Re: 6500's privileges to tech's

pipsadmin · ‎06-23-2008

Hi all,

Wondering how to implement this:

I have a few techs that need access to the switches to view port configurations.

Although I DO NOT want to give them the enable password.

How can I setup a differente enable password and give them only VIEW (a.k.a. Show) capabilities?

Thanks for your help.

Collin Clark · ‎06-23-2008

Use AAA and assign privilege levels to user accounts.

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_sec_4cli.html

Hope that helps

pipsadmin · ‎06-23-2008

If the Tech's know what the Enabled password is, is there a way to block them from actualy typing 'enable' ?

Collin Clark · ‎06-23-2008

Yes, well actually they can type it, but they will get an error back.

*There are multiple ways to configure privilege levels and depending on how YOU do it, will depends on the results.

pipsadmin · ‎06-23-2008

ok, can't seem to figure out how to restrict access to the 'enable' ...

I have a username created with privilege level 2, I dont want him to be able to enter enable as he knows the enabled password...

How do I do this?

I only want this user to do show commands... that's it.

Collin Clark · ‎06-23-2008

In AAA you need to configure Authorization. If you want to use local authentication and privilege levels, you have to "move" the commands to level 2 and then change the enable password.