Re: Configuring privilege issue

nomanbari · ‎09-05-2006

Hi,

I need some help here. I am trying to configure a router for access privileges.

Following is the configuration:-

enable secret level 14 5 $1$yQtt$0yL38AHKDnpuLO3MMaGi3/

privilege configure level 14 interface

privilege configure level 14 interface shutdown

privilege configure level 14 interface no shutdown

privilege configure level 14 interface ip address

privilege configure level 14 interface no ip address

privilege exec level 14 show run

privilege exec level 14 configure terminal

privilege exec level 14 show startup

Problem is that though user can login in access level 14 but he faces two issues:-

1. sh run output is appears only as

Building configuration...

Current configuration : 80 bytes

!

interface Tunnel0

!

interface FastEthernet0/0

!

interface Async5

!

end

But sh startup is completely shown with all the information.

2. User can enter interface config mode but if he tries to configure ip address or shutdown interface, it doesn't work.

Any help will be greatly appreciated.

--Noman Bari

anton.elita · ‎09-05-2006

Hi Noman,

"sh run" actually shows you what you can configure.

"sh start" shows the contents of the startup file in flash.

Hence, you need to give the user "configure" privilege, in order to let him view running-config.

An option for viewing running-config would be creating another user with auto-command "show running" (and automatic logout).

Best regards,

Anton Elita

nomanbari · ‎09-05-2006

Hi Anton,

Thank you for your response. I tried adding configure command (after I posted here) but the problem persists. I added

privilege exec level 14 configure

privilege exec level 14 show running-config

but still level 14 user can't see the running configuration neither he can change interface configuration (the things that i have allowed him to do as shown in my earlier posting) but he can enter the interface configuration mode.

Help will be greatly appreciated.

--Noman Bari

nomanbari · ‎09-05-2006

Hi,

Just resolved one issue..Added these

privilege interface level 14 shutdown

privilege interface level 14 ip address

but the issue of seeing running conf remains : )..

--Noman Bari

anton.elita · ‎09-05-2006

Hi Noman,

user with "not-15" privilege level sees in running config only what he/she can modify.

please check the link:

http://www.cisco.com/en/US/customer/tech/tk59/technologies_tech_note09186a00800949d5.shtml

best regards,

Anton Elita

rajinikanth · ‎09-05-2006

Try to create a user at global config

username name privilege [level]

Check this link

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca7cd.html#wp1029432

Hope it helps you

Thanks,

Raj

nomanbari · ‎09-05-2006

Hi Raj,

i have resloved one major issue regarding configuring interface but if u can help me with show run command execution then that will be great...

--Noman Bari

rajinikanth · ‎09-05-2006

Hi

Instead of this command

privilege exec level 14 show run

Try to use

privilege exec level 14 show run full

Tell me if this change worked.

Thanks

Raj

nomanbari · ‎09-05-2006

Hi Raj,

Thanks for the suggestion..but I figured out that i was doing the right thing but missing one important point..the thing is since i have configured level 14 user to configure the ip address in interface mode, in the sh run (while in level 14) shows me interfaces with ip address only... if i add say

privilege configure level 14 interface description

then in sh run description shows along with the ip address for each interface...basically its giving a restricted view and it meets my design requirement(i removed privilege exec level 14 show startup )...so this is great but thanks so much for your helping out and giving your precious time...really appreciate that...

--Noman Bari