Extreme Networks

M_Nees · ‎11-27-2015

Is it possible to restrict the commands for an specific user on the XOS shell ?
For example that this user can only execute "disable inlinepower ..." on ethernet ports ?

PS: i know that via SNMP (tree view) it would be possible also. But we prefer CLI.

Thanks for helpful suggestions.

Frank · ‎11-30-2015

We're using Shrubbery's tac_plus (http://www.shrubbery.net/tac_plus/) TACACS+ implementation on a linux box to do authentication (against our AD domain via ldap) , command logging, and access restrictions. Just in case that the "no choice" boils down to "feeding money to Cisco"
Tacacs works with all the 15.5.* firmware versions that we have.

Sorry, it's been a while since I touched anything Radius - I'm not sure where to grab a free/GPL/etc implementation anymore

M_Nees · ‎11-30-2015

OK - Cisco ACS (incl. TACACs) is no choice for me ... It seems it is with XOS CLI not possible. So snmp with restricted SNMP views is the only way to get it.

Alexandr_P · ‎11-30-2015

Matthias!

I don't really remember - it's was a lot time ago, but I remember that as server used Cisco's TACACS server (ACS). ACS have configuration for accepted for use commands:

29fba55f3e91475089e376d665455ef2_RackMultipart20151130-11716-wwrfl0-1_inline.png

29fba55f3e91475089e376d665455ef2_RackMultipart20151130-6510-1fm50td-2_inline.png

29fba55f3e91475089e376d665455ef2_RackMultipart20151130-6762-1palxbw-3_inline.png

29fba55f3e91475089e376d665455ef2_RackMultipart20151130-18020-87qvfh-4_inline.png

Thank you!

M_Nees · ‎11-30-2015

Hi Alexandr,

can you give me an example how i can implement this ?
But why only in older versions then XOS 15.2 ? We using X450-G2 with XOS 16.1.1.4.

Regards

Extreme Networks

XOS restrict CLI commands

XOS restrict CLI commands