Privilege levels?

Answered Question
Sep 16th, 2014

We have multiple sites but we now have the added risk of multiple admins on our routers and switches.

What we would like to do is have a master local password & enable password (encrypted of course) on each device which would only ever be used in dire emergencies and hopefully never. Basically, it would be tucked away.

We would then like to use TACACS via Active Directory for day-to-day logging on and configuration so that we can easily add and remove users remotely. We have this running at the moment.
Obviously, when the TACACS users log on, they will see the encrypted privilege 15 secret, which I know is not too hard to decrypt with various tools if you are determined.

But what we would like to try and do, is prevent those users doing a write erase or adding/removing the local users. Basically to stop us being locked out of the device.

Can this be done using a lesser privilege level and if so how?

regards,

Louis

Correct Answer by Jose Solano about 2 years 11 months ago

Hi,

Below is a link that covers details about privilege configuration:

http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-c...

Hope it helps.

Overall Rating: 5 (1 ratings)
louis0001 Tue, 09/16/2014 - 22:45

Thank you. Looking at the line below, I guess I will try level 14 to see what that yields and then take it from there. Very good and simple article.

  • User poweruser is able to Telnet in and execute the show run command. This user is at level 15, and is able to see all commands. All commands are at or below level 15; users at this level can also view and control usernames and passwords.
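One way to check a custom level such as the level 14 discussed in this thread is to audit a saved running-config for `privilege` lines that move the commands the original question wants protected below level 15. This is an added example, not code from the thread or the linked Cisco article; the watch list, the function name `audit_privilege_lines` and the sample config are assumptions made for illustration.

```python
import re

# Assumed watch list (not from the thread or the linked article): commands
# the poster wants kept at level 15, keyed by the IOS mode they belong to.
SENSITIVE = {
    "exec": ["write erase", "erase"],
    "configure": ["username", "enable secret"],
}

# Running-config form: privilege <mode> [all] level <n> <command-string>
PRIV_RE = re.compile(r"^\s*privilege\s+(\S+)\s+(all\s+)?level\s+(\d+)\s+(.+?)\s*$")

def audit_privilege_lines(config_text, floor=15):
    """Return (line_no, level, mode, command, reason) for each privilege
    line that makes a watched command reachable below `floor`."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = PRIV_RE.match(line)
        if not m:
            continue  # non-privilege lines and the 'reset' form
        mode, has_all, level = m.group(1), bool(m.group(2)), int(m.group(3))
        cmd = m.group(4).lower().split()
        if level >= floor:
            continue
        for watched in SENSITIVE.get(mode, []):
            w = watched.split()
            if cmd[:len(w)] == w:            # the watched command itself
                reason = f"lowers '{watched}'"
            elif has_all and w[:len(cmd)] == cmd:  # 'all' includes sub-commands
                reason = f"'all' covers '{watched}'"
            else:
                continue
            findings.append((no, level, mode, " ".join(cmd), reason))
    return findings

# Constructed sample for illustration, not taken from a real device.
SAMPLE = """\
privilege exec level 14 configure terminal
privilege configure level 14 interface
privilege exec all level 14 write
privilege configure level 14 username
privilege exec level 15 write erase
privilege exec reset erase
"""

if __name__ == "__main__":
    for finding in audit_privilege_lines(SAMPLE):
        print(finding)
```

On the constructed sample, the audit reports the `all`-scoped `write` line and the lowered `username` line, and ignores the lines that only open configuration access to level 14.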

 
