How to use extended ping without enable access?

philipdurandt
Level 1

Does anyone know of a way to create a username for a Cisco router and allow them to do extended ping and traceroute commands without giving them enable access or using Tacacs?

I've tried changing around the privilege commands and setting privilege levels for certain command modes, but I can't figure out which mode the extended ping commands fall under.

Your help would be greatly appreciated.

3 Replies

Philip D'Ath
VIP Alumni

I'm 99% sure you cannot do it at privilege level 0 or 1.

What I think will work is if you use aaa, and use privilege level 2. Privilege level 2 won't allow a user into config mode by default (or to execute "show running").

aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local

username test privilege 2 password xxx

Thanks Philip.

I've tested your suggestion, but I'm afraid it still isn't working.

I've also tried all the privilege levels from 1 - 15 and the only one where it works is at 15, but then they have access to configure changes and it nullifies the whole point of the exercise :(

After some research I gather that you can change the privilege levels for some commands using the privilege mode global config command but I can't figure out how to get it to work.

I am getting an authentication server with time, but the network isn't big enough to warrant the expense right now, hence my need to do it locally.

I just tried it on a test router here and it worked.

What model router are you using and what software version are you using?