user login control on switches

We are setting up a local username database on the switches, and would like to separate the admin users into 2 groups: one group has access to the enable mode (EXEC privilege), while the other group cannot, and can only do 'show' commands like 'sh interface', 'sh logg' etc. for troubleshooting purposes.


Is there a way to disable the 'enable' command for the second group of admin users?  We want that for the 2nd group of admin users, even if they find out the enable password, there is no way to enter the EXEC privilege mode.


Thanks.

Reza Sharifi Tue, 01/19/2010 - 12:58
Hello Benny,


You can configure something like this:


username joe privilege 3 password joe

privilege exec level 3 show


This way they can do all the show commands and not make any config changes.


HTH

Reza

Reza,


Thanks for your reply.


My question is, with your solution, the user will be able to do only the show commands when they do 'enable 2 xxxxxx' to log in at privilege level 2.


But if they somehow discover the enable password (for privilege 15), they can just do 'enable xxxxxx' and still log in to privilege 15. Right?


So, I would like to see if there is a way that if a user logs in to the User privilege mode, they will not be able to type 'enable' at all.  This way, even if they find out the enable password, they will not be able to log in to privilege 15 when they log in using their username and password.


Thanks.

Ganesh Hariharan Tue, 01/19/2010 - 21:56
Hi Benny,


When you log in to a Cisco router under the default configuration, you're in user EXEC mode (level 1). From this mode, you have access to some information about the router, such as the status of interfaces, and you can view routes in the routing table. However, you can't make any changes or view the running configuration file.


For your query, you can assign them privilege level 3 and configure this command on your router so that only a particular privilege level can see the command. Here is the example.


privilege exec level 1 enable
privilege exec level 1 telnet
privilege exec level 1 tunnel
privilege exec level 1 clear
privilege exec level 1 login


With the above example, only privilege level 1 users can view enable, telnet, tunnel; the level below, that is level 0, can't see the above commands on the router.


Hope that clears out your query!!


If helpful do rate the valuable post.


Regards

Ganesh.H
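Putting the two replies together, as an added example (not config posted in this thread): a local database where the troubleshooting account logs in at level 3 with show access, and the 'enable' command itself is moved to level 15 so that account never sees it. Account names, passwords and the line settings are constructed placeholders, and the example assumes 'login local' without AAA (with 'aaa new-model', 'aaa authorization exec default local' is needed for the username privilege to apply).

```text
! Constructed example, not configuration from this thread.
!
! --- Weak: the troubleshooting account is still one guessed enable
! --- password away from level 15, because 'enable' is reachable at level 3.
username ro-admin   privilege 3  secret <ro-password>
username full-admin privilege 15 secret <admin-password>
enable secret <enable-password>
privilege exec level 3 show
!
! --- Hardened: 'enable' is moved to level 15, so a level-3 login cannot
! --- invoke it at all; level-15 accounts land directly at 15 via 'login local'
! --- and do not need the command. Keep at least one level-15 local account
! --- reachable from the console, or this locks administrators out.
privilege exec level 15 enable
privilege exec level 3 show
! 'show running-config' and 'show startup-config' stay at level 15 unless
! moved explicitly, so the read-only account cannot read the config.
!
! Log successful and failed logins so use of the accounts is auditable.
login on-failure log
login on-success log
!
line vty 0 15
 login local
 transport input ssh
line con 0
 login local
```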

Ganesh Hariharan Tue, 01/19/2010 - 22:02
I am sorry, I don't know how it has posted three posts for the same thread.


Regards

Ganesh.H
