XOS restrict CLI commands

  • Question
  • Updated 3 years ago
  • Answered
Is it possible to restrict the commands for a specific user on the XOS shell?
For example, that this user can only execute "disable inlinepower ..." on Ethernet ports?

PS: I know that it would also be possible via SNMP (tree view). But we prefer the CLI.

Thanks for helpful suggestions.

M.Nees, Embassador


Posted 3 years ago


Sumit Tokle, Alum

Not yet.

Rahmathullah, Syed Nishath, Employee

Hi Matthias,
I checked the documentation and tried in the lab as well to see if this functionality exists. I do not see any such functionality supported till EXOS 16.1. User accounts can only be:
1. Admin - With read and write access
2. User - With read-only access

Do you want your requirement to be supported in a later version of EXOS?

If yes, please open a service request with GTAC for a feature request.

Thanks, Syed

Alexandr P, Embassador

Hi, Matthias!

You can do this when you use a RADIUS server for authentication.
In the RADIUS server configuration you can type the commands which are accepted for use by certain users.

But this was in EXOS versions less than 15.2.

Thank you!

M.Nees, Embassador

Hi Alexandr,

Can you give me an example of how I can implement this?
But why only in versions older than XOS 15.2? We are using X450-G2 with XOS 16.1.1.4.

Regards

Alexandr P, Embassador

Matthias!

I don't really remember - it was a long time ago, but I remember that the server used was Cisco's TACACS server (ACS). ACS has a configuration for the commands accepted for use:





Thank you!

M.Nees, Embassador

OK - Cisco ACS (incl. TACACS) is no choice for me ... It seems it is not possible with the XOS CLI. So SNMP with restricted SNMP views is the only way to get it.

Frank

We're using Shrubbery's tac_plus (http://www.shrubbery.net/tac_plus/) TACACS+ implementation on a Linux box to do authentication (against our AD domain via LDAP), command logging, and access restrictions. Just in case that the "no choice" boils down to "feeding money to Cisco".
TACACS works with all the 15.5.* firmware versions that we have.

Sorry, it's been a while since I touched anything RADIUS - I'm not sure where to grab a free/GPL/etc. implementation anymore.
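
Added example (not from any poster in this thread, and not tac_plus or EXOS code): a small Python model of the per-command allow-list discussed above, in the style of a TACACS+ server's ordered permit/deny regex rules, for checking a rule set against sample CLI lines before deploying it. The policy, the sample command lines, the search-style regex matching and the assumption that the switch submits the full command line for authorization are all constructed for illustration.

```python
import re

# Constructed policy: the first word of the CLI line selects a rule list,
# the remaining words are tested against the ordered rules, first match wins.
STRICT_POLICY = {
    "disable": [
        ("permit", r"^inlinepower ports [0-9:,-]+$"),  # anchored at both ends
        ("deny", r".*"),
    ],
    "show": [("permit", r"^inlinepower( .*)?$")],
}

# Same intent, but the pattern is unanchored, so it matches anywhere in the
# argument string and permits more than the operator meant to allow.
WEAK_POLICY = {"disable": [("permit", r"inlinepower")]}


def authorize(line, policy=STRICT_POLICY):
    """Return 'permit' or 'deny' for one CLI line (fail closed by design)."""
    words = line.split()
    if not words:
        return "deny"
    cmd, args = words[0], " ".join(words[1:])
    rules = policy.get(cmd)
    if rules is None:
        return "deny"          # command has no rule list at all
    for action, pattern in rules:
        if re.search(pattern, args):
            return action
    return "deny"              # rule list exists but nothing matched


def audit(lines, policy):
    """Map each sample line to its decision, for reviewing a policy."""
    return {line: authorize(line, policy) for line in lines}


# Constructed sample command lines, not captured from a switch.
SAMPLES = [
    "disable inlinepower ports 1-4",
    "disable inlinepower ports 1:1,1:5-1:8",
    "disable ports 1-4",
    "disable ports 1 inlinepower",
    "show inlinepower",
    "configure vlan Default add ports 1",
]

if __name__ == "__main__":
    for name, pol in (("strict", STRICT_POLICY), ("weak", WEAK_POLICY)):
        for line, decision in audit(SAMPLES, pol).items():
            print(f"{name:6} {decision:6} {line}")
```

Whether a given EXOS release sends abbreviated or expanded commands to the server is not stated in this thread, so test the rules against what the accounting log actually records.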