How to allow IOS local user with privilege 1 to change password

dennis_chiho
Level 1

How should I configure my IOS switch to let a local user with privilege 1 change their own password? Thank you!

 

1 Accepted Solution

Accepted Solutions

Mike.Cifelli
VIP Alumni

Sweet. As expected.  The hope here would be the priv 1 user only knows his user name (I know not the best idea), but the solution provided does work.  IMHO you should seek to use some sort of external authentication provider via ISE/AD/LDAP/etc.  Then you would not have to worry about this run config modification.  Your last option would be to have the user work with the net admin and have him manually set the pw for this priv 1 user.  Cheers.


Mike.Cifelli
VIP Alumni

FYSA Level 1 = Read-only, and access to limited commands. You can't make any changes or view the running configuration file by default.

 

However, you have the ability to add commands.  For your scenario add the following to run-config:
#privilege exec level 1 configure terminal
#privilege configure level 1 username <your level 1 username> password

 

Then with the priv 1 user test the following:

>configure terminal

(config)>username <your level 1 username> password <NEW PASSWORD>

(config)>exit

>exit

Log in with the same priv 1 user and the new PASS

Let us know the result

dennis_chiho
Level 1

Dear Mike,

 

#privilege configure level 1 username <your level 1 username> password

 

I tested your commands. I found that if I configure the above command, the level 1 user would be able to change his own password and other users' passwords. The level 1 user would have full rights to the command <username>. If I perform "show run" after configuring the command above, the running config output would only have "privilege configure level 1 username".
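
Added example (not part of the original thread): a small audit script for the situation described above, where the running config keeps only "privilege configure level 1 username" and the grant is therefore not tied to any one account. It scans a saved running-config for privilege lines that lower "configure" or "username" below level 15 and reports the lowest level able to rewrite any local account. The function names, the SENSITIVE list and the sample config are constructed for illustration.

```python
import re

# IOS syntax: privilege <mode> [all] level <n> <command words...>
PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+(?:all\s+)?level\s+(\d+)\s+(.+)$")

# Commands treated as sensitive in this audit (an assumption; extend per policy).
SENSITIVE = {("exec", "configure"), ("configure", "username")}

# Constructed sample of the lines the thread's change leaves in the running config.
SAMPLE = """\
hostname SW1
username operator privilege 1 secret 9 <constructed-hash>
privilege configure level 1 username
privilege exec level 1 configure terminal
privilege exec level 1 configure
privilege exec level 7 show running-config
"""

def lowered_commands(config_text, max_safe_level=15):
    """Return (mode, level, command) for sensitive commands moved below max_safe_level."""
    findings = []
    for line in config_text.splitlines():
        m = PRIV_RE.match(line.strip())
        if not m:
            continue
        mode, level, command = m.group(1), int(m.group(2)), m.group(3).strip()
        if level < max_safe_level and (mode, command.split()[0]) in SENSITIVE:
            findings.append((mode, level, command))
    return findings

def account_takeover_level(config_text):
    """Lowest level that can both enter config mode and run 'username', else None."""
    levels = {}
    for mode, level, command in lowered_commands(config_text):
        key = (mode, command.split()[0])
        levels[key] = min(level, levels.get(key, 15))
    # Both commands must be lowered; the higher of the two levels is the one required.
    return max(levels.values()) if len(levels) == len(SENSITIVE) else None

if __name__ == "__main__":
    for mode, level, command in lowered_commands(SAMPLE):
        print(f"level {level} may run '{command}' in {mode} mode")
    print("any-account password change possible from level:", account_takeover_level(SAMPLE))
```

A result of 1 means every level 1 login on the device can set the password of every local account, which matches what the test in the post above found.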

 

 
