Restrict access to config ter command!

Jonn cos
Level 4

Hi all experts.

I am using ACS but for failover i am given the following requirement

There will be 2 local accounts. One with full access

username admin secret cisco123

enable secret abc123

Now for the second account, I want that account to be able to view the complete running-config, but it shouldn't be able to enter config mode.

Can someone highlight what configuration I might need on the router? (Please don't tell me the solution for ACS, I just need it for local accounts :-))

7 Replies

Latchum Naidu
VIP Alumni

Hi Jonn,

You need to configure privileges.

Please find below what may help in your scenario...

Show privilege: This command displays the current privilege. Here’s an example:

router# show privilege
Current privilege level is 3

Enable: Administrators typically use this command to go to privileged EXEC mode. However, it can also take you to any privileged mode. Here’s an example:

router# show privilege
Current privilege level is 3
router# enable 1
router> show privilege
Current privilege level is 1
router>

User: While this command configures users, it can also tell the IOS which privilege level the user will have when logging in. Here’s an example:

router(config)# username test password test privilege 3

Privilege: This command configures certain commands to be available only at certain levels. Here’s an example:

router(config)# enable secret level 5 level5pass

Enable secret: By default, this command creates the password to get to privilege mode 15. However, you can also use it to create passwords to get into other privilege modes that you create.

Let’s look at an example. Suppose you want to create a support user who can log in to the router and view the startup configuration (as well as anything else at level 1). The commands you would enter would look something like this:

router(config)# user support privilege 3 password support
router(config)# privilege exec level 3 show startup-config

Note that the enable secret command is not required unless you want to require users who log in at level 1 to use the password in order to move up to level 3. In our example, the new user (support) is already at level 3 and needs no additional enable secret password to get there.


Please rate if this helped you...

Regards,
Naidu.

Dear Sir,

It's working, but there is one issue. The user at level 3 can't view the complete running-config! It can only view those commands that I have defined explicitly through the privilege command.

My main task is to restrict the user only from getting into config mode. But he should be able to view the complete running-config.

John

Unfortunately you have mutually conflicting requirements. Cisco provides the alternative of configuring privilege levels. But they build into that the requirement that if you do not have the privilege level to change something that you are not able to see it in running config.

There is, perhaps, an alternative that may allow you to achieve most of what your requirements are. The users at level 3 may not see all of the running-config, but they should be able to see all of the startup-config. Assuming that you have procedures in place to make sure that running-config and startup-config are in sync, then your level 3 users can see what they need by looking at startup-config.

I can (mostly) understand the logic that if you cannot change it, you cannot see it in running-config. But it has never made sense to me that a lower-privilege person cannot see it in running-config but can see it in startup-config.

HTH

Rick
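Pulling Naidu's privilege-level commands and Rick's startup-config workaround together, here is an added configuration example (not from any post in this thread) of the two local accounts the question asks for: a level-15 administrator and a level-3 account that can display the full startup configuration but cannot reach configure terminal. The usernames and the bracketed passwords are placeholders chosen for this example, not values from the thread; replace them before use. `secret` is used rather than `password` because `password` stores the credential in plaintext or, with `service password-encryption`, as the trivially reversible type 7 encoding.

```cisco
! Added example, not from the original thread. Usernames and the bracketed
! passwords are placeholders and must be replaced.
!
! Full-access local account: lands directly at level 15 on login.
username admin privilege 15 secret <admin-password>
!
! Read-only local account: lands at level 3 on login. "configure terminal"
! stays at its default level 15, so this user cannot enter config mode.
username viewer privilege 3 secret <viewer-password>
!
! Make "show startup-config" available at level 3. IOS grants the parent
! "show" keyword at that level automatically. As Rick's post explains,
! "show running-config" at level 3 would only list the commands that level
! is allowed to run, so startup-config is the complete read-only view.
privilege exec level 3 show startup-config
!
! Still needed for anyone who logs in at level 1 and uses "enable" to
! reach level 15 (the viewer account does not need it to reach level 3).
enable secret <enable-password>
!
! Authenticate console and VTY sessions against the local database so the
! per-user privilege level takes effect when ACS is unreachable.
! "transport input ssh" assumes SSH (hostname, domain, RSA key) is already set up.
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
!
! Checks from the viewer session (expected behaviour, not captured output):
!   show privilege        -> Current privilege level is 3
!   show startup-config   -> complete saved configuration
!   configure terminal    -> not recognised at level 3
```

Two caveats a practitioner would want before relying on this. First, the viewer only sees what was last saved, so the startup-config is as current as the last `write memory`; Rick's assumption that running-config and startup-config are kept in sync is doing real work here. Second, `show startup-config` exposes every `secret` hash and any type 7 strings in the file to the level-3 user, so this account should be treated as one that can read credentials, not merely as "read-only".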

Thanks a lot, Sir Rick.

It's been a very long time since I received your valuable input. It's good to know you are still around. I must say, you guys are a real blessing to this forum.

John

I am glad that we have helped you to achieve a solution in your situation. And may I say that I appreciate the honorific title of Sir Rick.

I enjoy helping find solutions to problems and while my participation in the forum may have lagged from time to time, depending on other demands on my time, I participate in the forum as I am able.

HTH

Rick

Thanks a lot, Latchum,

With your and Sir Rick's advice, I am able to get my task done.

Really, thanks.

Hi John,

I am happy to see that our suggestions helped you to achieve it.

One thing I would like to say through this post is that the Cisco Support Community is a most excellent place where we can contribute to the solutions and improve our technical world by giving solutions.

And also, participation with such highly technically qualified people like Richard, Giuseppe, Palo and Jon Marshall is a pleasure as always....

Regards,

Naidu.
