
XOS restrict CLI commands


M_Nees
Contributor III
Is it possible to restrict the commands for a specific user on the XOS shell?
For example, so that this user can only execute "disable inlinepower ..." on Ethernet ports?

PS: I know that it would also be possible via SNMP (tree view). But we prefer the CLI.

Thanks for helpful suggestions.

Frank
Contributor
We're using Shrubbery's tac_plus (http://www.shrubbery.net/tac_plus/) TACACS+ implementation on a Linux box to do authentication (against our AD domain via LDAP), command logging, and access restrictions. Just in case the "no choice" boils down to "feeding money to Cisco".
TACACS works with all the 15.5.* firmware versions that we have.

Sorry, it's been a while since I touched anything RADIUS - I'm not sure where to grab a free/GPL/etc. implementation anymore.

M_Nees
Contributor III
OK - Cisco ACS (incl. TACACS) is no choice for me ... It seems it is not possible with the XOS CLI. So SNMP with restricted SNMP views is the only way to get it.

Alexandr_P
Valued Contributor
Matthias!

I don't really remember - it was a long time ago, but I remember that the server used was Cisco's TACACS server (ACS). ACS has a configuration for the commands accepted for use:

[Four inline screenshots]



Thank you!

M_Nees
Contributor III
Hi Alexandr,

Can you give me an example of how I can implement this?
But why only in versions older than XOS 15.2? We are using X450-G2 with XOS 16.1.1.4.

Regards