01-19-2010 12:34 PM - edited 03-06-2019 09:21 AM
We are setting up a local username database on the switches, and would like to separate the admin users into 2 groups: one group has access to the enable mode (EXEC privilege), while the other group does not, and can only do 'show' commands like 'sh interface', 'sh logg', etc. for troubleshooting purposes.
Is there a way to disable the 'enable' command for the second group of admin users? We want the 2nd group of admin users, even if they find out the enable password, to have no way to enter the EXEC privilege mode.
Thanks.
01-19-2010 12:58 PM
Hello Benny,
You can configure something like this:
username joe privilege 3 password joe
privilege exec level 3 show
This way they can do all the show commands and not make any config changes.
HTH
Reza
01-19-2010 01:12 PM
Reza,
Thanks for your reply.
My question is, with your solution, the user will be able to do only the show commands when they do 'enable 2 xxxxxx' to log in at privilege 2 level.
But if they somehow discover the enable password (for privilege 15), they can just do 'enable xxxxxx' and still log in to privilege 15. Right?
So, I would like to see if there is a way that, if a user logs in to the User privilege mode, they will not be able to type 'enable' at all. This way, even if they find out the enable password, they will not be able to log in to privilege 15 when they log in using their username and password.
Thanks.
01-19-2010 09:56 PM
Hi Benny,
When you log in to a Cisco router under the default configuration, you're in user EXEC mode (level 1). From this mode, you have access to some information about the router, such as the status of interfaces, and you can view routes in the routing table. However, you can't make any changes or view the running configuration file.
For your query, you can assign them privilege level 3 and configure this command in your router so that only a particular privilege level can see this command in the router. Here is the example.
privilege exec level 1 enable
privilege exec level 1 telnet
privilege exec level 1 tunnel
privilege exec level 1 clear
privilege exec level 1 login
With the above example, only privilege level 1 users can view enable, telnet, tunnel; the level below, that is level 0, can't see the above commands in routers.
Hope that clears up your query!
If helpful, do rate the valuable post.
Regards
Ganesh.H
01-19-2010 10:02 PM
I am sorry, I don't know how it has posted three posts for the same thread.
Regards
Ganesh.H
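Added example, not part of any post in this thread: a small Python check that reads `username` and `privilege exec level` lines and reports which local users have the `enable` command within their privilege level. It models only level-based command availability (a command placed at level N is usable at level N and above) and ignores the enable password and AAA; the `admin` and `guest` accounts and all function names are constructed for the sample.

```python
import re

# Assumption: on IOS the exec command "enable" sits at level 0 unless moved,
# and a "username" line with no "privilege" keyword gets level 1.
DEFAULT_CMD_LEVEL = {"enable": 0}
DEFAULT_USER_LEVEL = 1

# Constructed sample: the "joe" line, the "show" line and the "enable" line
# come from the thread; "admin" and "guest" are made-up accounts.
SAMPLE_CONFIG = """\
username admin privilege 15 password admin
username joe privilege 3 password joe
username guest privilege 0 password guest
privilege exec level 3 show
privilege exec level 1 enable
"""

def parse_config(text):
    """Return ({user: level}, {exec command: level}) from config text."""
    users, cmd_levels = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"username\s+(\S+)(.*)", line)
        if m:
            # Only look at options before the password/secret keyword, so a
            # password that contains the word "privilege" is not misread.
            opts = re.split(r"\s(?:password|secret)\s", m.group(2) + " ", maxsplit=1)[0]
            lvl = re.search(r"\bprivilege\s+(\d+)", opts)
            users[m.group(1)] = int(lvl.group(1)) if lvl else DEFAULT_USER_LEVEL
            continue
        m = re.match(r"privilege\s+exec\s+level\s+(\d+)\s+(.+)", line)
        if m:
            cmd_levels[m.group(2).strip()] = int(m.group(1))
    return users, cmd_levels

def can_run(user_level, command, cmd_levels):
    """A command placed at level N is usable by every user at level >= N."""
    required = cmd_levels.get(command, DEFAULT_CMD_LEVEL.get(command, 1))
    return user_level >= required

def audit_enable(text):
    """Map each local user to whether 'enable' is within their level."""
    users, cmd_levels = parse_config(text)
    return {u: can_run(lvl, "enable", cmd_levels) for u, lvl in sorted(users.items())}

if __name__ == "__main__":
    for user, ok in audit_enable(SAMPLE_CONFIG).items():
        print(f"{user}: enable {'available' if ok else 'not available'}")
```

Run against a saved configuration, it lists every local account that can still type `enable`, which is the condition the original question is about.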