Posted on October 30, 2013 11:42 pm
 |  Asked by Addison Chi
Print Friendly, PDF & Email

How to restrict a user to only run “show run” if he is logged in via ssh?

Posted by Addison Chi
Answered on October 30, 2013 11:44 pm

Any user specific restricted commands (e.g. show run) need to be configured on the TACACS+/Radius server. You also need to configure AAA on your switch in order to restrict specific command once a user has logged in.

AAA is extensively covered in Section 4 of our EOS config guide, which can be found here.

The following simple example shows how you can restrict user access to the device and authorise and record any changes made to the device:

  • - configure a TACACS or Radius server for AAA; this is on the TACACS/Radius server where you would restrict the show run command by username
  • tacacs-server host key test
  • - authenticate any users logging into the switch
  • aaa authentication login default group tacacs+ local
  • - authenticate the user for the enable password
  • aaa authentication enable default group tacacs+ local
  • - authorise any commands with the TACACS server fiirst and then the local user database
  • aaa authorization commands all group tacacs+{group name} local
  • - record any commands the user may have entered on the switch
  • aaa accounting commands all group tacacs+ default start-stop group tacacs+

Post your Answer

You must be logged in to post an answer.