JORGE RODRIGUEZ Wed, 04/29/2009 - 16:11

Colm,


I do not have the list handy for the full privilege level 0-15 specification; perhaps someone could provide that link.


I do know, however, that using privilege level 5 will only give the user the ability to issue show and its subcommands, except for show running-config or show startup-config; all other show subcommands can be issued.


You can use this for priv level 5:

username privilege 5 password

line vty 0 4
 login local
line vty 5 15
 login local


http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/swauthen.html#wp1154063

Regards

The only two levels defined by default are:


Level 0: User exec mode

Level 15: Privileged Exec (enable) mode


Levels 1-14 are UNDEFINED, by default. You have to manually define commands for each of these levels.


Please note you will have issues with commands like show running-config, because the commands shown in the config might be blocked by privilege level.


If you had an ACS server, you could give that user level 15 access then RESTRICT the commands they are able to use to the subset you require.


Here are some helpful links:


http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfpass.html


http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftprienh.html





Gerard Roy Wed, 08/26/2009 - 11:47

Making show running-config a separate level 15 command was just STUPID Cisco. WTF were you thinking? You already created all these privilege levels so why not just let us assign what we want at the privilege we set? Dumb Asses. So how do I give our PCI auditors READ ONLY access to see the running config?

damoy Fri, 04/16/2010 - 14:36

Do your PCI auditors need to see the running config? Or would the start-up config be sufficient? If so you can just do:

username test privilege 3 password 0 test
privilege exec level 3 show startup-config

Then "show startup" should give them what they need.

I believe "show run" is more of a configuration (verification) command, while "show start" is more for the read-only user.
Hope this helps.
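An added example, not part of this thread: a small Python audit script that parses the username / privilege / line vty commands discussed above out of an IOS-style running-config and reports what each local user can actually reach. It encodes the rule the thread relies on (a command placed at level N is available at every level >= N, levels 1-14 have nothing reassigned by default) and flags accounts stored with a reversible "password" rather than "secret", vty lines without "login local", and a "show running-config" grant below level 15, whose output is filtered as the post above notes. The config text, hostnames and hash fields are constructed for the example.

```python
"""Audit local users, reassigned privilege levels and vty login mode in an
IOS-style running-config. SAMPLE_CONFIG is constructed for this example;
the hash fields are placeholders, not real secrets."""
import re
from dataclasses import dataclass

USERNAME_RE = re.compile(
    r"^username (?P<name>\S+)(?: privilege (?P<level>\d+))?"
    r" (?P<kind>password|secret) (?P<type>\d+) \S+$"
)
PRIVILEGE_RE = re.compile(
    r"^privilege (?P<mode>\S+)(?P<all> all)? level (?P<level>\d+) (?P<cmd>.+)$"
)
VTY_RE = re.compile(r"^line (vty \d+ \d+)$")

# Constructed sample: one full admin, a level-3 auditor as in the post above,
# a level-5 helpdesk user with show running-config granted, and a default
# level-1 user stored with a reversible password.
SAMPLE_CONFIG = """\
hostname edge-sw1
!
username admin privilege 15 secret 5 $1$PLACEHOLDER
username auditor privilege 3 secret 5 $1$PLACEHOLDER
username helpdesk privilege 5 password 7 PLACEHOLDERHASH
username guest password 0 PLACEHOLDER
!
privilege exec level 3 show startup-config
privilege exec level 5 show
privilege exec level 5 show running-config
!
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 password 7 PLACEHOLDERHASH
 login
"""


@dataclass(frozen=True)
class LocalUser:
    name: str
    level: int        # IOS defaults to 1 when "privilege" is omitted
    reversible: bool  # "password" (type 0/7) is reversible; "secret" is hashed


@dataclass(frozen=True)
class Grant:
    mode: str         # exec, configure, ...
    level: int
    command: str
    include_sub: bool  # "privilege exec all level N cmd" moves subcommands too


def parse_config(text):
    """Return (users, grants, vtys); vtys is a list of (name, login_local)."""
    users, grants, vtys = [], [], []
    in_vty = False
    for line in text.splitlines():
        line = line.rstrip()
        m = USERNAME_RE.match(line)
        if m:
            users.append(LocalUser(m["name"], int(m["level"] or 1), m["kind"] == "password"))
            continue
        m = PRIVILEGE_RE.match(line)
        if m:
            grants.append(Grant(m["mode"], int(m["level"]), m["cmd"], m["all"] is not None))
            continue
        m = VTY_RE.match(line)
        if m:
            vtys.append([m.group(1), False])
            in_vty = True
            continue
        if in_vty and line.startswith(" "):   # indented line inside the vty block
            if line.strip() == "login local":
                vtys[-1][1] = True
            continue
        in_vty = False                         # any other top-level line ends the block
    return users, grants, [tuple(v) for v in vtys]


def commands_for_level(level, grants):
    """Explicitly reassigned commands a user at `level` may run: IOS makes a
    command placed at level N available at every level >= N."""
    return sorted(g.command for g in grants if g.level <= level)


def audit(text):
    """Human-readable findings for the config text."""
    users, grants, vtys = parse_config(text)
    findings = []
    for name, login_local in vtys:
        if not login_local:
            findings.append(f"line {name}: no 'login local', per-user privilege levels do not apply here")
    for u in users:
        if u.reversible:
            findings.append(f"user {u.name}: stored with 'password' (reversible); use 'secret'")
        if u.level >= 15:
            findings.append(f"user {u.name}: privilege 15, full configuration access")
        else:
            cmds = commands_for_level(u.level, grants)
            findings.append(f"user {u.name}: privilege {u.level}, reassigned commands: {', '.join(cmds) or 'none'}")
            if "show running-config" in cmds:
                findings.append(f"user {u.name}: 'show running-config' below level 15 shows only commands that level may use")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of "show running-config" saved to a file (replace SAMPLE_CONFIG with the file contents); the auditor account in the sample comes out with exactly "show startup-config" reassigned, which is the read-only arrangement the post above describes.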
