Custom privilege not work as it should on Cisco 3750

Andrew White · ‎05-31-2013

Hello,

I have 2 local accounts on a 3750 that kick in should radius be unavailable. If I log in as the admin account it gets priv 15, if I log in as the other user it gets privilege 3 which is correct, by my commands dont work, this is what I have added and the strange thing is I've dont this many times before on our other switches, so what am I doing wrong?

username admin privilege 15 secret ***

username users privilege 3 secret ***

aaa new-model

enable view

(enter password)

conf t

parser view priv3

secret ***

commands interface include shutdown

commands interface include no shutdown

commands interface include no

commands configure include interface

commands exec include configure terminal

commands exec include configure

commands exec include show ntp status

commands exec include show ip interface brief

commands exec include show ip interface

commands exec include show ip

commands exec include show arp

commands exec include show clock

commands exec include show privilege

commands exec include show interfaces status err-disabled

commands exec include show interfaces Null0 status

commands exec include show interfaces status

commands exec include show interfaces ATM0/1/0 status

commands exec include show interfaces FastEthernet0/1 status

commands exec include show interfaces FastEthernet0/0 status

commands exec include show interfaces

commands exec include show configuration

commands exec include show

commands configure include interface GigabitEthernet1/0/1

commands configure include interface GigabitEthernet1/0/2

commands configure include interface GigabitEthernet1/0/3

commands configure include interface GigabitEthernet1/0/4

commands configure include interface GigabitEthernet1/0/5

commands configure include interface GigabitEthernet1/0/6

commands configure include interface GigabitEthernet1/0/7

commands configure include interface GigabitEthernet1/0/8

commands configure include interface GigabitEthernet1/0/9

commands configure include interface GigabitEthernet1/0/10

commands configure include interface GigabitEthernet1/0/11

commands configure include interface GigabitEthernet1/0/12

commands configure include interface GigabitEthernet2/0/1

commands configure include interface GigabitEthernet2/0/2

commands configure include interface GigabitEthernet2/0/3

commands configure include interface GigabitEthernet2/0/4

commands configure include interface GigabitEthernet2/0/5

commands configure include interface GigabitEthernet2/0/6

commands configure include interface GigabitEthernet2/0/7

commands configure include interface GigabitEthernet2/0/8

commands configure include interface GigabitEthernet2/0/9

commands configure include interface GigabitEthernet2/0/10

commands configure include interface GigabitEthernet2/0/11

commands configure include interface GigabitEthernet2/0/12

None of them seem to work, I really need commands exec include show configuration
to work which lets users type show configuration.

Also when they log in it is like this:

3750#

when it is normally:

3750>

Any ideas?

cadet alain · ‎05-31-2013

Hi,

why are you using views and don't tie them to your users but use privilege levels instead ?

do you want to use views ?

In this case you must have user "username" view "view name" and add these:

aaa authorization console

aaa authorization exec default group radius local

regards

Alain

Don't forget to rate helpful posts.

Mark Graham · ‎05-31-2013

AAA Auth console is the key part there!

i found that out the hard way.

if you dont set that and set a policy on con0 you can lock yourself out of the switch, and you will have to do config recovery.