We have multiple sites but we now have the added risk of multiple admins on our routers and switches.
What we would like to do is have a master local password & enable password (encrypted of course) on each device which would only ever be used in dire emergencies and hopefully never. Basically, it would be tucked away.
We would then like to use TACACS via active directory for day to day logging on and configuration so that we can easily add and remove users remotely. We have this running at the moment.
Obviously, when the TACACS users log on, they will see the encrypted privilege 15 secret, which I know is not too hard to decrypt with various tools if you are determined.
But what we would like to try and do is prevent those users from doing a write erase or adding/removing the local users. Basically, to stop us being locked out of the device.
Can this be done using a lesser privilege level and if so how?
Below is a link that covers details about privilege configuration:
Hope it helps.
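As an added illustration of the approach the question is asking about (this is example configuration, not part of the original post or the linked document), the Cisco IOS fragment below keeps a local emergency account at privilege 15, lands the day-to-day TACACS+ users at a custom privilege level 7 that cannot run `write erase` or change `username` entries, and turns on per-command authorization so the TACACS+ server can deny individual commands as well. The server name, address, group name, level number and the `<...>` placeholders are assumptions for the example; the command sets that actually deny `write erase` and `username` on the server side are defined on the TACACS+ server and are not shown here.

```cisco
! --- Emergency local access (kept out of day-to-day use) ---
! Placeholders: replace before use. The enable secret is what TACACS
! users can read in the config, so keep them below level 15 and do not
! grant them 'show running-config' unless you accept that exposure.
service password-encryption
enable secret <EMERGENCY_ENABLE_SECRET>
username emergency privilege 15 secret <EMERGENCY_USER_SECRET>

! --- Custom privilege level 7 for routine work ---
! Only the commands moved down to level 7 become available there;
! 'write erase', 'erase', 'username' and 'reload' stay at their
! default level 15 and are therefore not runnable from level 7.
privilege exec level 7 configure terminal
privilege configure level 7 interface
privilege interface level 7 description
privilege interface level 7 ip address
privilege interface level 7 shutdown
privilege exec level 7 show interfaces
privilege exec level 7 show ip interface brief
privilege exec level 7 write memory
! Needed if someone has to 'enable 7' manually when the TACACS+ server
! is unreachable; normally the server returns priv-lvl=7 on login.
enable secret level 7 <LEVEL7_ENABLE_SECRET>

! --- AAA via TACACS+ with local fallback ---
aaa new-model
tacacs server TAC1
 address ipv4 192.0.2.10
 key <TACACS_SHARED_KEY>
aaa group server tacacs+ TACGRP
 server name TAC1
! 'local' is consulted only when no TACACS+ server answers, which is
! when the emergency account is meant to be used.
aaa authentication login default group TACGRP local
aaa authentication enable default group TACGRP enable
! Exec authorization lets the server assign priv-lvl=7 to AD users.
aaa authorization exec default group TACGRP local
! Per-command authorization: the server can deny 'write erase',
! 'username', 'no username' etc. per user or group. Both levels are
! listed because the level refers to the command, not the user.
aaa authorization commands 7 default group TACGRP if-authenticated
aaa authorization commands 15 default group TACGRP if-authenticated
! Without this, commands typed inside config mode are not authorized.
aaa authorization config-commands
! Accounting gives an audit trail of who ran what.
aaa accounting commands 7 default start-stop group TACGRP
aaa accounting commands 15 default start-stop group TACGRP
aaa accounting exec default start-stop group TACGRP

line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 7 default
 authorization commands 15 default
 transport input ssh
```

The two mechanisms complement each other: the privilege level is enforced on the device even if the TACACS+ server is down, while the server-side command sets give finer control (for example, allowing `show running-config` to a helpdesk group but denying it to contractors). Verify the result with `show privilege` after logging in as a TACACS+ user, then try `write erase` and `configure terminal` followed by `username test privilege 15 secret x`; both should be refused with a command-authorization or privilege error. Also confirm the emergency account still works with the TACACS+ server unreachable before relying on it.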