
Local user privileges issue in Cat9300L switch

bensonlei
Level 1

Hi, guys,

I want to create some local accounts on a Cat9300L with OS v16.12, but it is not working.

The following devices are working:

1. Cat2960X: works OK
    IOS Version 15.2(2)E4

2. Cat3850: works OK
    03.06.08E

3. ASR1001: works OK
    asr1001x-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin

But it is not working on the Cat9300L with OS v16.12:


Reference configuration:

===================

username acct_test priv 14 password P@ssw0rd
privilege exec level 14 show boot
privilege exec level 14 show dir
privilege exec level 14 show flash
privilege exec level 14 show startup-config
privilege exec level 14 show log

 

 

Any advice or recommendations? Many thanks.

8 Replies

marce1000
Hall of Fame

 

 - Check this guide for more info:

               https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/sec/b_166_sec_9300_cg/controlling_switch_access_with_passwords_and_privilege_levels.html

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

balaji.bandi
Hall of Fame

Can you post the full config, with the sensitive information removed? I would like to check whether other AAA is configured.

Is the config not being accepted, or are the commands not working for the user?

 

BB


Hi, guys,

 

Thanks so much for your information.

 

But for the Cat9300 switch with IOS V16.12, the following privileges are not working (the previous IOS version has no issue):

 

privilege exec level 14 show boot
privilege exec level 14 show flash
privilege exec level 14 show startup-config

 

 

Hello,

 

In addition to the other posts, what if you configure an 'enable' password for the privilege level?

 

enable password level 14 secretpassword

Hi, Georg

 

Thanks for your information.

 

I referred to this link:

https://community.cisco.com/t5/switching/privilege-14-no-show-run-command/td-p/3911614

Your recommendation does not seem to work.

 

 

Hello

username stan role priv-15 password xxxxxxxx
username stan keypair generate rsa 2048


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi, Paul,

 

Thanks so much for your suggestion.

 

I just do not want to create a user with priv 15.

Hello


@bensonlei wrote:

I just do not want to create a user with priv 15.


You can create a lesser privilege role based on your requirements and also have a privilege 15 mode for admin users and an enable mode for lesser user privilege roles to elevate their own access.
example:
username stan role priv-1 password xxxxxxxx
username stan keypair generate rsa 2048
role name stan
rule 1 deny command telnet
rule 2 deny command ssh
rule 3 permit command show run
rule 4 permit command show ip int brief
rule 5 etc......
enable secret x.x.x.x  <---- this can be used for  user stan running at privilege mode of 1 to elevate itself to admin role



Kind Regards
Paul
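
An offline audit of the kind of configuration discussed in this thread, as an added example that is not part of any post: it lists which explicitly re-levelled commands each local user's privilege level reaches (a user at level N can run commands assigned to level N or below) and flags credentials configured with the `password` keyword instead of `secret`. The regexes and function names are assumptions for illustration, and the sample input is constructed from the lines quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the original post's reference configuration plus the
# "enable password level 14" line suggested in a reply.
SAMPLE_CONFIG = """\
username acct_test priv 14 password P@ssw0rd
privilege exec level 14 show boot
privilege exec level 14 show dir
privilege exec level 14 show flash
privilege exec level 14 show startup-config
privilege exec level 14 show log
enable password level 14 secretpassword
"""

# "priv" is accepted as an abbreviation of "privilege", as typed in the post.
USER_RE = re.compile(r"^username\s+(\S+)\s+(?:priv\w*\s+(\d+)\s+)?(password|secret)\b")
PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+)$")
ENABLE_RE = re.compile(r"^enable\s+(password|secret)(?:\s+level\s+(\d+))?\b")

def audit(config: str) -> dict:
    """Return users, per-level command grants, and credential findings."""
    users, grants, findings = {}, defaultdict(list), []
    for raw in config.splitlines():
        line = raw.strip()
        if m := USER_RE.match(line):
            # A username with no explicit level defaults to privilege 1.
            name, level, kind = m.group(1), int(m.group(2) or 1), m.group(3)
            users[name] = level
            if kind == "password":
                findings.append(f"username {name}: 'password' keyword, not 'secret'")
        elif m := PRIV_RE.match(line):
            grants[int(m.group(2))].append((m.group(1), m.group(3).strip()))
        elif (m := ENABLE_RE.match(line)) and m.group(1) == "password":
            # An enable credential with no level applies to level 15.
            findings.append(f"enable level {m.group(2) or 15}: 'password' keyword, not 'secret'")
    return {"users": users, "grants": dict(grants), "findings": findings}

def commands_for(report: dict, user: str) -> list:
    """Commands explicitly moved to the user's level or below."""
    level = report["users"][user]
    return sorted(cmd for lvl, cmds in report["grants"].items()
                  if lvl <= level for _mode, cmd in cmds)

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for user, level in report["users"].items():
        print(user, level, commands_for(report, user))
    print("\n".join(report["findings"]))
```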