Meaning of PRIVILEGE parameter in command USERNAME unclear

Hello,

For a Cisco 2955 switch I used the PRIVILEGE parameter in command USERNAME to achieve that a user directly enters the respective privilege level after logon. But after logon the user is always in EXEC LEVEL 1 and not in the level stated in the command USERNAME. Also the user is not limited to the stated level: he can enter all other levels up to 15 if he has the respective pw.

1. So I do not understand the meaning of the PRIVILEGE parameter in command USERNAME. Or, to ask the other way around: how could one achieve that a user directly enters his assigned privilege level after logon and, by doing this, gets directly to the set of commands he is allowed to execute?

Thanks for any hint.

Regards CGH

1 Reply

pgasparovic
Level 1

Hi Carina,

I'm not providing you with the right answer now, but exactly these days I have been looking for more insight on how to set up local AAA plus privilege variations, and got some useful knowledge..

I think that in your case the fundamental question is how you access the switch (router).. I estimate you do it via console, don't you? If yes, then this happens everywhere. You must define specific enable secrets for privilege levels (when other than 15), then set the required user cmd set with the "privilege" cmd of a level not higher than your user's one, and finally jump into that level by "en X" to access it. It should work.. Actually, I wanted to test it quickly to refresh the topic, but our lab access is under maintenance at the moment.. Also to set some starting level other than 1, there should be some "privilege X" cmd attainable right under the "con 0" line.

Interesting topics discussed at :

https://learningnetwork.cisco.com/thread/32180

http://resources.intenseschool.com/ccna-security-solutions-to-facs-enable-secret-and-privilege-levels/

-------

EDIT after 1 hour :

My lab access got re-established, and this single command will do the job for you: "aaa authorization console".

Each user in the local database will jump directly to the priv mode of the assigned level. The same happens with VTY access (w/o AAA). If AAA is used, the jump is typically assured by the known trio "newmodel, aaa authen login, aaa author exec".

Hopefully I helped here and possibly earned some reward point(s) after looong time! :-D

Regards

Peter
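The configuration the thread converges on, written out as an added example rather than the poster's or the asker's own config: the "before" part is the setup the question describes, the "after" part is local AAA with the console included in exec authorization, so the level from the username line is applied at login. The usernames, secrets and the level-7 command set are placeholders chosen for illustration.

```cisco
! Added example (not the poster's config). Usernames, secrets and the
! level-7 command set below are placeholders.
!
! --- Before: the situation in the question ---
! "privilege 7" on the username is only applied by AAA exec
! authorization; with plain "login local" the session starts at
! level 1, and "enable 15" still works for anyone holding the secret.
username ops privilege 7 secret OPS-PLACEHOLDER
line con 0
 login local
!
! --- After: local AAA so the assigned level is applied at login ---
aaa new-model
aaa authentication login default local
aaa authorization exec default local
! Console sessions are exempt from authorization unless this is set:
aaa authorization console
!
! Local users and their assigned levels
username admin privilege 15 secret ADMIN-PLACEHOLDER
username ops   privilege 7  secret OPS-PLACEHOLDER
!
! One enable secret per level: "enable 7" and "enable 15" each need
! their own secret, so a level-7 user cannot reach 15 without the
! level-15 secret.
enable secret level 7 OPS-ENABLE-PLACEHOLDER
enable secret level 15 ADMIN-ENABLE-PLACEHOLDER
!
! Move only the commands the ops role needs down to level 7
privilege exec level 7 show running-config
privilege exec level 7 configure terminal
privilege configure level 7 interface
privilege interface level 7 shutdown
!
! Bind the default lists to console and VTY
line con 0
 login authentication default
 authorization exec default
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
```

After this, "show privilege" right after login should report the level from the username line, which is the quickest check that authorization is actually being applied on the console.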
