Cisco privilege levels

pweinhold
Level 1

I'd like to give some of my users the ability to see the running config (show run) but at the same time restrict them from doing any config changes. I'd thought I might set their privilege level at something more than 1, but less than 15, but I can't find any documentation regarding privilege levels 2-14.

Or am I misunderstanding how the privilege levels are used? For levels 2-14, are they assigned per command, not to a group of users?

8 Replies

Collin Clark
VIP Alumni

A show run is difficult because of the other levels involved. Here's a doc that explains it well. Just shout if you need some help setting it up.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml

My testing of this issue is being hampered by our configuration on the vty lines. When we apply our standard config, we set privilege level 15 on the vty lines:

line vty 0 15
 privilege level 15

The problem is that when I create a user at a certain privilege level below that and the user accesses the switch via the vty lines, he is automatically granted level 15. Then, when I remove that command from the vty lines, all users who access via the vty lines are set at regular user level, regardless of the privilege level set on their local user account.

Why is that? Are we configuring the vty lines wrong? How can I configure the vty lines so that they recognize the privilege levels set on the local user accounts?

You'll have to use AAA as jgambhir suggested.

Collin,

Thanks for the input. So, if I want a user to be able to see the running config (show run) I would configure a local user account at a certain privilege level, then set the "show run" command at the same privilege level, correct? In the Cisco documentation you referenced, this is what they did for user 6.

Hi,

Yes, right... and if you don't want the user to execute some other show command, you have to change them to a privilege higher than the one from your local user, because most show commands are in level 1 so will be inherited by every privilege.

Regards

Please rate helpful posts

Jagdeep Gambhir
Level 10

What you are trying to achieve is possible using tacacs server.

Please see this link,

http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards,

~JG

Do rate helpful posts
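
A minimal local-AAA configuration for the setup discussed in this thread, added here as an example and not taken from any poster or from the linked Cisco documents. The usernames `netadmin` and `viewer`, privilege level 6 and the password placeholders are assumptions, and it uses the local user database rather than the TACACS+ server in the linked example.

```cisco
! Before (from the thread): every vty session is forced to level 15,
! regardless of the level set on the local user account.
!   line vty 0 15
!    privilege level 15
!
! After: let AAA assign the level stored with each local username.
aaa new-model
aaa authentication login default local
! Exec authorization is what applies the per-user privilege level at login.
aaa authorization exec default local
!
! Hypothetical accounts. Keep one level 15 account so administrators
! are not locked out once the line-level "privilege level 15" is removed.
username netadmin privilege 15 secret <REPLACE-WITH-ADMIN-PASSWORD>
username viewer privilege 6 secret <REPLACE-WITH-VIEWER-PASSWORD>
!
! Move "show running-config" from its default level 15 down to level 6.
! Level 6 is an arbitrary choice between 2 and 14.
privilege exec level 6 show running-config
!
line vty 0 15
 no privilege level
 login authentication default
```

After logging in as the test user, `show privilege` confirms the assigned level. On IOS, `show running-config` below level 15 lists only the configuration commands that level is allowed to change, so expect partial output.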
