Cisco Support Community
Community Member

AAA on 3660

Is it possible to have a local user only have authorization to a certain set of commands?

I want user x to have access to only:


configure terminal


alias static

no alias static

write memory

Is this possible?

Cisco Employee

Re: AAA on 3660

Yes, this is possible using the methods described here, with command authorization and assigning the correct privilege level to these users.



Community Member

Re: AAA on 3660

I don't have a CCO account, so I can't read those webpages.

I made a user and assigned him to level 0, then I enter this command:

privilege exec level 0 show gatekeeper endpoints

I write to memory and log back in and the user can still do everything. What am I doing wrong?

Cisco Employee

Re: AAA on 3660

Here's some more info with config example.

aaa new-model

aaa authentication login default [group] local

aaa authorization exec default [group] local

Make sure to create the local user database as follows:

username abc privilege 0 password abc

username xyz privilege 1 password xyz

username special privilege 5 password special

username superuser privilege 15 password super

With the above setup, user abc can execute only disable, enable, exit, help, and logout commands.

User xyz can execute all the level 0 and level 1 commands.

User superuser can execute all the commands on the router.

On the router these are the 3 levels of default commands:

- privilege level 0 — includes the disable, enable, exit, help, and logout commands

- privilege level 1 — normal level on Telnet; includes all user-level commands at the router> prompt

- privilege level 15 — includes all enable-level commands at the router#


Now based on your requirement, you can create a priv level between 2-14 and assign any priv level 15 commands (level 0 and 1 would be inherited by default). Here is an example:

With this, user six is only able to execute all the level 0 & 1 commands. If the user needs to execute "config t" on the router, he has to add the following line to add this level 15 command to level 6.

privilege exec level 5 configure terminal

privilege exec level 5 gatekeeper

privilege exec level 5 write memory
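An added example, not part of the thread and not Cisco tooling: a Python audit of a saved configuration that lists which commands reassigned by `privilege` lines each local user can reach, and warns when `username ... privilege` lines appear without the `aaa` lines from the reply above. The function name `audit_privileges`, the sample config, and the warning rule (that those `aaa` lines are needed for the per-user level to apply at login) are assumptions of this example.

```python
import re

# Constructed sample config, modelled on the lines quoted in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username abc privilege 0 password abc
username xyz privilege 1 password xyz
username special privilege 5 password special
username superuser privilege 15 password super
privilege exec level 5 configure terminal
privilege exec level 5 gatekeeper
privilege exec level 5 write memory
"""

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")
PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+)$")


def audit_privileges(config_text):
    """Return (access, warnings). access maps each user to the commands that
    'privilege' lines moved to a level at or below the user's own level.
    The built-in level 0/1/15 command sets are not modelled."""
    users, moved, seen = {}, [], set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := USER_RE.match(line):
            users[m.group(1)] = int(m.group(2))
        elif m := PRIV_RE.match(line):
            moved.append((int(m.group(2)), m.group(1), m.group(3).strip()))
        elif line == "aaa new-model" or line.startswith("aaa authorization exec "):
            seen.add(" ".join(line.split()[:3]))
    # Lower levels are inherited: a level 5 user also gets commands moved to 0..4.
    access = {
        user: sorted(f"{mode}: {cmd}" for lvl, mode, cmd in moved if lvl <= level)
        for user, level in users.items()
    }
    warnings = [
        f"username privilege lines present but no '{needed}' line"
        for needed in ("aaa new-model", "aaa authorization exec")
        if users and needed not in seen
    ]
    return access, warnings


if __name__ == "__main__":
    print(audit_privileges(SAMPLE_CONFIG))
```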


