09-24-2007 05:45 AM - edited 03-05-2019 06:40 PM
Hi All,
What I want to achieve is to give enable access to 2 different user groups (ie full rights) and NO tacacs is available.
I require one user to have enable rights to one switch only, but at the same time give enable rights to the 'network community' (who have access to all switches and routers in the network, including this specific switch). The network community (ie network engineers) use their standard username and password and enable password, ie the same for all switches/routers in the network.
I do not want to give out the 'network community's' enable password to this one user.
Allowing 2 different usernames is no problem, but I want each of these usernames to have a different enable password. Is this possible?
Thanks in advance,
regards
mark
09-24-2007 06:30 AM
You cannot set different enable passwords for each user. But what you can do is allow different users different levels of privilege. For example, you could configure your trusted users to have privilege level 15 as soon as they log in, even without the enable password, but your untrusted users come in with a privilege level 1.
So, don't divulge the enable password to anyone, but just let your different users access the box with their appropriate privilege levels with just their login passwords.
Kevin Dorrell
Luxembourg
09-24-2007 06:42 AM
Mark
I like Kevin's approach but I have a slight variation of it to offer. If I understand correctly you already have a community of network engineers who have enable access (privilege level access) on all network routers and switches. And it sounds like you are doing login local for authentication. You want to give a single user enable access on a single device. What about configuring a userID for that specific user on that specific device which sets that user's privilege level to 15. When that user logs in they should immediately go to privilege level access without needing any enable password.
HTH
Rick
09-24-2007 07:54 AM
Hi Rick,
Yes I tried this earlier, but the user still has to type enable and then the appropriate enable password.
The switch is running v12.2(25).
The config I used as an example is:
username fred privilege 15 password 0 fred
When username fred and password fred is used, the user goes to the normal prompt; he then has to type enable and the appropriate password.
Am I doing something basically incorrect here?
Appreciate help.
regards
mark
09-24-2007 08:01 AM
Puzzled. What does the rest of your line vty config look like?
Kevin Dorrell
Luxembourg
09-24-2007 08:15 AM
Hi Kevin,
The vty line is:
line vty 0 4
exec-timeout 60 0
escape-character 3
The username and password pair I mentioned earlier are under global command.
regards
Mark
09-24-2007 07:46 AM
Hi Kevin,
Thanks for responding.
How do I allow a user to go straight to enable mode, just by using their login username/password pair?
Thanks
Mark
09-24-2007 07:54 AM
Just after their username command, add the keyword privilege 15
Oh, and you might like to change the keyword password to secret.
Kevin Dorrell
Luxembourg
09-24-2007 09:10 AM
Mark
I am surprised that configuring a username with privilege 15 did not work. What kind of switch is this? Would it be possible to post the switch config (masking IP addresses or other sensitive items)?
HTH
Rick
09-24-2007 10:36 AM
Hi Rick,
The config pertaining to this issue is as below.
However, if we give a user a privilege of 15, doesn't this just mean that this user has access to all levels and therefore all commands, it does not mean that after they have been correctly authenticated they will automatically be presented with the enable prompt?
!
username fred privilege 15 password 0 fred
enable password test
!
line vty 0 4
exec-timeout 60 0
escape-character 3
!
regards
Mark
09-24-2007 10:56 AM
Mark
I do not quite understand what you are asking when you say:
doesn't this just mean that this user has access to all levels and therefore all commands, it does not mean that after they have been correctly authenticated they will automatically be presented with the enable prompt?
Given the configuration that we are talking about if someone logs in using name fred and password fred then I would expect them to go directly to level 15 access (enable access or privilege access depending on which term you prefer) without going through the enable password. Is using the correct name and the correct password enough to be correctly authenticated?
I would expect that the configuration that you posted should work. If it does not work then either there is something different about the particular switch you are using or its particular version of code, or there is some other part of the config that impacts this.
HTH
Rick
09-24-2007 12:12 PM
Hi Rick,
It's sorted.
The problem was (as you rightly alluded to) that I had previously configured login via tacacs and after getting it to work, I then removed the tacacs rule on the firewall (which had previously allowed the tacacs port through).
I then relied on the backup login method (which was local to switch). But using user with privilege 15 just did not work - as mentioned above. I then deleted old tacacs login and it all worked fine.
Thanks for your help and Kevin's (previous responder).
regards
Mark
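As an added illustration (not Mark's actual configuration), the block below shows the kind of leftover AAA state that produces the symptom described in this thread, beside the local-only configuration the thread ends up with and Kevin's `secret` advice. The TACACS+ server address and all secrets are placeholders, and the diagnosis that a missing exec authorization line was the cause is an assumption the thread does not confirm.

```text
! --- Leftover state (assumed, not the poster's config): TACACS+ login with local fallback.
! When the TACACS+ server is unreachable the "local" method still authenticates fred,
! but with no "aaa authorization exec" line the username's privilege 15 is never applied,
! so fred lands at privilege 1 and must still type "enable" plus the enable password.
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 192.0.2.10
tacacs-server key TACACS_KEY_PLACEHOLDER
!
! "password 0" stores the password in clear text in the running config.
username fred privilege 15 password 0 fred
enable password test
!
line vty 0 4
 exec-timeout 60 0
 escape-character 3

! --- Corrected, local-only version (what the thread ends up with).
! Without aaa new-model, "login local" on the line plus the username's privilege 15
! drops fred straight into privilege 15; the enable password is never needed by him.
no aaa new-model
no tacacs-server host 192.0.2.10
!
! "secret" stores a one-way hash instead of a clear-text or reversible password.
username fred privilege 15 secret FRED_SECRET_PLACEHOLDER
enable secret ENABLE_SECRET_PLACEHOLDER
!
line vty 0 4
 login local
 exec-timeout 60 0
 escape-character 3

! --- Alternative if AAA must stay on for the network engineers: keep aaa new-model
! and let exec authorization fall back to the local database, which applies the
! username's privilege level at login when the TACACS+ server cannot be reached.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
```

The point to check on any box showing this symptom is `show running-config | include aaa`: a stale `aaa new-model` with authentication but no exec authorization is the usual reason a privilege-15 local user still lands at the user prompt.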
09-24-2007 12:53 PM
Mark
I am glad that you have it sorted out. Thanks for posting back and indicating that it was solved and what the solution is (and thanks for the rating). It makes the forum more useful when people can read about a problem and can read what solved the problem.
I encourage you to continue your participation in the forum.
HTH
Rick