12-30-2015 06:25 AM
Hello all,
First of all, Merry Christmas. Second, we usually create just one user with privilege 15 on all our routers, and this user is used by all of our technicians.
We want to create 1 user per technician with full control but without the "power" of erasing a superadministrator with privilege 15.
Is there any privilege which allows us to modify any parameter of the router but not erase the superadmin user?
BR
12-30-2015 04:28 PM
I think you would be best using role based CLI access control.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
Basically create a view that excludes the "user" command (but allows all others), so that view cannot add/delete/change user accounts. That will be the superuser function from now on.
Assign it to a privilege level, such as 10. Then create technician accounts that are privilege level 10.
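As an added example (not part of the thread and not Cisco's own code), this Python script audits a running-config excerpt for the situation discussed above: which local accounts hold privilege 15, and which are bound to a CLI view that can still reach the `username` command. The config excerpt, account names and view names are constructed, and attaching accounts to a view with `username ... view` is an assumption about how the views are bound.

```python
import re

# Constructed running-config excerpt (not from the thread); account names,
# view names and the "$1$constructed" hashes are hypothetical placeholders.
SAMPLE_CONFIG = """\
username superadmin privilege 15 secret 5 $1$constructed
username shared privilege 15 secret 5 $1$constructed
username tech1 view TECH secret 5 $1$constructed
username tech2 view HELPDESK secret 5 $1$constructed
parser view TECH
 secret 5 $1$constructed
 commands exec include configure terminal
 commands configure include all interface
 commands configure exclude username
parser view HELPDESK
 secret 5 $1$constructed
 commands exec include configure terminal
 commands configure include username
"""

USER_RE = re.compile(r"^username (\S+)(.*)$")
# Explicit view rules that mention the `username` configuration command.
VIEW_CMD_RE = re.compile(
    r"^ commands configure (include|include-exclusive|exclude)( all)? username\b")

def audit(config):
    """Report who can still add, change or delete local accounts."""
    priv15, view_users, views, current = [], {}, {}, None
    for line in config.splitlines():
        m = USER_RE.match(line)
        if m:
            head = m.group(2).split(" secret ")[0]  # ignore the hash text
            bound = re.search(r"\bview (\S+)", head)
            level = re.search(r"\bprivilege (\d+)", head)
            if bound:
                view_users[m.group(1)] = bound.group(1)
            elif level and level.group(1) == "15":
                priv15.append(m.group(1))
            current = None
        elif line.startswith("parser view "):
            current = line.split()[2]
            views[current] = False  # nothing granted until a rule says so
        elif current and line.startswith(" "):
            c = VIEW_CMD_RE.match(line)
            if c:  # the last explicit rule for `username` wins
                views[current] = c.group(1) != "exclude"
        else:
            current = None
    risky = sorted(v for v, ok in views.items() if ok)
    editors = sorted(priv15 + [u for u, v in view_users.items() if v in risky])
    return {"priv15": priv15, "view_users": view_users,
            "risky_views": risky, "can_edit_accounts": editors}
```

The check only reads explicit `username` rules inside each view, so a view that grants the command through a broader rule needs a manual look.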
12-30-2015 11:42 PM
We will try that.
About TACACS or RADIUS, we have never thought about it.
Thank you.
12-30-2015 04:28 PM
Have you considered using TACACS+ or RADIUS instead? Much simpler ...