2960S privilege level problem

the-lebowski · ‎07-26-2011

I have a handful of 2960s that I have privilege levels configured for our QA department to login and change vlan port assignments. I configured them identically but one will not allow that user to change vlans.

The commands that I am using on all of the switches (that works on the other two) are below:

!

privilege interface level 5 switchport

privilege interface level 5 description

privilege configure level 5 interface

privilege exec level 5 configure terminal

privilege exec level 5 configure

privilege exec level 5 show vlan

privilege exec level 5 show running-config

privilege exec level 5 show

!

The user logs in via Radius (NPS) and has the privilege level set to 5 there, so when they login the perms match and they can do what I allow them to. However on a certain 2960 it gives them this when attempting to change the vlan:

sw86#show privilege

Current privilege level is 5

sw86#conf t

Enter configuration commands, one per line. End with CNTL/Z.

ws86(config)#int gi1/0/31

sw86(config-if)#switchport acc?

% Unrecognized command

sw86(config-if)#switchport acc

ON a working switch (identical privilege commands...I copied them from there):

sw88#show privilege

Current privilege level is 5

sw88#conf t

Enter configuration commands, one per line. End with CNTL/Z.

sw88(config)#int gi1/0/7

sw88(config-if)#sw

sw88(config-if)#switchport acc

sw88(config-if)#switchport access vlan ?

<1-4094> VLAN ID of the VLAN when this port is in access mode

Any idea what or where the problem is?

the-lebowski · ‎07-26-2011

I figured it out if anyone else runs into this problem. You have to explicity allow the entire command:

privilege interface level 5 switchport access vlan

But even after you do that entire command wont show in the config. It will just show "

privilege interface level 5 switchport"

Weird but its working correctly now.

Matthew Blanshard · ‎07-26-2011

What version of software on the switch? Looks like a bug to me.

Sent from Cisco Technical Support iPhone App

the-lebowski · ‎07-27-2011

c2960s-universalk9-mz.122-58.SE1.bin

All of my 2960s are running that IOS.

This is all it shows when I do a show run:

!

privilege interface level 5 switchport

privilege interface level 5 description

privilege configure level 5 interface

privilege exec level 5 configure terminal

privilege exec level 5 configure

privilege exec level 5 show vlan

privilege exec level 5 show running-config

privilege exec level 5 show

!

Compared to a 3750 (c3750-advipservicesk9-mz.122-46.SE.bin) I have with the same commands, it shows the ‘switchport access vlan’ command whereas the 2960 does not.

!

privilege interface level 5 switchport

privilege interface level 5 switchport access vlan

privilege interface level 5 description

privilege configure level 5 interface

privilege exec level 5 configure terminal

privilege exec level 5 configure

privilege exec level 5 show vlan

privilege exec level 5 show running-config

privilege exec level 5 show

Matthew Blanshard · ‎07-29-2011

I have filed bug CSCtr81355 to document this issue and to get it fixed. You can view the bug at this link:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr81355

It will take 24h for it to populate into the database.

-Matt

the-lebowski · ‎07-27-2012

Update to this.

Minor workaround..the commands are stored in the startup-config so I can always copy/paste from there.