Solved: setting up username/password on 3600

jjadryev · ‎05-08-2003

I am wondering if anyone can help me setup some sort of username/password feature. For accountability reasons, I would like to be able to setup different usernames and passwords for all the engineers here. Right now all we do is telnet in and put the passwords in. I want to be able to track and possibly limit the powers of certain users instead of just having everyone use the same pass and enable pass.

Thanks!

mhoda · ‎05-11-2003

What you are trying to do is possible with AAA authorization. For that on the router these are the AAA commands required:

aaa new-model

aaa authentication login default [group] local

aaa authorization exec default [group] local

Before you enter these, plese make sure to create the local user database as follows:

username level_zero privilege 0 password zero

username basic_user privilege 1 password one

username admin privilege 15 password admin

With the above setup, user level_zero can execute only disable, enable, exit, help, and logout commands.

User basic_user can execute all the level 0 and level 1 commands.

User admin can execute all the commands on the router.

On the router these are the 3 level of default commands:

-privilege level 0 — includes the disable, enable, exit, help, and logout commands

- privilege level 1 — normal level on Telnet; includes all user-level commands at the router> prompt

- privilege level 15 — includes all enable-level commands at the router#

prompt

Now based on your requirement, you can create a priv level bewteen 2-14 and assign any priv level 15 commands (level 0 and 1 would be inherited by default). Here is an example:

username six privilege 6 password 0 six

With this, user six is only able to execute all the level 0 & 1 commands. If the user need to execute "config t" on the router, he has to add the following line to add this level 15 commans to level 6.

privilege exec level 6 configure terminal

I hope this helps ! Please be aware of the "show running-config" though. For a better understanding of this special behavior of this command please refer to the following link:

http://www.cisco.com/warp/public/63/showrun.shtml

Mynul

View solution in original post

makchitale · ‎05-08-2003

It appears that you are looking for setting privilege levels for different users, basically limiting what config changes / show commands / debugs a particular engineer can execute....correct?

http://www.cisco.com/warp/public/63/showrun.shtml

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftprienh.htm#79472

http://www.cisco.com/warp/public/480/PRIV.html

However we cannot do accounting locally on the router, the best we can do is see how long an active call has been connected for...an external AAA server should be able to do that.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t3/dt_aaara.htm

Thanks, Mak.

jjadryev · ‎05-09-2003

Actually, let me see if i can simplify my question. I want to create different users. sort of like an NT account. i want to create users that have basic rights and admin rights. is this at all possible?

mhoda · ‎05-11-2003

What you are trying to do is possible with AAA authorization. For that on the router these are the AAA commands required:

aaa new-model

aaa authentication login default [group] local

aaa authorization exec default [group] local

Before you enter these, plese make sure to create the local user database as follows:

username level_zero privilege 0 password zero

username basic_user privilege 1 password one

username admin privilege 15 password admin

With the above setup, user level_zero can execute only disable, enable, exit, help, and logout commands.

User basic_user can execute all the level 0 and level 1 commands.

User admin can execute all the commands on the router.

On the router these are the 3 level of default commands:

-privilege level 0 — includes the disable, enable, exit, help, and logout commands

- privilege level 1 — normal level on Telnet; includes all user-level commands at the router> prompt

- privilege level 15 — includes all enable-level commands at the router#

prompt

Now based on your requirement, you can create a priv level bewteen 2-14 and assign any priv level 15 commands (level 0 and 1 would be inherited by default). Here is an example:

username six privilege 6 password 0 six

With this, user six is only able to execute all the level 0 & 1 commands. If the user need to execute "config t" on the router, he has to add the following line to add this level 15 commans to level 6.

privilege exec level 6 configure terminal

I hope this helps ! Please be aware of the "show running-config" though. For a better understanding of this special behavior of this command please refer to the following link:

http://www.cisco.com/warp/public/63/showrun.shtml

Mynul

jjadryev · ‎05-12-2003

Thanks alot for your help man. This is EXACTLY what I was looking for!

You rock!!

aandrade · ‎06-03-2003

Hi i tried to setup this "show running-config" link and it works just fine on a 7200VXR with c7200-is-mz.122-16a-4.bin but did not work with all 1760,s on my network with ios c1700-sv3y-mz.122-2.XK2.bin, do you think this is bug on the ios ? what is happening is that it always ask for enable password and never goes directly to execute the "show running" command.

thanks for your help

Adalberto Andrade

mhoda · ‎06-07-2003

Hi,

Are you sure you have the following line?

aaa authorization exec default [group] local

If not, you will need this line. If possible, please share only the aaa portion of the config from your router. It can be a bug, but lets first make sure that we have all the required commands.

Thanks,

Mynul