configure command, you can assign it level 3 security
    and distribute that password to a more restricted group of users.
    Setting the Privilege Level for a Command
    Beginning in privileged EXEC mode, follow these steps to set the privilege level for a
    command mode:
    Step 1: configure terminal
        Enter global configuration mode.
    Step 2: privilege mode level level command
        Set the privilege level for a command.
        For mode, enter configure for global configuration mode, exec for EXEC mode, interface
        for interface configuration mode, or line for line configuration mode.
        For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
        Level 15 is the level of access permitted by the enable password.
        For command, specify the command to which you want to restrict access.
    Step 3: enable password level level password
        Specify the enable password for the privilege level.
        For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
        For password, specify a string from 1 to 25 alphanumeric characters. The string cannot
        start with a number, is case sensitive, and allows spaces but ignores leading spaces. By
        default, no password is defined.
    Step 4: end
        Return to privileged EXEC mode.
    Step 5: show running-config or show privilege
        Verify your entries. The first command shows the password and access level configuration.
        The second command shows the privilege level configuration.
    Step 6: copy running-config startup-config
        (Optional) Save your entries in the configuration file.
    When you set a command to a privilege level, all commands whose syntax is a subset of that
    command are also set to that level. For example, if you set the show ip traffic command to
    level 15, the show commands and show ip commands are automatically set to privilege level
    15 unless you set them individually to different levels.
    To return to the default privilege for a given command, use the no privilege mode level
    level command global configuration command.
    This example shows how to set the configure command to privilege level 14 and define
    SecretPswd14 as the password users must enter to use level 14 commands:
    Switch(config)# privilege exec level 14 configure
    Switch(config)# enable password level 14 SecretPswd14
    Also you can change the default privilege level for all the users .
    Changing the Default Privilege Level for Lines
    Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line:
    Step 1: configure terminal
        Enter global configuration mode.
    Step 2: line vty line
        Select the virtual terminal line on which to restrict access.
    Step 3: privilege level level
        Change the default privilege level for the line.
        For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode
        privileges. Level 15 is the level of access permitted by the enable password.
    Step 4: end
        Return to privileged EXEC mode.
    Step 5: show running-config or show privilege
        Verify your entries. The first command shows the password and access level configuration.
        The second command shows the privilege level configuration.
    Step 6: copy running-config startup-config
        (Optional) Save your entries in the configuration file.
    Users can override the privilege level you set using the privilege level line configuration command
    by logging in to the line and enabling a different privilege level.
    They can lower the privilege level by using the disable command.
    If users know the password to a higher privilege level, they can use that password to enable the higher privilege level. You might specify a high level or privilege level for your console line to restrict line usage. 
    To return to the default line privilege level, use the no privilege level line configuration command. Also I am sending a document for your reference.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225see/scg/swauthen.htm#wp1154063
    HTH
    Regards
    Inayath
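The subset rule quoted above (setting a level on show ip traffic also sets show and show ip) and the behaviour seen earlier in this thread, where privilege exec level 10 ping 192.168.11.10 is stored as plain privilege exec level 10 ping, can both be checked offline before a config is pushed. The following Python script is an added example written for this page; it is not Cisco code and not any poster's code. It models those two rules over the privilege lines of a saved running-config, computes the effective per-level command set, and flags lines whose trailing arguments will be ignored. Two points are assumptions rather than documented IOS behaviour: the keyword heuristic (a token beginning with a letter is treated as a CLI keyword, anything else such as an IP address or a number as an argument), and the rule that a prefix implied by several commands takes the lowest of their levels. The sample config is constructed from the lines quoted in this thread.

```python
"""Audit model for Cisco IOS 'privilege <mode> level <n> <command>' lines.

Added example for this page (not Cisco code). Models two rules from the thread:
  * every prefix of a multi-word command inherits that command's level unless
    the prefix is set explicitly ("show ip traffic" -> "show", "show ip");
  * trailing arguments (an IP address after 'ping') are not command syntax, so
    only the keyword part is stored and restricted.
"""
import re

# Matches 'privilege <mode> level <n> <command words...>'
PRIV_LINE = re.compile(r"^\s*privilege\s+(\S+)\s+level\s+(\d{1,2})\s+(.+?)\s*$")
# Assumption: a CLI keyword starts with a letter; IP addresses, MAC addresses
# and plain numbers are arguments, not keywords.
KEYWORD = re.compile(r"[A-Za-z][A-Za-z0-9-]*$")

# Constructed sample, modelled on the configs quoted in this thread.
SAMPLE_CONFIG = """\
! constructed sample running-config fragment
privilege exec level 10 configure terminal
privilege configure level 10 interface
privilege interface level 10 ip address
privilege exec level 10 ping 192.168.11.10
privilege exec level 15 show ip traffic
privilege exec level 5 show ip
privilege exec level 10 no
"""


def parse_privilege_lines(config_text):
    """Return (entries, warnings).

    entries:  list of (mode, level, command) where command is the keyword
              prefix that IOS actually keeps.
    warnings: human-readable notes for lines whose arguments were dropped
              or whose level is out of range.
    """
    entries, warnings = [], []
    for raw in config_text.splitlines():
        m = PRIV_LINE.match(raw)
        if not m:
            continue
        mode, level, tokens = m.group(1), int(m.group(2)), m.group(3).split()
        if not 0 <= level <= 15:
            warnings.append(f"{raw.strip()}: level {level} is outside 0-15")
            continue
        keywords = []
        for tok in tokens:
            if not KEYWORD.match(tok):
                break  # first non-keyword token: everything from here is an argument
            keywords.append(tok)
        dropped = tokens[len(keywords):]
        if dropped:
            warnings.append(
                f"{raw.strip()}: arguments {' '.join(dropped)!r} are not command "
                f"syntax; only '{' '.join(keywords)}' is restricted")
        if keywords:
            entries.append((mode, level, " ".join(keywords)))
    return entries, warnings


def effective_levels(entries):
    """Map (mode, command) -> level after prefix expansion.

    Explicit assignments win over implied ones. Assumption: when several
    commands imply the same prefix at different levels, the lowest level is
    used, since the prefix must be reachable by the lowest-level user.
    """
    explicit = {(mode, cmd): level for mode, level, cmd in entries}
    implied = {}
    for mode, level, cmd in entries:
        words = cmd.split()
        for i in range(1, len(words)):
            key = (mode, " ".join(words[:i]))
            if key in explicit:
                continue
            implied[key] = min(level, implied.get(key, 15))
    return {**implied, **explicit}


def commands_available(levels, mode, user_level):
    """Sorted commands in `mode` that a user enabled at `user_level` may run."""
    return sorted(cmd for (m, cmd), lvl in levels.items()
                  if m == mode and lvl <= user_level)


if __name__ == "__main__":
    found, notes = parse_privilege_lines(SAMPLE_CONFIG)
    for note in notes:
        print("WARNING:", note)
    table = effective_levels(found)
    for (mode, cmd), lvl in sorted(table.items()):
        print(f"{mode:10} level {lvl:2}  {cmd}")
    print("exec commands at level 10:", commands_available(table, "exec", 10))
```

Run it against the output of show running-config | include privilege from a device; any WARNING line is a privilege entry that does not restrict what its author intended, which is exactly the ping case discussed above.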

  • Enable aaa accounting commands for all privilege levels?

    Here is the command's syntax:
    aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group groupname
    The "command" accounting type must include the privilege level of the commands you are logging. How do I log ALL commands?
    Take the following example:
    aaa accounting commands 15 default start-stop group mygroup
    If I issue this command will that mean commands the user executes that have a privilege level lower than 15 will not be logged? Or only commands that require exactly privilege level 15 will be logged?
    How can I log all commands regardless of privilege level?

    Hi Red,
    If you customize the command privilege level using the privilege command, you can limit which commands the appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
    The default privilege level is 0. So if you don't specify any privilege level then all should be accounted for.
    You can find the command detail at the link below. This is for ASA though.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/a1.html#wp1535253
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • ASDM Privilege Level default 15 for Radius users

    So this may be a bit of a dumb question...
    I stumbled upon an ASA today that is configured to authenticate against a Radius server for SSH and HTTPS connections. If I log in via SSH, I can't gain a privilege level of more than 1 (tried login command, etc).
    However, if I log in with ASDM, I always have privilege level 15.
    Command authorization is not enabled.
    Is this default behavior? If so, why? Do I need to enable command authorization to override this behavior?
    FYI, the system in question is running ASA 8.3(1)
    Thanks much

    aaa-server RADGR protocol radius
    aaa-server RADGR host 10.2.2.2
    timeout 4
    key cisco123
    aaa authentication enable console RADGR LOCAL
    After logging in, use the enable command with your user password.
    http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/access_management.html#wp1145571

  • What privilege level is required...

    We are looking to possibly delegate setting up AnyConnect to our Helpdesk (limited to ASDM, adding Apple UDIDs to an Access Policy). The question I have is what privilege level should be assigned that will allow them to add the UDID and limit (as much as possible) other changes?

    You will need to define local command authorization at a custom privilege level between 1-15 and assign the necessary commands to it (e.g. access-list, configure, cmd in your example). Then assign your Helpdesk usernames that privilege level.
    I don't believe you can restrict which access-lists they can edit; that's outside the scope of what you can do with ASDM (or the CLI). You'd have to move to CSM or an external portal with more role-based access control tools built in to get that granular.
    See this section of the ASDM Configuration Guide for details.
