Enable password for users

yakovha1984
Level 1

Hi.

I am a bit new to the forum and to Cisco, so please try to be patient with me (:

I am configuring Cisco passwords in an organization. We have 4 IT users here, and the Security Officer asked me to be able to monitor all changes made in the Cisco by each of these 4 users, so I created 4 different user names, each with their own password for the Cisco, and created archiving for all users. So far so good; my problem now is that I can't figure out how to create a different enable password for each of them. I saw I can create an enable password for each privilege level in the Cisco, but not for each user.

My questions are:

1. Can I create a separate enable password for each user (all of them at privilege level 15; if I don't have to, I don't want to start configuring privilege levels)? The 4 IT users should be able to execute all commands the administrator can.

2. If my only option is to configure the privilege levels and their passwords so each user can have its own password, can I configure the privilege levels to have permission to run all commands without mapping all the commands they need and inputting them manually? (I mean that by default the privilege level can do the same as privilege level 15.)

Thanks in advance all

Here are the specs of my switch:

Cisco IOS Software, C3750 Software (C3750-IPSERVICES-M), Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 30-Aug-05 15:47 by yenanh
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(25r)SE1, RELEASE SOFTWARE (fc)
tlvahswc01 uptime is 6 weeks, 5 days, 6 hours, 41 minutes
System returned to ROM by power-on
System image file is "flash:c3750-ipservices-mz.122-25.SEB4/c3750-ipservices-mz.122-25.SEB4.bin"
cisco WS-C3750G-24TS-1U (PowerPC405) processor (revision C0) with 118784K/12280K bytes of memory.
Processor board ID FOC0943Y0R3
Last reset from power-on
6 Virtual Ethernet interfaces
212 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 00:15:F9:DC:49:00
Motherboard assembly number     : 73-9637-08
Power supply part number        : 341-0098-01
Motherboard serial number       : FOC094311V2
Power supply serial number      : AZS100700NZ
Model revision number           : C0
Motherboard revision number     : A0
Model number                    : WS-C3750G-24TS-E1U
System serial number            : FOC0943Y0R3
SFP Module assembly part number : 73-7757-03
SFP Module revision Number      : A0
SFP Module serial number        : CAT100604EM
Top Assembly Part Number        : 800-26349-02
Top Assembly Revision Number    : B0
Version ID                      : V02
CLEI Code Number                : CNMWZ00ARB
Hardware Board Revision Number  : 0x05

1 Reply

Richard Burts
Hall of Fame

Yakov

Welcome to the forum. I hope that the answers that we provide will be useful to you.

There are several possible approaches that might provide workable solutions for you but we would need to know a bit more about your environment to have a sense of which ones might work the best for you. But I believe that there will be a workable solution that does not involve creating privilege levels.

First I would ask if you really need separate enable passwords for each user? What if the 4 IT users all share the same enable password? If each user has a unique ID and if archiving is set up for each user, then can you not track changes made by each user even if they all use the same enable password to get into privilege mode?

Second I would ask if you really need the enable password? Are these 4 IT users the only users who will log in on the switch? What if everyone who logs in to the switch goes automatically to privilege mode? You could use the privilege level 15 command under line vty, and any user would automatically be put into privilege mode and not need the enable password.

But if some users will log in who need read-only mode and should not have access to all commands, then the approach of privilege level 15 on the vty would not work. In that case an alternative might be to specify privilege level 15 in the user ID of the IT users and to configure aaa authorization exec local. This would put the IT users directly into privilege mode, and the other users would be left in user mode.

I would suggest that there is another alternative to consider. Instead of using authentication locally on the switch use an external authentication server such as a TACACS server. On the TACACS server you could identify users who should have access to privilege mode and identify users who do not have access to privilege mode. You would configure the switch to authenticate enable using TACACS and the TACACS server would only authenticate enable for the users who are identified to need it. This is a bit more complex than local authentication, and it is more costly than local authentication. But it is the way that gives you the best control over who gets into privilege mode.

HTH

Rick

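The options in the reply above, written out as an IOS configuration. This is an added example and not configuration from either poster: the usernames, secrets, TACACS+ server address and key are placeholders, and the read-only "helpdesk" account is included only to show why the per-user privilege level matters when not everyone is trusted.

```cisco
! Added example (not from the original thread). Local AAA on an IOS 12.2
! switch so that each IT user logs in with their own credentials and lands
! directly in privilege level 15, while any other local user stays in user
! mode. All names, secrets and addresses below are placeholders.
!
! 1. One account per person, all at privilege 15, each with its own secret.
!    Use "secret" rather than "password": it stores an MD5 hash instead of
!    a reversible type 7 string.
username it-user1 privilege 15 secret Str0ng-Pass-1
username it-user2 privilege 15 secret Str0ng-Pass-2
username it-user3 privilege 15 secret Str0ng-Pass-3
username it-user4 privilege 15 secret Str0ng-Pass-4
! A read-only account stays at the default privilege level 1.
username helpdesk privilege 1 secret R3ad-Only-Pass
!
! 2. Keep a shared enable secret anyway: it is the fallback if AAA is
!    misconfigured, and with the local method it only matters for a user
!    who is not already at level 15.
enable secret Sh4red-Enable-Secret
!
! 3. Authenticate logins against the local database and let the privilege
!    level stored in each username entry decide who is dropped straight
!    into privileged EXEC (the "aaa authorization exec local" option).
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
line vty 0 15
 login authentication default
 transport input ssh
!
! 4. Configuration change logging, so "show archive log config all" records
!    every configuration command together with the username that entered
!    it. "hidekeys" keeps passwords and keys out of the log.
archive
 log config
  logging enable
  logging size 500
  notify syslog
  hidekeys
!
! Alternative to steps 1-3 when everyone who logs in is trusted: put all
! vty sessions straight into level 15 with no enable prompt.
!   line vty 0 15
!    privilege level 15
!
! Alternative using an external TACACS+ server (placeholder address/key):
! the server decides who may log in and who may authenticate enable, with
! the local database and enable secret kept as a fallback.
!   tacacs-server host 192.0.2.10 key Tacacs-Shared-Key
!   aaa authentication login default group tacacs+ local
!   aaa authentication enable default group tacacs+ enable
!   aaa authorization exec default group tacacs+ local
```

Apply the `aaa new-model` block from a console session and keep that session open until a second SSH login has been tested: once AAA is enabled every line, the console included, uses the default login method, and a typo in the username entries locks you out. Check the result with `show privilege` after logging in as one of the IT users (expected: 15) and as the read-only user (expected: 1), then make a harmless change and confirm `show archive log config all` attributes it to the right username.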