02-02-2011 08:49 PM - edited 03-06-2019 03:19 PM
Hi all experts.
I am using ACS, but for failover I am given the following requirement:
There will be 2 local accounts. One with full access:
username admin secret cisco123
enable secret abc123
Now for the second account, I want that account to be able to view the complete running-config, but it shouldn't be able to enter config mode.
Can someone highlight what configuration I might need on the router? (Please don't tell me the solution for ACS, I just need it for local accounts :-))
02-02-2011 11:29 PM
Hi John,
You need to configure privileges.
Please find the below; it may help in your scenario...
Show privilege: This command displays the current privilege. Here’s an example:
router# show privilege
Current privilege level is 3
Enable: Administrators typically use this command to go to privileged EXEC mode. However, it can also take you to any privileged mode. Here’s an example:
router# show privilege
Current privilege level is 3
router# enable 1
router> show privilege
Current privilege level is 1
router>
User: While this command configures users, it can also tell the IOS which privilege level the user will have when logging in. Here’s an example:
router(config)# username test password test privilege 3
Privilege: This command configures certain commands to be available only at certain levels. Here’s an example:
router(config)# enable secret level 5 level5pass
Enable secret: By default, this command creates the password to get to privilege mode 15. However, you can also use it to create passwords to get into other privilege modes that you create.
Let’s look at an example. Suppose you want to create a support user who can log in to the router and view the startup configuration (as well as anything else at level 1). The commands you would enter would look something like this:
router(config)# user support privilege 3 password support
router(config)# privilege exec level 3 show startup-config
Note that the enable secret command is not required unless you want to require users who log in at level 1 to use the password in order to move up to level 3. In our example, the new user (support) is already at level 3 and needs no additional enable secret password to get there.
Please rate if this helped you...
Regards,
Naidu.
02-03-2011 09:52 PM
John
Unfortunately you have mutually conflicting requirements. Cisco provides the alternative of configuring privilege levels. But they build into that the requirement that if you do not have the privilege level to change something, you are not able to see it in running config.
There is, perhaps, an alternative that may allow you to achieve most of what your requirements are. The users at level 3 may not see all of the running-config, but they should be able to see all of the startup-config. Assuming that you have procedures in place to make sure that running-config and startup-config are in sync, then your level 3 users can see what they need by looking at startup-config.
I can (mostly) understand the logic that if you cannot change it, you cannot see it in running config. But the logic has never made sense to me that a lower privilege person cannot see it in running-config but can see it in startup-config.
HTH
Rick
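Putting Naidu's procedure and Rick's caveat together, here is an added example (not posted by anyone in this thread) of the local-account configuration the question describes: ACS/TACACS+ login falling back to the local database, a full-access admin and a level-3 read-only account. The server address and the bracketed secrets are placeholders, and the behaviour of show running-config at level 3 is the one Rick describes.

```ios
! Added example, not from the thread. Replace every <placeholder>.
! Assumes IOS with AAA enabled and a TACACS+ (ACS) server at <acs-ip>.
aaa new-model
tacacs-server host <acs-ip> key <tacacs-key>
!
! Authenticate against ACS first, fall back to the local database when it
! is unreachable. The exec authorization line is what makes the local
! "privilege" keyword on a username take effect once aaa new-model is on.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Account 1: full access (level 15). Use "secret" (stored hashed), not "password".
username admin privilege 15 secret <admin-secret>
enable secret <enable-secret>
!
! Account 2: lands at level 3. "configure terminal" stays at level 15,
! so this user cannot enter config mode.
username viewer privilege 3 secret <viewer-secret>
!
! Lower the two show commands to level 3 ("show" itself is already level 1).
privilege exec level 3 show running-config
privilege exec level 3 show startup-config
!
line vty 0 4
 transport input ssh
!
! Caveat (Rick's point): at level 3 "show running-config" prints only the
! commands whose own privilege level is 3 or lower, while
! "show startup-config" prints the saved file in full. Keep the two in
! sync (write memory) if the viewer account is meant to see everything.
```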
02-03-2011 09:23 PM
Dear Sir,
It's working, but there is one issue. The user at level 3 can't view the complete running-config! It can only view those commands that I have defined explicitly through the privilege command.
My main task is only to restrict the user from getting into config mode. But he should be able to view the complete running-config.
02-03-2011 10:24 PM
Thanks a lot Sir Rick.
It's been a very long time since I received your valuable input. It's good to know you are still around. I must say, you guys are really a blessing to this forum.
02-03-2011 10:55 PM
John
I am glad that we have helped you to achieve a solution in your situation. And may I say that I appreciate the honorific title of Sir Rick.
I enjoy helping find solutions to problems and while my participation in the forum may have lagged from time to time, depending on other demands on my time, I participate in the forum as I am able.
HTH
Rick
02-03-2011 10:24 PM
Thanks a lot Latchum,
With your and Sir Rick's advice, I am able to get my task done.
Really thanks
02-03-2011 11:23 PM
Hi John,
I am happy to see that our suggestions helped you.
One thing I would like to say through this post is that the Cisco Support Community is a most excellent place where we can contribute to the solutions and improve our technical world by giving solutions.
And also, participating with such highly technically qualified people like Richard, Giuseppe, Palo and Jon Marshall is a pleasure as always....
Regards,
Naidu.