05-25-2006 01:11 AM - edited 03-10-2019 02:36 PM
Hello all. Hopefully, this will prove to be an easy question with a simple answer!
I want to configure local username/passwords on my router, with different privilege levels. For example username admin is only allowed to access privilege level 1 commands, and username engineer is allowed to enter all commands (level 15). However, when I test this via console or telnet, both go into user mode to start with (Router>) and I can enter enable mode on both username logins by entering the enable password (Router#). Therefore, both usernames have the same access rights (to all commands) even though they have different privilege levels. I thought the privilege level 1 account would not be allowed to issue level 15 commands?
Can anyone point me in the right direction.....
!
aaa new-model
aaa authentication login default local
aaa authorization commands 1 default local
aaa authorization commands 15 default local
enable secret test
!
username admin privilege 1 password cisco1
username engineer privilege 15 password cisco2
!
Thanks.
05-25-2006 07:53 AM
Darren
It seems to me that there is a fairly simple solution to your situation: do not give the enable password to users who should be restricted to level 1 commands.
No matter what privilege level they start at, anyone who can enter the correct enable password (or enable secret) will gain level 15 access.
HTH
Rick
05-25-2006 08:03 AM
Thanks Rick for the response. Like you say, there is a simple solution, but it makes me wonder why would you want to configure a privilege level if it doesn't have any effect?
Or does it have its uses elsewhere.....
06-21-2006 01:57 PM
Just typing enable defaults to enable 15
A careful look at the following commands should answer your question.
Router6>enable ?
<0-15> Enable level
Router6(config)#enable password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) 'enable' password
level Set exec level password
Router6(config)#enable password le
Router6(config)#enable password level ?
<1-15> Level number
Victor
07-06-2006 10:56 AM
Is your ACS server configured with advanced tacacs+ settings? If so, under user setup, you can select "No enable privilege". They will not be allowed to enter enable mode even if they enter the correct password. With regard to local usernames and passwords, it only states what level they can start at. If they know the enable password, then they can get to enable mode.
07-07-2006 01:32 AM
Darren,
The privilege levels are used when you do not want to give full level 15 access to someone but only some commands.
For example you may want a tech. to be able to change the bandwidth of an interface and nothing else. So we reduce the privilege level of the interface bandwidth command to say 10 and give the tech level 10 access.
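To make the idea in the reply above concrete, here is an added example configuration; it is not from the thread, and the hostnames, usernames and secrets are made up. A "tech" account gets only the interface bandwidth command at level 10, while "engineer" keeps full level-15 access and the tech is never told the level-15 enable secret.

```ios
! Added example, not part of the original thread. Usernames and secrets are
! placeholders; replace them before use.
aaa new-model
aaa authentication login default local
! Apply the privilege level configured on the username at login.
! Without exec authorization, local users land in level 1 (Router>) no
! matter what privilege level the username carries.
aaa authorization exec default local
!
! Separate enable secrets per level. The tech is told only the level-10
! secret, so "enable" alone (which means "enable 15") fails for them.
enable secret level 10 TECH-LEVEL-SECRET
enable secret level 15 FULL-ACCESS-SECRET
!
username tech privilege 10 secret tech-secret
username engineer privilege 15 secret engineer-secret
!
! Move only the commands the tech needs down to level 10: the path into
! interface configuration and the bandwidth command. Every other command
! keeps its default level, so "ip address", "shutdown" and the rest stay
! at level 15. Enforcement is the privilege level of each command itself.
privilege exec level 10 configure terminal
privilege configure level 10 interface
privilege interface level 10 bandwidth
```

After logging in as tech, "show privilege" should report level 10, and commands left at level 15 are simply not available in that session.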