Wednesday, October 29, 2008

CISCO menu

In my previous post, CISCO IOS privilege levels, I described how user access to specific commands can be controlled by making use of CISCO privilege levels. Another tool available in the CISCO arsenal is the use of menus.

By making use of the menu command, access can be limited to only the commands explicitly made available on the menu.

To apply menu access to a particular user login, simply apply the following config, where RICH is the name of the menu to be invoked upon login.

user x password y
user z autocommand menu RICH

line vty 0 4
login local



Unless configuring menus is something that you do day to day, or you have a desire to master this subject, my advice on creating menus is to refer to the CISCO doc CD and crib the syntax from there.

http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf004.html#wp1002212

The example given is


menu new title ^C
Telnet Menu
^C
menu new prompt ^C
Please enter your selection: ^C
menu new text 1 telnet system1
menu new command 1 telnet system1
menu new options 1 pause
menu new text 2 telnet system2
menu new command 2 telnet system2
menu new options 2 pause
menu new text b telnet systemblue
menu new command b telnet systemblue
menu new options b pause
menu new text me show user
menu new command me show user
menu new options me pause
menu new command here show version
menu new text Exit Exit
menu new command Exit menu-exit
menu new clear-screen
menu new status-line
menu new default me

Invoking the above config gives the following menu

C
Telnet Menu


1 telnet system1

2 telnet system2

b telnet systemblue

me show user

Exit Exit

C


One hidden command 'show version' is available in this menu. This can be invoked by entering the text 'here'.

One point in this doc CD example I didn't like was the Exit command. Once entered, it returns the user to the command prompt! In a real-world scenario I would suggest this needs to be changed to exit the router.

This leads me to another point. After applying the following config.....

no menu new command Exit menu-exit
menu new command Exit exit

I found the first command, no menu new command Exit menu-exit, had in fact removed the whole menu! Hence, before attempting any mods on a menu, save it in Notepad first! Once I reapplied the config with this modified command it had the desired effect: upon exiting the menu the user's telnet session is terminated.
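
As an added example (not part of the original post or of the CISCO documentation), the following Python script audits a saved configuration for the three points raised above: a hidden item such as 'here', an item that runs menu-exit, and an autocommand that points at a menu that is not (or is no longer) defined. The sample configuration, its user names and the function name audit_menus are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: part of the doc CD menu plus two local users (assumed names).
SAMPLE_CONFIG = """\
username x autocommand menu RICH
username z autocommand menu new
menu new text 1 telnet system1
menu new command 1 telnet system1
menu new command here show version
menu new text Exit Exit
menu new command Exit menu-exit
"""

def audit_menus(config):
    """Return a sorted list of (menu, item, finding) tuples."""
    text = defaultdict(set)      # menu -> item keys that have a visible text line
    command = defaultdict(dict)  # menu -> {item key: command to run}
    bound = set()                # menus invoked through 'autocommand menu <name>'
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"menu (\S+) (text|command) (\S+) (.+)$", line)
        if m:
            name, kind, key, rest = m.groups()
            if kind == "text":
                text[name].add(key)
            else:
                command[name][key] = rest.strip()
            continue
        m = re.match(r"user(?:name)? \S+ .*\bautocommand menu (\S+)", line)
        if m:
            bound.add(m.group(1))
    findings = []
    for name, items in command.items():
        for key, cmd in items.items():
            if key not in text[name]:
                findings.append((name, key, "hidden item: command without text"))
            if cmd == "menu-exit":
                findings.append((name, key, "menu-exit returns user to the command prompt"))
    for name in bound - set(command):
        findings.append((name, "-", "autocommand references an undefined menu"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_menus(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```

Running it against a copy of the config saved before and after a menu change shows whether an edit has removed the menu a user's autocommand depends on.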
