different 'enable' passwords?

mark-bear
Level 1

Hi All,

What I want to achieve is to give enable access to 2 different user groups (ie full rights) and NO tacacs is available.

I require one user to have enable rights to one switch only, but at the same time give enable rights to the 'network community' (who have access to all switches and routers in the network, including this specific switch). The network community (ie network engineers) use their standard username and password and enable password, ie same for all switches/routers in the network).

I do not want to give out the 'network community's' enable password to this one user.

Allowing 2 different usernames is no problem, but I want each of these usernames to have different enable passwords, is this possible?

Thanks in advance,

regards

mark

12 Replies

Kevin Dorrell
Level 10

You cannot set different enable passwords for each user. But what you can do is allow different users different levels of privilege. For example, you could configure your trusted users to have privilege level 15 as soon as they log in, even without the enable password, but your untrusted users come in with a privilege level 1.

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a008041a596.html#wp1184201

So, don't divulge the enable password to anyone, but just let your different users access the box with their appropriate privilege levels with just their login passwords.

Kevin Dorrell

Luxembourg

Mark

I like Kevin's approach but I have a slight variation of it to offer. If I understand correctly you already have a community of network engineers who have enable access (privilege level access) on all network routers and switches. And it sounds like you are doing login local for authentication. You want to give a single user enable access on a single device. What about configuring a userID for that specific user on that specific device which sets that user's privilege level to 15? When that user logs in they should immediately go to privilege level access without needing any enable password.

HTH

Rick

Hi Rick,

Yes, I tried this earlier, but the user still has to type enable and then the appropriate enable password.

The switch is running v12.2(25).

The config I used as an example is:

username fred privilege 15 password 0 fred

When username fred and password fred are used, the user goes to the normal prompt; he then has to type enable and the appropriate password.

Am I doing something basically incorrect here?

Appreciate help.

regards

mark

Puzzled. What does the rest of your line vty config look like?

Kevin Dorrell

Luxembourg

Hi Kevin,

The vty line is:

line vty 0 4
 exec-timeout 60 0
 escape-character 3

The username and password pair I mentioned earlier is configured as a global command.

regards

Mark

Hi Kevin,

Thanks for responding.

How do I allow a user to go straight to enable mode, just by using their login username/password pair?

Thanks

Mark

Just after their username in the username command, add the keyword privilege 15.

Oh, and you might like to change the keyword password to secret.

Kevin Dorrell

Luxembourg
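Putting Kevin's two suggestions together (privilege 15 on the username, secret instead of password), here is the local-only configuration as an added example. It is not from the thread or from Cisco; the account names, passwords and the use of a separate per-device account are constructed placeholders.

```cisco
! Added example (not from the thread): local-only login where the
! per-device user lands in privilege 15 without ever being told the
! shared enable secret. All names and passwords are placeholders.
!
! Standard account the network engineers use on every box, plus the
! one-off account that exists on this switch only. 'secret' stores a
! hashed (type 5) credential; 'password' would store a reversible
! type 7 string that anyone who reads the config can recover.
username neteng privilege 15 secret CHANGE-ME-neteng
username fred   privilege 15 secret CHANGE-ME-fred
!
! Keep an enable secret for console recovery, but nobody needs it for
! day-to-day work: both accounts are dropped straight into exec level 15.
enable secret CHANGE-ME-enable
!
line vty 0 4
 login local
 exec-timeout 60 0
 escape-character 3
!
! Check after logging in as fred; the prompt should already be '#':
!   Switch# show privilege
!   Current privilege level is 15
```

Because the vty uses login local and there is no aaa new-model, the privilege keyword on the username is honoured directly. Rotating fred's credential later only touches this one switch, which is the point of the per-device account.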

Mark

I am surprised that configuring a username with privilege 15 did not work. What kind of switch is this? Would it be possible to post the switch config (masking IP addresses or other sensitive items)?

HTH

Rick

Hi Rick,

The config pertaining to this issue is as below.

However, if we give a user a privilege of 15, doesn't this just mean that this user has access to all levels and therefore all commands, it does not mean that after they have been correctly authenticated they will automatically be presented with the enable prompt?

!
username fred privilege 15 password 0 fred
enable password test
!
line vty 0 4
 exec-timeout 60 0
 escape-character 3
!

regards

Mark

Mark

I do not quite understand what you are asking when you say:

doesn't this just mean that this user has access to all levels and therefore all commands, it does not mean that after they have been correctly authenticated they will automatically be presented with the enable prompt?

Given the configuration that we are talking about if someone logs in using name fred and password fred then I would expect them to go directly to level 15 access (enable access or privilege access depending on which term you prefer) without going through the enable password. Is using the correct name and the correct password enough to be correctly authenticated?

I would expect that the configuration that you posted should work. If it does not work then either there is something different about the particular switch you are using or its particular version of code, or there is some other part of the config that impacts this.

HTH

Rick

Hi Rick,

It's sorted.

The problem was (as you rightly alluded to) that I had previously configured login via TACACS and, after getting it to work, I then removed the TACACS rule on the firewall (which had previously allowed the TACACS port through).

I then relied on the backup login method (which was local to the switch). But using a user with privilege 15 just did not work, as mentioned above. I then deleted the old TACACS login and it all worked fine.

Thanks for your help and Kevin's (previous responder).

regards

Mark
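Mark's resolution above only says that deleting the leftover TACACS login made the privilege-15 username work. As an added example (not from the thread, and not a configuration anyone in it posted), this is the shape of that AAA setup when it is kept rather than removed, with the server unreachable and the local database as fallback. The server address, key and credentials are constructed placeholders. The exec-authorization line is an assumption based on general IOS behaviour, not something the thread confirms was missing from Mark's switch.

```cisco
! Added example (not from the thread): TACACS+ first, local accounts when
! the server does not answer. Host, key and passwords are placeholders.
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key CHANGE-ME-tacacs-key
!
! Login authentication falls back to the local database when TACACS+
! is unreachable (for example when a firewall rule is removed).
aaa authentication login default group tacacs+ local
!
! Once aaa new-model is in effect, the privilege keyword on a username
! is applied only if exec authorization also consults the local database.
! Without this line a locally authenticated user starts at level 1 and
! still has to type 'enable' (assumption: this is one explanation for the
! symptom reported in the thread, which does not say which statements
! were actually present).
aaa authorization exec default group tacacs+ local
!
username fred privilege 15 secret CHANGE-ME-fred
!
line vty 0 4
 exec-timeout 60 0
 escape-character 3
! No 'login local' here: under aaa new-model the vty lines use the
! default authentication and authorization method lists automatically.
```

The defender's takeaway from the thread is the same either way: a fallback path that is never exercised until the primary one breaks deserves a test while the primary is still working, so that the local accounts and their privilege levels are known to behave as intended before they are needed.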

Mark

I am glad that you have it sorted out. Thanks for posting back and indicating that it was solved and what the solution is (and thanks for the rating). It makes the forum more useful when people can read about a problem and can read what solved the problem.

I encourage you to continue your participation in the forum.

HTH

Rick