Thursday, September 3, 2009
Privilege command for Cisco IOS CAT 3750/3560/3550
Below are sample privilege commands.
enable secret level 2 poweruser -> Creates the enable secret "poweruser" as the level 2 enable password
privilege exec level 2 config t -> Allows the use of "config t" for a level 2 user
privilege exec level 2 show run -> Allows the use of "show run" for a level 2 user
privilege exec level 2 write mem -> Allows the use of "write mem" for a level 2 user, so changes can be saved
privilege configure level 2 interface -> Allows the use of the "interface" command for a level 2 user in config mode
privilege interface level 2 description -> Allows the use of the "description" command for a level 2 user in interface config mode
The commands below allow the user to change the speed and duplex of an interface in config mode
privilege interface level 2 speed 10
privilege interface level 2 speed 100
privilege interface level 2 speed auto
privilege interface level 2 duplex half
privilege interface level 2 duplex full
privilege interface level 2 duplex auto
The command below allows the user to change the VLAN of an interface in config mode
privilege interface level 2 switchport access vlan
The command below allows the user to shut down an interface in config mode
privilege interface level 2 shutdown
The command below allows the user to set portfast on an interface in config mode
privilege interface level 2 spanning-tree portfast
You can pretty much add the commands that you would like them to be able to access.
All we did was create another enable password for level 2. So when you log in to the switch, instead of using just "enable" you type "enable 2" and the password will be "poweruser".
After you enable the privilege commands you can also enable Archive. This will let you see the changes made on the switch by a user.
archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
- To show the archive list
show archive log config all
- To clear the archive list
clear archive log config
Now let's check the configuration.
rbautista_adm knows the regular enable password and rbautista only knows the enable 2 password.
Below I change the hostname, since I have access to everything.
Below rbautista logs in using the enable 2 password.
The user that uses the enable 2 password cannot change the hostname of the switch, because the hostname command is not in the list of commands he has access to.
He also has no access to show archive. Now let's log in using the regular enable with rbautista_adm.
As you can see, the changes I made are listed above. You can also clear the archive log if it gets full. We set it up with a queue length of 200; the default is 100 and the maximum queue length is 1000.
Note: Don't get confused with rbautista_adm and rbautista. I can log in as rbautista_adm, but if I use the enable 2 password I still only have access to the commands we made available.
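As an added example (my own script, not part of the original post), here is a small Python audit that reads an IOS running-config text and reports what each privilege level was granted, whether every such level has a matching enable secret, and whether the archive "log config" block has "logging enable" and "hidekeys" set. The config fragment is constructed for the example; the secret hash is a placeholder.

```python
import re
from collections import defaultdict
# Constructed running-config fragment modelled on the post's commands: a placeholder
# secret hash, a level 3 with commands but no enable secret, and no 'hidekeys'.
SAMPLE_CONFIG = """\
enable secret level 2 5 $1$PLACEHOLDER
privilege exec level 2 configure terminal
privilege exec level 2 show running-config
privilege interface level 2 shutdown
privilege exec level 3 reload
archive
 log config
  logging enable
"""
PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+?)\s*$")
SECRET_RE = re.compile(r"^enable (?:secret|password) level (\d+)\b")
def privilege_map(config):
    # {level: {mode: [commands]}} from every 'privilege <mode> level <n> <cmd>' line
    levels = defaultdict(lambda: defaultdict(list))
    for m in filter(None, map(PRIV_RE.match, config.splitlines())):
        levels[int(m.group(2))][m.group(1)].append(m.group(3))
    return {lvl: dict(modes) for lvl, modes in levels.items()}
def archive_log_config(config):
    # Flags found under 'archive / log config' (children are indented deeper than it)
    status = {"logging_enable": False, "hidekeys": False}
    block_indent = None
    for line in config.splitlines():
        indent, text = len(line) - len(line.lstrip()), line.strip()
        if block_indent is not None and indent <= block_indent:
            block_indent = None                  # left the log config block
        if block_indent is None:
            block_indent = indent if text == "log config" else None
            continue
        if text == "logging enable":
            status["logging_enable"] = True
        elif text == "hidekeys":
            status["hidekeys"] = True
    return status
def audit(config):
    # Findings a reviewer wants: levels with no enable secret, and missing log settings
    secrets = {int(m.group(1)) for m in map(SECRET_RE.match, config.splitlines()) if m}
    findings = [f"level {lvl}: privilege commands but no enable secret for that level"
                for lvl in sorted(privilege_map(config)) if lvl not in secrets]
    log = archive_log_config(config)
    if not log["logging_enable"]:
        findings.append("archive log config: 'logging enable' missing, changes not recorded")
    if not log["hidekeys"]:
        findings.append("archive log config: 'hidekeys' missing, passwords would be logged")
    return findings
```

Run audit() over the text of "show running-config" saved from the switch; an empty list means every granted level has a secret and change logging is on with keys hidden.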
Our network closets.
This closet was one of the first closets I ever built, with three 3750Gs all stacked together.
Before closet cleanup
After. We upgraded our end-of-life 3500XL switches to CAT 3560Gs.
We patched every patch panel port to a switch port, hoping to keep control of the closet so other people cannot plug anything into our switches.
Below are other network closets that we setup.
Two CAT 3750G switches stacked together.
Please feel free to add any comments or suggestions on how you do your network closets.
Enabling Radius authentication with Cisco IOS switches (3750/3560/3550/3500XL) using IAS on Microsoft 2003 server.
In Windows Server under administration tools click on Internet Authentication Service.
Right click on RADIUS Clients and click on “new RADIUS client” enter a friendly name and Client address. Click Next.
Type the shared secret. You will need it later when you configure the Cisco switch. I used cisco as the shared secret for this example. Click Finish and the client should be added to your RADIUS clients.
Log in to 1.1.1.1, which is the IP address you added in IAS, and from the Cisco switch configuration terminal enter the commands below:
aaa new-model
aaa authentication login RADIUS group radius line
radius-server host 192.168.1.200 auth-port 1645 acct-port 1646 key cisco
(Note: host is the IP address of your RADIUS server and key is the shared secret we entered on the RADIUS server when we created the client.) If you have multiple RADIUS servers you can add another one as a backup. Make sure that all the RADIUS servers are configured to accept requests from all the RADIUS clients.
line vty 0 4
login authentication RADIUS
line vty 5 15
password cisco
(Note: if for some reason the switch cannot reach the RADIUS server, you will be asked for the telnet line password instead.)
Log out and telnet to the switch; you should be prompted for a username and password.
Next time I will show you how to add privilege commands to allow power users certain commands without the use of Cisco ACS.