https://community.cisco.com/t5/network-access-control/disabling-enable/m-p/988651#M407367 <P>Using new model aaa with local users on recent IOS, can I let a user do everything except run the "enable" command to enter privileged mode?</P><P></P><P>Then a read-only user would be unable to enable even if they knew the enable secret, and admins would need two passwords to change things.</P><P></P><P>Thanks.</P><P></P><P>Paul</P> Sun, 10 Mar 2019 22:44:04 GMT pnicolette 2019-03-10T22:44:04Z https://community.cisco.com/t5/network-access-control/disabling-enable/m-p/988651#M407367 <P>Using new model aaa with local users on recent IOS, can I let a user do everything except run the "enable" command to enter privileged mode?</P><P></P><P>Then a read-only user would be unable to enable even if they knew the enable secret, and admins would need two passwords to change things.</P><P></P><P>Thanks.</P><P></P><P>Paul</P> Sun, 10 Mar 2019 22:44:04 GMT https://community.cisco.com/t5/network-access-control/disabling-enable/m-p/988651#M407367 pnicolette 2019-03-10T22:44:04Z https://community.cisco.com/t5/network-access-control/disabling-enable/m-p/988652#M407368 <HTML><HEAD></HEAD><BODY><P>Paul,</P><P>Please check this link,</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml" target="_blank">http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml</A></P><P></P><P></P><P>Regards,</P><P>~JG</P><P></P><P>Do rate helpful posts</P></BODY></HTML> Wed, 19 Mar 2008 18:29:59 GMT https://community.cisco.com/t5/network-access-control/disabling-enable/m-p/988652#M407368 Jagdeep Gambhir 2008-03-19T18:29:59Z https://community.cisco.com/t5/network-access-control/disabling-enable/m-p/988653#M407369 <HTML><HEAD></HEAD><BODY><P>Thanks, JG. I may have learned something trying to apply the info:</P><P></P><P>Best I can tell, in the IOS security model, a user defined as privilege 15 is NOT at 15 when they first log in, but at 1. They must enter <B>enable</B> and reenter their password to reach 15. (True??)</P><P></P><P>So to "disable enable" I must</P><P></P><P> - create a user at priv 0</P><P> - add the show commands to priv 0</P><P> - and elevate "enable" to priv 1</P><P></P><P>I think.</P></BODY></HTML> Wed, 19 Mar 2008 23:16:07 GMT https://community.cisco.com/t5/network-access-control/disabling-enable/m-p/988653#M407369 pnicolette 2008-03-19T23:16:07Z