Cisco Support Community
New Member

user login control on switches

We are setting up a local username database on the switches, and would like to separate the admin users into 2 groups: one group has access to the enable mode (EXEC privilege), while the other group does not, and can only do 'show' commands like 'sh interface', 'sh logg', etc. for troubleshooting purposes.

Is there a way to disable the 'enable' command for the second group of admin users? We want the 2nd group of admin users to have no way to enter the EXEC privilege mode, even if they find out the enable password.

Thanks.

6 REPLIES
VIP Super Bronze

Re: user login control on switches

Hello Benny,

You can configure something like this:

username joe privilege 3 password joe

privilege exec level 3 show

This way they can do all the show commands and not make any config changes.

HTH

Reza

New Member

Re: user login control on switches

Reza,

Thanks for your reply.

My question is, with your solution, the user will be able to do only the show commands when they do 'enable 2 xxxxxx' to log in at privilege 2 level.

But if they somehow discover the enable password (for privilege 15), they can just do 'enable xxxxxx' and still log in to privilege 15. Right?

So, I would like to see if there is a way that if a user logs in to the User privilege mode, they will not be able to type 'enable' at all. This way, even if they find out the enable password, they will not be able to log in to privilege 15 when they log in using their username and password.

Thanks.

Re: user login control on switches

Hi Benny,

When you log in to a Cisco router under the default configuration, you're in user EXEC mode (level 1). From this mode, you have access to some information about the router, such as the status of interfaces, and you can view routes in the routing table. However, you can't make any changes or view the running configuration file.

For your query, you can assign them privilege level 3 and configure this command in your router so that only a particular privilege level can see this command in the router. Here is the example.

privilege exec level 1 enable
privilege exec level 1 telnet
privilege exec level 1 tunnel
privilege exec level 1 clear
privilege exec level 1 login

With the above example, only privilege level 1 users can view enable, telnet, tunnel; only the level below, that is level 0, can't see the above commands in routers.

Hope that clears up your query!

If helpful do rate the valuable post.

Regards

Ganesh.H
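
An added example, not part of any post in this thread: a small Python audit that reads local-user and "privilege exec level" lines and lists the users below level 15 whose login level still lets them type 'enable'. It assumes a session may run a command when its level is at least the command's assigned level, that 'enable' sits at level 0 unless moved, and that a username without a privilege keyword logs in at level 1; the sample configs (including the level 15 variant and the user 'admin') are constructed, and the result should be confirmed on the target platform.

```python
import re

# Assumption: a session can run a command when session level >= command level.
DEFAULT_ENABLE_LEVEL = 0  # assumption: 'enable' is a level 0 command unless moved

USER_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?\b")
PRIV_RE = re.compile(r"^privilege\s+exec\s+level\s+(\d+)\s+(.+)$")

def parse(config):
    """Return ({user: login level}, {exec command: required level})."""
    users, cmd_levels = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = int(m.group(2) or 1)  # no keyword: level 1
            continue
        m = PRIV_RE.match(line)
        if m:
            cmd_levels[m.group(2).strip()] = int(m.group(1))
    return users, cmd_levels

def enable_reachable(config):
    """Users below level 15 who can still invoke 'enable' after login."""
    users, cmd_levels = parse(config)
    needed = cmd_levels.get("enable", DEFAULT_ENABLE_LEVEL)
    return sorted(u for u, lvl in users.items() if needed <= lvl < 15)

# Constructed sample: the two lines from the first reply.
FIRST_REPLY = """
username joe privilege 3 password joe
privilege exec level 3 show
"""

# Constructed sample: the same user plus the 'level 1 enable' line from the second reply.
SECOND_REPLY = FIRST_REPLY + "privilege exec level 1 enable\n"

# Constructed variant (hypothetical): 'enable' assigned above the restricted
# user's level, with a separate account that logs in directly at level 15.
VARIANT = """
username admin privilege 15 password <placeholder>
username joe privilege 3 password joe
privilege exec level 3 show
privilege exec level 15 enable
"""

if __name__ == "__main__":
    for name, cfg in (("first reply", FIRST_REPLY),
                      ("second reply", SECOND_REPLY),
                      ("variant", VARIANT)):
        print(name, "->", enable_reachable(cfg))
```

Under these assumptions both posted configurations leave 'joe' able to invoke 'enable', which is the case the original question asks about; only the variant removes the command from his level.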

Re: user login control on switches

I am sorry, I don't know how it posted three posts for the same thread.

Regards

Ganesh.H
