Cisco Support Community
New Member

Cisco privilege levels

I'd like to give some of my users the ability to see the running config (show run) but at the same time restrict them from doing any config changes. I'd thought I might set their privilege level at something more than 1, but less than 15, but I can't find any documentation regarding privilege levels 2-14.

Or am I misunderstanding how the privilege levels are used? For levels 2-14, are they assigned per command, not to a group of users?

8 REPLIES

Re: Cisco privilege levels

A show run is difficult because of the other levels involved. Here's a doc that explains it well. Just shout if you need some help setting it up.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml

New Member

Re: Cisco privilege levels

My testing of this issue is being hampered by our configuration on the vty lines. When we apply our standard config, we set privilege level 15 on the vty lines:

line vty 0 15
 privilege level 15

The problem is that when I create a user at a certain privilege level below that and the user accesses the switch via the vty lines, he is automatically granted level 15. Then, when I remove that command from the vty lines, all users who access via the vty lines are set at regular user level, regardless of the privilege level set on their local user account.

Why is that? Are we configuring the vty lines wrong? How can I configure the vty lines so that they recognize the privilege levels set on the local user accounts?

Re: Cisco privilege levels

You'll have to use AAA as jgambhir suggested.

New Member

Re: Cisco privilege levels

Collin,

Thanks for the input. So, if I want a user to be able to see the running config (show run) I would configure a local user account at a certain privilege level, then set the "show run" command at the same privilege level, correct? In the Cisco documentation you referenced, this is what they did for user 6.

New Member

Re: Cisco privilege levels

Hi,

Yes, right... and if you don't want the user to execute some other show command, you have to change them to a privilege higher than the one from your local user, because most show commands are in level 1 so will be inherited by every privilege.

Regards

Please rate helpful posts
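
The setup discussed in the replies above, as an added IOS configuration example that is not part of any post in this thread: local AAA applies the privilege level stored on each username instead of the level forced on the vty lines. The account names `viewer` and `netadmin`, level 6 and the secrets are placeholders chosen for illustration.

```cisco
! Constructed example: usernames, level 6 and secrets are placeholders.
!
! Before (from the thread): every vty session lands at level 15,
! whatever level the local account carries.
!   line vty 0 15
!    privilege level 15
!
! After: local AAA authenticates the login and authorizes the exec
! session, so the privilege level on the username is what the user gets.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! Read-only account at an intermediate level.
username viewer privilege 6 secret <PLACEHOLDER-SECRET>
! Keep a full-privilege account so the change cannot lock you out.
username netadmin privilege 15 secret <PLACEHOLDER-SECRET>
!
! Lower the command from level 15 to the viewer's level.
privilege exec level 6 show running-config
!
line vty 0 15
 no privilege level 15
 login authentication default
```

Log in as the read-only account and run `show privilege` and `show running-config` to confirm the result: below level 15, IOS prints only the parts of the running config that the level is allowed to modify, which is why the first reply calls `show run` difficult.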

Re: Cisco privilege levels

What you are trying to achieve is possible using a TACACS server.

Please see this link,

http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

Regards,

~JG

Do rate helpful posts
