Some scenarios require giving users console access without giving them complete control of the router. In these situations, configuring the router to grant limited access is helpful. This lab reviews how users are granted rights, using extended ping as the example.
Step 1 - Configuring Extended Ping for User, Elliot
User Elliot is created with the password toor. Elliot doesn't need privilege 15 rights, which would allow global configuration mode access or the configure terminal command. However, Elliot does need privilege level 7 and extended ping. To do this, the commands first enable extended ping at privilege level 7, then create the user Elliot, and finally run show run to see that Elliot is associated with level 7 and extended ping.
From the R-1 Router:
configure terminal
privilege exec level 7 ping
username elliot secret toor
username elliot privilege 7
do show run | inc username
Step 2 - Showing the Autocommand Function
The autocommand function restricts Elliot so that logging into the router only runs extended ping. Once the ping is complete, Elliot is kicked out of the terminal and has to log back in to run another extended ping.
While still in global configuration mode, first enable autocommand. Then Elliot telnets to 10.1.0.1, the router's ASAv-facing interface G0/1. Once the telnet login succeeds, extended ping is available. The ping test targets the inside ASAv interface at 10.1.0.250. Once it completes, notice that Elliot is kicked out immediately due to autocommand. This is also verified with who: if Elliot were still logged into the terminal, Elliot's username would appear in the who output. Then write is issued to save the running configuration.
username elliot autocommand ping
end
telnet 10.1.0.1
elliot
toor
[enter for protocol]
10.1.0.250
[enter for the rest of extended ping setup]
who
write
Step 3 - Introducing Nohangup
Nohangup leaves Elliot with a suspended session in the terminal instead of being booted completely after the extended ping. After Elliot finishes the extended ping, he can enter his username and password again instead of having to telnet again.
Once nohangup is configured and demonstrated, notice how the username prompt comes back when the ping completes.
configure terminal
username elliot nohangup
end
telnet 10.1.0.1
elliot
toor
[enter for protocol]
10.1.0.250
[enter for the rest of extended ping setup]
[notice how username pops up, instead of going back to the R1# prompt]
Step 4 - Configuring Elliot for Privilege 7 Only
Elliot will no longer be limited to extended ping and then kicked back out. The next commands give Elliot access to privilege level 7, meaning Elliot can still use extended ping (which can't be used with level 1 privilege), but level 7 does not allow Elliot to run configure terminal. After this is configured, the configuration is saved.
configure terminal
do show run | inc elliot
no username elliot
[enter to confirm]
username elliot privilege 7 secret toor
end
show run | inc elliot
telnet 10.1.0.1
elliot
toor
who
exit
write
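
Added example (not part of the original lab): a short Python script that reads the username and privilege exec level lines from show run output and reports, for each local user, the privilege level, what happens at login (autocommand with or without nohangup), and which reassigned commands are within reach. The sample configuration, the admin user and the hash placeholders are constructed; the script assumes a user with no privilege keyword logs in at level 1.

```python
import re

# Constructed sample of "show run" lines; admin and the hashes are placeholders.
SAMPLE_CONFIG = """\
privilege exec level 7 ping
username admin privilege 15 secret 5 <hash-placeholder>
username elliot privilege 7 secret 5 <hash-placeholder>
username elliot autocommand ping
username elliot nohangup
"""

def parse(config):
    # Returns (users, levels): per-user settings and exec commands moved per level.
    users, levels = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"privilege exec level (\d+) (.+)", line)
        if m:
            levels.setdefault(int(m.group(1)), []).append(m.group(2))
            continue
        m = re.match(r"username (\S+)\s*(.*)", line)
        if not m:
            continue
        # Assumption: a user with no privilege keyword logs in at level 1.
        user = users.setdefault(m.group(1), {"privilege": 1, "autocommand": None, "nohangup": False})
        # autocommand consumes the rest of the line, so split it off first.
        options, _, auto = m.group(2).partition("autocommand ")
        if auto:
            user["autocommand"] = auto.strip()
        p = re.search(r"\bprivilege (\d+)", options)
        if p:
            user["privilege"] = int(p.group(1))
        if re.search(r"\bnohangup\b", options):
            user["nohangup"] = True
    return users, levels

def report(config):
    users, levels = parse(config)
    out = {}
    for name, u in users.items():
        if u["autocommand"] is None:
            session = "interactive"
        elif u["nohangup"]:
            session = "autocommand, then login prompt"
        else:
            session = "autocommand, then disconnect"
        # A user can run every command assigned to a level at or below their own.
        granted = sorted(c for lvl, cmds in levels.items() if lvl <= u["privilege"] for c in cmds)
        out[name] = dict(privilege=u["privilege"], session=session, granted=granted)
    return out
```

Calling report(SAMPLE_CONFIG) returns a dictionary keyed by username; feed it the output of show run | inc username|privilege to review a real router.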


