03-19-2008 10:38 AM - edited 03-10-2019 03:44 PM
Using new model aaa with local users on recent IOS, can I let a user do everything except run the "enable" command to enter privileged mode?
Then a read-only user would be unable to enable even if they knew the enable secret, and admins would need two passwords to change things.
Thanks.
Paul
03-19-2008 11:29 AM
Paul,
Please check this link,
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
Regards,
~JG
Do rate helpful posts
03-19-2008 04:16 PM
Thanks, JG. I may have learned something trying to apply the info:
Best I can tell, in the IOS security model, a user defined as privilege 15 is NOT at 15 when they first log in, but at 1. They must enter enable and reenter their password to reach 15. (True??)
So to "disable enable" I must
- create a user at priv 0
- add the show commands to priv 0
- and elevate "enable" to priv 1
I think.
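The three steps listed in the post above, written out as IOS configuration. This is an added example, not part of the thread or of the linked tech note; the user names and bracketed secrets are placeholders, the chosen show commands are illustrative, and it assumes local exec authorization so that the level on each username line is applied at login.

```ios
! Constructed example: user names and <...> secrets are placeholders.
aaa new-model
aaa authentication login default local
! Assumption: exec authorization is enabled, so the privilege level set on
! the username line is the level the session starts at.
aaa authorization exec default local
! Console sessions skip exec authorization unless this is also configured.
aaa authorization console
!
! Step 1: the read-only user starts at level 0.
username readonly privilege 0 secret <READONLY-SECRET>
! Admins log in at level 1 and still need the enable secret (two passwords).
username admin privilege 1 secret <ADMIN-SECRET>
enable secret <ENABLE-SECRET>
!
! Step 2: by default level 0 holds only disable, enable, exit, help and
! logout, so each show command the read-only user needs is moved down.
privilege exec level 0 show version
privilege exec level 0 show interfaces
privilege exec level 0 show ip interface brief
!
! Step 3: raise enable out of level 0 so a level-0 session cannot run it,
! even with knowledge of the enable secret.
privilege exec level 1 enable
!
! Check after logging in as each user:
!   show privilege     (expect level 0 for readonly, 1 for admin)
!   enable             (expect it to be rejected for readonly)
```

Test from a second session before saving the configuration, so a mistake in the privilege lines cannot lock administrators out of enable.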