
New Member

Two different "enable secret level 15" for console-access?


We are using tacacs during normal operation, but we want to be able to have two console passwords for troubleshooting if connectivity is lost.

In many cases we are not onsite in case of an error, and in such a situation we want to give temporary access to any other person (e.g. the customer technician or any other technician of our enterprise who drives to the customer). This specific password will be changed afterwards, but we do not want to give this person our own console-password, which is the same on all boxes, else we would need to change our password every week on every box.

Is there any solution for having two different passwords with completely full authorization (full rights) without connectivity to a tacacs-server?



  • AAA Identity and NAC

Re: Two different "enable secret level 15" for console-access?

If you are using aaa new-model for authenticating users on the cisco box, you can define a user with level 15 access with the user command:

username test-user privilege 15 password ...

Then you can modify the aaa authentication command to check first the tacacs server then the local username database in case the tacacs server is unreachable:

aaa authentication login default group tacacs+ local

As long as the tacacs server is reachable the local password is not checked, so all logins are authenticated by the server.

New Member

Re: Two different "enable secret level 15" for console-access?

This is also what I thought, but at the moment I have the problem that if I enter the following config-commands I do not automatically enter privilege level 15 after the login. So the user still needs an enable-password for getting privilege 15.

aaa authentication login console local

aaa authorization exec console local

username test privilege 15 password test

line con 0

authorization exec console

login authentication console

The user test still gets only the privilege-level 1 and not 15. So the user test still needs my enable secret password for level 15-commands which is not what I wanted.
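An added example (not part of the thread and not Cisco code): a small Python check covering both configurations discussed above, the `group tacacs+ local` fallback from the first reply and the console method lists from the last post. It relies on the IOS behaviour that exec authorization is not applied on the console unless the global `aaa authorization console` command is present; the function name `audit_console_aaa` and the sample config are constructed for illustration.

```python
import re

# Constructed sample: the console configuration from the last post, as one config.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login console local
aaa authorization exec console local
username test privilege 15 password test
line con 0
 authorization exec console
 login authentication console
line vty 0 4
 login authentication default
"""

def audit_console_aaa(config):
    """Return findings on console login fallback and console exec authorization."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    authn, authz, findings = {}, {}, []
    # Method lists used by 'line con 0'; IOS uses 'default' unless overridden.
    con = {"login authentication": "default", "authorization exec": "default"}
    in_con = False
    for ln in lines:
        if ln.startswith("line "):
            in_con = ln == "line con 0"
        elif m := re.match(r"aaa (authentication login|authorization exec) (\S+) (.+)", ln):
            target = authn if m.group(1).startswith("authentication") else authz
            target[m.group(2)] = m.group(3).split()
        elif m := re.match(r"username (\S+) privilege 15 password\b", ln):
            # 'password' is stored in clear text or reversible type 7; 'secret' is hashed.
            findings.append(f"user {m.group(1)}: level 15 stored with 'password', use 'secret'")
        elif in_con and (m := re.match(r"(login authentication|authorization exec) (\S+)", ln)):
            con[m.group(1)] = m.group(2)
    login_list = con["login authentication"]
    if not {"local", "local-case"} & set(authn.get(login_list, [])):
        findings.append(f"console login list '{login_list}' is undefined or lacks 'local'")
    exec_list = con["authorization exec"]
    if exec_list in authz and "aaa authorization console" not in lines:
        findings.append(f"console exec list '{exec_list}' is ignored: "
                        "'aaa authorization console' is not configured")
    return findings

if __name__ == "__main__":
    for finding in audit_console_aaa(SAMPLE_CONFIG):
        print(finding)
```

Run against the posted console configuration, it reports the `password` storage of the level 15 user and the missing global `aaa authorization console`, which matches the symptom of landing at privilege level 1.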


