I work in a facility that has some strict access control requirements. I am looking for a way to log into a Cisco router that requires two usernames and passwords to access the privilege level. Does anyone know of any way to do this? I can't seem to find anything that could do this.
Thanks for you reply. I'm not sure it's exactly what I'm looking for. Perhaps I should give an example to clarify:
-A user connects to the router or switch, by vty or console.
-The user enters his username and password (i.e. 'user1' and 'pass1')
-At this point the user can do regular commands that are allowed for the exec level, but not privileged level commands.
-When the user wants to switch to privileged exec mode, he should not be able to do this himself. He should require another user login as well (i.e. 'user2' and 'pass2'). Then privileged level access is allowed.
-The reverse is also true. If user2 logs in, he does not have privileged level access and requires user1 to also log in.
The above situation requires that two people must agree before privileged level is reached. It is like requiring two people to agree before launching a nuclear missile, etc. As I mentioned, our access control requirements are very strict.
Ok,here's how you can setup privilege levels for different users,
aaa authentication login default [group] local
aaa authorization exec default [group] local
Make sure to create the local user database as follows:
username abc privilege 0 password abc
username xyz privilege 1 password xyz
username special privilege 5 password special
username superuser privilege 15 password super
With the above setup, user abc can execute only disable, enable, exit, help, and logout commands.
User xyz can execute all the level 0 and level 1 commands.
User superuser can execute all the commands on the router.
On the router these are the 3 level of default commands:
-privilege level 0 includes the disable, enable, exit, help, and logout commands
- privilege level 1 normal level on Telnet; includes all user-level commands at the router> prompt
- privilege level 15 includes all enable-level commands at the router#
Now based on your requirement, you can create a priv level bewteen 2-14 and assign any priv level 15 commands (level 0 and 1 would be inherited by default). Here is an example:
With this, user six is only able to execute all the level 0 & 1 commands. If the user need to execute "config t" on the router, he has to add the following line to add this level 15 commans to level 6.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :