13710 Views, 6 Helpful, 8 Replies

disable entering to enable mode

from88 (Level 4)

Is it possible to disable entering enable mode on IOS?
I'm deploying RADIUS servers with two user groups (lvl 1 and lvl 15). My goal is that users who are lvl 1 would not be permitted to enter enable mode.
Yes, I know I can create a password for enable mode. But maybe it's possible to not even let level 1 users enter that mode? Thanks.

Accepted Solution

Yes, that's a good way too, don't even let them see the command in level 1.

8 Replies

Mark Malone (VIP Alumni)

Hi

I have done it in ACS for our NOC alright.

Set the user up as priv 1; they can't get out of > mode then too.

privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.

See this doc, it explains it more:

https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13860-PRIV.html

Thank you, but a priv lvl 1 user can enter enable mode.

R1>en
R1>enable
R1#

For me the best thing would be not to enter privileged mode at all.

Hi, can you post the "show privilege" output while logged in as that user? You shouldn't even be able to run show run in priv 1.

The levels work up to 16, 1-15, with 1 being basically no access to the router: no show run, you can do very basic checks only.

Privilege level 0 — includes the disable, enable, exit, help, and logout commands.
Privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
Privilege level 15 — includes all enable-level commands at the router# prompt.

If it's still allowing enable even in level 1, you can lock down the level to only allow certain commands to be typed; that's another way to block them. Don't allow enable in your custom list of what they can do.

Can you not block them from your RADIUS server when you set them up as a user on it? Is there no option for that?

On privilege 1 I've no right to run "show privilege" :)

Yes, I know I can limit the commands, but maybe there's some global command to enable/disable entering that mode.

OK, well that should block them. Even though enable may work, priv 1 should stop them seeing or doing anything in that mode. They will have a couple of commands but very limited; I don't think you can even see the interfaces. It's the most restricted mode available.

I'm not aware of a global command to do it; we had to do it through ACS and AAA configuration, and there's a bit in it. There's no single command to turn it off, I don't think, anyway.

Hello,

On a side note, you can remove the 'enable' command from level 1 altogether by assigning it to the next level:

Router(config)#privilege exec level 2 enable

Once you do that, and you log in with level 1, the 'enable' command is not there anymore...

Not sure if this is relevant to your question...

Yes, that's a good way too, don't even let them see the command in level 1.
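As an added example (not posted by anyone in this thread), here is an IOS configuration that ties the pieces discussed above together: RADIUS-assigned exec privilege level, an enable secret as a second barrier, and the 'privilege exec level 2 enable' trick so level-1 users cannot see or run 'enable'. The server name, address and secrets are placeholders.

```text
! Added example config, not from any poster in this thread.
! NOC-RADIUS, 192.0.2.10 and the secrets are placeholders.
!
aaa new-model
! Authenticate logins against RADIUS, fall back to local users
aaa authentication login default group radius local
! Let RADIUS set the exec privilege level at login. The server returns
! cisco-avpair "shell:priv-lvl=1" or "shell:priv-lvl=15" (see the
! 13860-PRIV doc linked above): level-15 users land at "Router#",
! level-1 users at "Router>".
aaa authorization exec default group radius local
!
radius server NOC-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
!
! Keep an enable secret as a second barrier even with the change below
enable secret PLACEHOLDER-ENABLE-SECRET
!
! The side note from the thread: move "enable" up to level 2 so a
! level-1 session no longer has it in its parser. Level-15 users are
! unaffected, they already arrive in enable mode via the RADIUS
! priv-lvl and never need to type "enable".
privilege exec level 2 enable
!
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
!
! Check: log in as a level-1 RADIUS user and type "enable". It is no
! longer accepted at the ">" prompt, and does not appear in "?".
```

If the RADIUS server is unreachable, the 'local' fallback applies, so any local usernames must also be created with the intended 'privilege' level or they will default to level 1.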