Configure Read-Access via user-defined privilege level

lauxtobias1
Level 1

Hello everybody,

I'm looking for the best configuration to restrict a user to read-only. The restriction should be configured via CLI, not TACACS+.

Hardware: 3750 (probably not interesting for this question)

Oldest IOS: 12.2(53)SE1

The user should be allowed to:

  • see the running-configuration
  • trigger all kinds of show-commands
  • ping and traceroute from the device

The user should not be allowed to:

  • upload/delete/rename files on the flash-memory
  • get into level 15 (not sure if I can avoid this)
  • all other commands except those from level 1 and those specified above

Can someone help me with this?

Thanks in advance!

I won't forget to rate helpful posts

Accepted Solution

InayathUlla Sharieff
Cisco Employee

Hi Tobias,

You can configure Multiple Privilege Levels on a switch as explained below.

By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.

For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users.

Setting the Privilege Level for a Command

Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   privilege mode level level command
         Set the privilege level for a command.
         For mode, enter configure for global configuration mode, exec for EXEC mode, interface for interface configuration mode, or line for line configuration mode.
         For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password.
         For command, specify the command to which you want to restrict access.

Step 3   enable password level level password
         Specify the enable password for the privilege level.
         For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
         For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.

Step 4   end
         Return to privileged EXEC mode.

Step 5   show running-config
         or
         show privilege
         Verify your entries. The first command shows the password and access level configuration. The second command shows the privilege level configuration.

Step 6   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.

To return to the default privilege for a given command, use the no privilege mode level level command global configuration command.

This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands:

Switch(config)# privilege exec level 14 configure
Switch(config)# enable password level 14 SecretPswd14

Also you can change the default privilege level for all the users.

Changing the Default Privilege Level for Lines

Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   line vty line
         Select the virtual terminal line on which to restrict access.

Step 3   privilege level level
         Change the default privilege level for the line.
         For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password.

Step 4   end
         Return to privileged EXEC mode.

Step 5   show running-config
         or
         show privilege
         Verify your entries. The first command shows the password and access level configuration. The second command shows the privilege level configuration.

Step 6   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

Users can override the privilege level you set using the privilege level line configuration command by logging in to the line and enabling a different privilege level. They can lower the privilege level by using the disable command. If users know the password to a higher privilege level, they can use that password to enable the higher privilege level. You might specify a high level or privilege level for your console line to restrict line usage.

To return to the default line privilege level, use the no privilege level line configuration command. Also I am sending a document for your reference.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225see/scg/swauthen.htm#wp1154063

HTH

Regards

Inayath
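The procedure above applied to the requirements in the question (read-only operator, local credentials, no TACACS+), as an added example that is not part of Inayath's post or the linked Cisco document. A user-defined level 5 receives the configuration views on top of the level-1 defaults (ping, traceroute and most show commands are already available at level 1), the file operations copy, delete and rename are left at their default level 15, and level 15 itself is protected with enable secret (hashed) rather than the reversible enable password used in the post's SecretPswd14 example. The account name readonly and the two placeholder secrets are assumptions; substitute your own values.

```cisco
! Added example, not the original post's configuration: read-only operator
! at a user-defined privilege level, authenticated locally rather than via TACACS+.
!
! Privileged EXEC (level 15) stays behind a hashed secret that the read-only
! user never receives. enable secret is used instead of enable password because
! enable password is stored reversibly.
enable secret <LEVEL15-SECRET-PLACEHOLDER>
!
! Local account that lands at level 5 directly on login, so no level-5
! enable password has to be distributed.
username readonly privilege 5 secret <READONLY-SECRET-PLACEHOLDER>
!
! Level 1 already permits ping, traceroute and the bulk of the show commands.
! Only the configuration views are lowered from their default level 15 to 5.
! (The subset rule also touches the bare "show" keyword, which is already at
! level 1, so it is unaffected.)
privilege exec level 5 show running-config
privilege exec level 5 show startup-config
!
! Deliberately NOT lowered: copy, delete, rename, configure, write.
! They remain at level 15, which the read-only user cannot enter without
! the level-15 secret.
!
! Lines authenticate against the local user database.
! transport input ssh assumes an SSH-capable (crypto) image.
line vty 0 15
 login local
 transport input ssh
!
line con 0
 login local
```

After logging in as the new user, show privilege should report level 5, and privilege-15 commands such as copy or configure terminal are rejected with an authorization error. Two caveats worth checking before rollout: on many IOS releases, show running-config executed below level 15 displays only the commands the caller's own level may configure, so confirm the output on 12.2(53)SE1 matches what the operator needs; and, as the post notes, anyone who learns the level-15 secret can still enable from a read-only session, so that secret must not be shared with read-only users.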


2 Replies


Thanks for the detailed answer.

Seems clear to me now
