03-12-2013 03:16 AM - edited 03-07-2019 12:11 PM
Hello everybody,
I´m looking for the best configuration to restrict a user to read-only. The restriction should be configured via CLI not TACACS+.
Hardware: 3750 (probably not interesting for this question)
Oldest IOS: 12.2(53)SE1
The user should be allowed to:
The user should not be allowed to:
Can someone help me with this?
Thanks in advance!
I won´t forget to rate helpful posts
Solved! Go to Solution.
03-17-2013 11:52 AM
Hi Tobias,
You can
configure Multiple Privilege Levels on a switch as explained below.
By default, the Cisco IOS software has two modes of password security: user EXEC and
privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode.
By configuring multiple passwords, you can allow different sets of users to have access to
specified commands.
For example, if you want many users to have access to the clear line command, you can
assign it level 2 security and distribute the level 2 password fairly widely. But if you
want more restricted access to the configure command, you can assign it level 3 security
and distribute that password to a more restricted group of users.
Setting the Privilege Level for a Command
Beginning in privileged EXEC mode, follow these steps to set the privilege level for a
command mode:
Command Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
privilege mode level level command
Set the privilege level for a command.
For mode, enter configure for global configuration mode, exec for EXEC mode, interface
for interface configuration mode, or line for line configuration mode.
For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
Level 15 is the level of access permitted by the enable password.
For command, specify the command to which you want to restrict access.
Step 3
enable password level level password
Specify the enable password for the privilege level.
.For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
For password, specify a string from 1 to 25 alphanumeric characters. The string cannot
start with a number, is case sensitive, and allows spaces but ignores leading spaces. By
default, no password is defined.
Step 4
end
Return to privileged EXEC mode.
Step 5
show running-config
or
show privilege
Verify your entries.
The first command shows the password and access level configuration. The second command
shows the privilege level configuration.
Step 6
copy running-config startup-config
(Optional) Save your entries in the configuration file.
When you set a command to a privilege level, all commands whose syntax is a subset of that
command are also set to that level. For example, if you set the show ip traffic command to
level 15, the show commands and show ip commands are automatically set to privilege level
15 unless you set them individually to different levels.
To return to the default privilege for a given command, use the no privilege mode level
level command global configuration command.
This example shows how to set the configure command to privilege level 14 and define
SecretPswd14 as the password users must enter to use level 14 commands:
Switch(config)# privilege exec level 14 configure
Switch(config)# enable password level 14 SecretPswd14
Also you can change the default privilege level for all the users .
Changing the Default Privilege Level for Lines Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line: Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 line vty line Select the virtual terminal line on which to restrict access.
Step 3 privilege level level Change the default privilege level for the line.
For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode
privileges. Level 15 is the level of access permitted by the enable password.
Step 4 end Return to privileged EXEC mode.
Step 5 show running-config or show privilege
Verify your entries. The first command shows the password and access level configuration.
The second command shows the privilege level configuration.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
Users can override the privilege level you set using the privilege level line configuration command
by logging in to the line and enabling a different privilege level.
They can lower the privilege level by using the disable command.
If users know the password to a higher privilege level, they can use that password to enable the higher privilege level. You might specify a high level or privilege level for your console line to restrict line usage.
To return to the default line privilege level, use the no privilege level line configuration command. Also i am sending a document for your reference.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225see/scg/swauthen.htm#wp1154063
HTH
Regards
Inayath
03-17-2013 11:52 AM
Hi Tobias,
You can
configure Multiple Privilege Levels on a switch as explained below.
By default, the Cisco IOS software has two modes of password security: user EXEC and
privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode.
By configuring multiple passwords, you can allow different sets of users to have access to
specified commands.
For example, if you want many users to have access to the clear line command, you can
assign it level 2 security and distribute the level 2 password fairly widely. But if you
want more restricted access to the configure command, you can assign it level 3 security
and distribute that password to a more restricted group of users.
Setting the Privilege Level for a Command
Beginning in privileged EXEC mode, follow these steps to set the privilege level for a
command mode:
Command Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
privilege mode level level command
Set the privilege level for a command.
For mode, enter configure for global configuration mode, exec for EXEC mode, interface
for interface configuration mode, or line for line configuration mode.
For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
Level 15 is the level of access permitted by the enable password.
For command, specify the command to which you want to restrict access.
Step 3
enable password level level password
Specify the enable password for the privilege level.
.For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
For password, specify a string from 1 to 25 alphanumeric characters. The string cannot
start with a number, is case sensitive, and allows spaces but ignores leading spaces. By
default, no password is defined.
Step 4
end
Return to privileged EXEC mode.
Step 5
show running-config
or
show privilege
Verify your entries.
The first command shows the password and access level configuration. The second command
shows the privilege level configuration.
Step 6
copy running-config startup-config
(Optional) Save your entries in the configuration file.
When you set a command to a privilege level, all commands whose syntax is a subset of that
command are also set to that level. For example, if you set the show ip traffic command to
level 15, the show commands and show ip commands are automatically set to privilege level
15 unless you set them individually to different levels.
To return to the default privilege for a given command, use the no privilege mode level
level command global configuration command.
This example shows how to set the configure command to privilege level 14 and define
SecretPswd14 as the password users must enter to use level 14 commands:
Switch(config)# privilege exec level 14 configure
Switch(config)# enable password level 14 SecretPswd14
Also you can change the default privilege level for all the users .
Changing the Default Privilege Level for Lines Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line: Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 line vty line Select the virtual terminal line on which to restrict access.
Step 3 privilege level level Change the default privilege level for the line.
For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode
privileges. Level 15 is the level of access permitted by the enable password.
Step 4 end Return to privileged EXEC mode.
Step 5 show running-config or show privilege
Verify your entries. The first command shows the password and access level configuration.
The second command shows the privilege level configuration.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
Users can override the privilege level you set using the privilege level line configuration command
by logging in to the line and enabling a different privilege level.
They can lower the privilege level by using the disable command.
If users know the password to a higher privilege level, they can use that password to enable the higher privilege level. You might specify a high level or privilege level for your console line to restrict line usage.
To return to the default line privilege level, use the no privilege level line configuration command. Also i am sending a document for your reference.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225see/scg/swauthen.htm#wp1154063
HTH
Regards
Inayath
03-18-2013 03:10 AM
Thanks for the detailed answer.
Seems clear to me now
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide