05-08-2003 11:43 AM - edited 03-10-2019 07:17 AM
I am wondering if anyone can help me set up some sort of username/password feature. For accountability reasons, I would like to be able to set up different usernames and passwords for all the engineers here. Right now all we do is telnet in and put the passwords in. I want to be able to track and possibly limit the powers of certain users instead of just having everyone use the same password and enable password.
Thanks!
05-11-2003 10:29 AM
What you are trying to do is possible with AAA authorization. For that, these are the AAA commands required on the router:
aaa new-model
aaa authentication login default [group] local
aaa authorization exec default [group] local
Before you enter these, please make sure to create the local user database as follows:
username level_zero privilege 0 password zero
username basic_user privilege 1 password one
username admin privilege 15 password admin
With the above setup, user level_zero can execute only disable, enable, exit, help, and logout commands.
User basic_user can execute all the level 0 and level 1 commands.
User admin can execute all the commands on the router.
On the router these are the 3 default privilege levels:
- privilege level 0 includes the disable, enable, exit, help, and logout commands
- privilege level 1 is the normal level on Telnet; it includes all user-level commands at the router> prompt
- privilege level 15 includes all enable-level commands at the router# prompt
Now, based on your requirement, you can create a privilege level between 2 and 14 and assign any privilege level 15 commands to it (levels 0 and 1 would be inherited by default). Here is an example:
username six privilege 6 password 0 six
With this, user six is only able to execute all the level 0 and 1 commands. If the user needs to execute "config t" on the router, the following line has to be added to add this level 15 command to level 6:
privilege exec level 6 configure terminal
I hope this helps! Please be aware of the "show running-config" command, though. For a better understanding of the special behavior of this command, please refer to the following link:
http://www.cisco.com/warp/public/63/showrun.shtml
Mynul
05-08-2003 08:24 PM
It appears that you are looking to set privilege levels for different users, basically limiting what config changes / show commands / debugs a particular engineer can execute.... correct?
http://www.cisco.com/warp/public/63/showrun.shtml
http://www.cisco.com/warp/public/480/PRIV.html
However, we cannot do accounting locally on the router; the best we can do is see how long an active call has been connected for. An external AAA server should be able to do that.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t3/dt_aaara.htm
Thanks, Mak.
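Mynul's privilege-level setup and Mak's point that accounting has to go to an external AAA server, combined into one complete router configuration. This is an added example written for this page; it is not configuration posted in the thread or taken from the Cisco documents linked above. The hostname, user names and passwords, the set of commands pulled down to level 6, the TACACS+ server address 192.0.2.10 and its shared key are all assumptions to be replaced with real values.

```cisco
! Added example (not from the thread): per-user local accounts with their own
! privilege levels, exec authorization so each user lands at that level, and
! accounting sent to a TACACS+ server because IOS cannot account locally.
! Assumed values: hostname, user names/passwords, server 192.0.2.10 and key.
hostname rtr-edge
!
! Type-7 encrypt any remaining "password" lines in the config. The accounts
! below use "secret" (MD5 hash), supported on 12.2(8)T and later images;
! on older images replace "secret" with "password".
service password-encryption
!
aaa new-model
! Authenticate against TACACS+ first, then the local database, so an
! unreachable server does not lock everyone out.
aaa authentication login default group tacacs+ local
! Without exec authorization the user is dropped at level 1 and asked for the
! enable password instead of landing at the level on the username line
! (the symptom Adalberto describes later in the thread).
aaa authorization exec default group tacacs+ local
! Accounting must go to the server: record each session and every level-15
! command, which gives the per-engineer trail the original question asks for.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host 192.0.2.10
tacacs-server key 0 ExampleSharedKey
!
! One account per engineer: no shared enable password to hand around.
username ops_ro privilege 1 secret ReadOnlyPass1
username ops_l6 privilege 6 secret OperatorPass6
username admin privilege 15 secret AdminPass15
!
! Level 6 inherits levels 0 and 1. Pull down only the level-15 commands this
! role needs: enter config mode, select an interface, shut it down.
privilege exec level 6 configure terminal
privilege configure level 6 interface
privilege interface level 6 shutdown
! show running-config can be granted too, but at level 6 the output is
! limited to the part of the configuration that level 6 may itself configure
! (the special behavior the showrun.shtml link describes), so it looks
! nearly empty to that user.
privilege exec level 6 show running-config
!
! Keep an enable secret only as a fallback for console recovery.
enable secret EnableFallback15
!
! Telnet carries these passwords in the clear; prefer SSH on images with
! crypto support and restrict transport input accordingly.
line vty 0 4
 login authentication default
 exec-timeout 10 0
 transport input telnet
```

Log in as ops_l6 over a vty: the prompt should come up as rtr-edge# at level 6 with no enable password asked, "show privilege" should report 6, "configure terminal" and interface "shutdown" should work, and "debug" or "write memory" should be refused. If the session still lands at router> and asks for the enable password, the "aaa authorization exec" line is missing or not applied.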
05-09-2003 05:51 AM
Actually, let me see if I can simplify my question. I want to create different users, sort of like an NT account. I want to create users that have basic rights and admin rights. Is this at all possible?
05-12-2003 07:16 AM
Thanks a lot for your help, man. This is EXACTLY what I was looking for!
You rock!!
06-03-2003 10:47 AM
Hi, I tried to set up this "show running-config" link and it works just fine on a 7200VXR with c7200-is-mz.122-16a-4.bin, but it did not work with all the 1760s on my network with IOS c1700-sv3y-mz.122-2.XK2.bin. Do you think this is a bug in the IOS? What is happening is that it always asks for the enable password and never goes directly to execute the "show running" command.
thanks for your help
Adalberto Andrade
06-07-2003 12:19 PM
Hi,
Are you sure you have the following line?
aaa authorization exec default [group] local
If not, you will need this line. If possible, please share only the AAA portion of the config from your router. It can be a bug, but let's first make sure that we have all the required commands.
Thanks,
Mynul