
XOS restrict CLI commands

Userlevel 6
Is it possible to restrict the commands for a specific user on the XOS shell?
For example, that this user can only execute "disable inlinepower ..." on Ethernet ports?

PS: I know that it would also be possible via SNMP (tree view). But we prefer CLI.

Thanks for helpful suggestions.

7 replies

Userlevel 4
Not yet.
Userlevel 2
Hi Matthias,
I checked in the documentation and tried in the lab as well to see if this functionality exists; I do not see any such functionality supported till EXOS 16.1. User accounts can only be
1. Admin - With Read and write access
2. User - With Read only access

Do you want your requirement to be supported in a later version of EXOS?

If yes, please open a service request with GTAC for feature request.

Userlevel 6
Hi, Matthias!

You can do this when you use a RADIUS server for authentication.
In the RADIUS server configuration you can specify the commands that certain users are allowed to use.

But this was in EXOS versions less than 15.2.

Thank you!
Userlevel 6
Hi Alexandr,

Can you give me an example of how I can implement this?
But why only in versions older than XOS 15.2? We are using X450-G2 with XOS

Userlevel 6

I don't really remember - it was a long time ago, but I remember that the server used was Cisco's TACACS server (ACS). ACS has a configuration for the commands accepted for use:

Thank you!
Userlevel 6
OK - Cisco ACS (incl. TACACS) is no choice for me ... It seems it is not possible with the XOS CLI. So SNMP with restricted SNMP views is the only way to get it.
Userlevel 5
We're using Shrubbery's tac_plus (http://www.shrubbery.net/tac_plus/) TACACS+ implementation on a Linux box to do authentication (against our AD domain via LDAP), command logging, and access restrictions. Just in case the "no choice" boils down to "feeding money to Cisco".
TACACS works with all the 15.5.* firmware versions that we have.

Sorry, it's been a while since I touched anything RADIUS - I'm not sure where to grab a free/GPL/etc. implementation anymore.
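
The per-command restriction asked about in this thread, as an added example that is not from any of the posters or from tac_plus itself: a small Python checker for ordered permit/deny regex lists of the kind a TACACS+ server applies per command, run against sample EXOS lines before the rules are deployed. Assumptions: the first word is the command and the remaining words are joined with single spaces, rules are tried in order with an unanchored search, the first match wins and anything unmatched is denied; the rule sets, sample lines and the policy that `ports all` is refused are constructed.

```python
import re

# Constructed rule sets: command word -> ordered (action, regex) pairs that are
# matched against the argument string following that word.
WEAK = {"disable": [("permit", r"inlinepower")]}
STRICT = {"disable": [
    # Only explicit port lists such as 5, 1:5, 1:1-1:24 or 3,7,9.
    ("permit", r"^inlinepower ports [0-9]+(:[0-9]+)?([,-][0-9]+(:[0-9]+)?)*$"),
    ("deny", r".*"),
]}

# Constructed sample lines paired with the decision the policy should give.
SAMPLES = [
    ("disable inlinepower ports 5", "permit"),
    ("disable inlinepower ports 1:1-1:24", "permit"),
    ("disable inlinepower ports all", "deny"),   # assumed site policy
    ("disable inlinepower", "deny"),             # switch-wide PoE shutdown
    ("disable ports 5", "deny"),
    ("enable inlinepower ports 5", "deny"),
]


def authorize(rules, command_line):
    """Return 'permit' or 'deny' for one CLI line under a rule set."""
    words = command_line.split()
    if not words:
        return "deny"
    cmd, args = words[0], " ".join(words[1:])
    for action, pattern in rules.get(cmd, []):   # unlisted command: no rules
        if re.search(pattern, args):             # unanchored unless ^...$ is used
            return action                        # first matching rule decides
    return "deny"                                # implicit deny


def audit(rules, samples):
    """Return (line, expected, actual) for every sample the rules get wrong."""
    return [(line, want, authorize(rules, line))
            for line, want in samples
            if authorize(rules, line) != want]


if __name__ == "__main__":
    for name, rules in (("WEAK", WEAK), ("STRICT", STRICT)):
        print(name, audit(rules, SAMPLES))
```

The unanchored `WEAK` rule also lets through the switch-wide `disable inlinepower` and `ports all`, which is why the strict rule anchors both ends and is followed by an explicit deny.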