
Privilege levels?

louis0001
Level 3

We have multiple sites but we now have the added risk of multiple admins on our routers and switches.

What we would like to do is have a master local password & enable password (encrypted of course) on each device which would only ever be used in dire emergencies and hopefully never. Basically, it would be tucked away.

We would then like to use TACACS via Active Directory for day to day logging on and configuration so that we can easily add and remove users remotely. We have this running at the moment.
Obviously, when the TACACS users log on, they will see the encrypted privilege 15 secret which I know is not too hard to decrypt with various tools if you are determined.

But what we would like to try and do, is prevent those users doing a write erase or adding/removing the local users. Basically to stop us being locked out of the device.

Can this be done using a lesser privilege level and if so how?

 

regards,

Louis

Accepted Solutions

Jose Solano
Level 4

Hi,

 

Below is a link that covers details about privilege configuration:

 

http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/23383-showrun.html

 

Hope it helps.


2 Replies

Thank you. Looking at the line below, I guess I will try level 14 to see what that yields and then take it from there. Very good and simple article.

  • User poweruser is able to Telnet in and execute the show run command. This user is at level 15, and is able to see all commands. All commands are at or below level 15; users at this level can also view and control usernames and passwords.
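
An added example, not part of the thread or of the linked Cisco document: one way the setup asked about in the question could look in IOS configuration, with day-to-day admins at level 14 and the local account kept for emergencies. The account name `emergency`, the placeholder secrets, the choice of delegated commands and the TACACS+ profile returning `priv-lvl=14` are all assumptions.

```cisco
! Constructed example. Names and secrets are placeholders, not values from the thread.
!
! TACACS+ first; the local database is consulted only when the
! TACACS+ servers do not respond, which keeps the local account
! for emergencies only.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Emergency account and enable secret, stored away and not used day to day.
username emergency privilege 15 secret <EMERGENCY-SECRET>
enable secret <ENABLE-SECRET>
!
! Commands delegated to level 14. The TACACS+ user profile is assumed
! to return priv-lvl=14 during exec authorization.
privilege exec level 14 configure terminal
privilege exec level 14 show running-config
privilege configure all level 14 interface
!
! Deliberately NOT lowered, so they remain at their default level 15:
!   username ...                         (global configuration)
!   enable secret ...                    (global configuration)
!   write erase / erase startup-config   (exec)
!
! Check from a test login before relying on it:
!   show privilege          <- should report level 14
!   show running-config     <- lists only what level 14 is allowed to modify
```

Only the commands explicitly moved down are available to level 14, so anything else those admins need has to be added with further `privilege` lines and checked again from a level 14 session.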
