
USERS on a router

a.shaukat
Level 1

I want to allow 2 users with view-only privileges.. or allow ping at most...

How do I do that..

These users will connect via telnet ..

I created the user with 0 level privilege ..

But how do I get the router to ask for the username ..

Right now if I telnet the router it asks for a password and brings me to the enable prompt....

Any help....???


mohammedmahmoud
Level 11

Hi,

You'll need:

    username xxxx privilege x password xxxxxx
    privilege exec all level x show
    line vty 0 4
     login local

NOTE: The user will be able to do any show, except "show running-config".

HTH,

Mohammed Mahmoud.

Hi Mahmoud.. how r u. Nice to see u again..

Yea, I figured that out ..

I set privilege 3 on that user with the show and ping commands.. also on the vty lines I set login local..

Now that has the router prompting for the username and password the way I wanted...

But now is there any way that I can use the enable password ?? Cause it's asking for a username....

Hi,

One more thing I was wondering

I have vty lines from 0 4 set with login

and vty lines 5 15 set with login local

When I telnet to this router I am telneting to vty lines 0 4, right ???

Is there any way that I can have a user telnet to the 5 to 15 vty lines and have them prompted for a username.

    line vty 0 4
     privilege level 15
     password 7 154656776867E
     login
     transport input telnet
    line vty 5 15
     privilege level 15
     login local
     transport input telnet

Hi Atif,

Nice to c u back :)

You can make use of the access-class command to restrict access to your router and tell the router which IP is authorized to access which vty:

    access-list 2 permit x.x.x.x
    line vty 0 4
     access-class 2 in

Where x.x.x.x is the IP which you need to allow on vty 0 4.

HTH,

Mohammed Mahmoud.

Hmmm ok

I'll keep the vty line 5 15 on "login" instead of "login local" with the "access-class" command for MY IP so that I can use that for administrative purposes (using the enable password).

And I'll keep vty lines 0 4 on "login local" so that anyone else connecting should get the username and password prompt.

Just one quick thing ... after all the above, when I connect from MY IP, will it check the ACL and both VTY lines' config before giving me the prompt ??

I'll try it out anyways :p .. thanks again...

Didn't work... :-(

How and when is the line vty 5 15 used ????

Hi Atif,

You are right, it shouldn't work this way; I've overlooked the fact that the router won't use line 5 until lines 0-4 are busy. Let me think about a different method for you.

HTH,

Mohammed Mahmoud.

Hi Atif,

After some trials, I don't think that you can force the router to go for vty line 5 while lines 0-4 are not busy. But let's think outside the box: why would you need this? Why not use "login local" on all the lines, while having 2 privileges, for example 3 and 15?

The use of the ACL under the VTYs, was generally proposed to secure the VTYs and not for the purpose you are trying.

HTH,

Mohammed Mahmoud.

I was thinking that I would keep the enable password for my own use and give the shift administrator the level 3 access...

Instead of creating 2 local accounts I would this way have to only keep 1 account for the shift administrator.. but anyways I guess I'll have to keep login local and create 2 accounts ..

:-) Appreciate the help though.. thanks.

See u later in another issue.. lol

Hi ,

You are very welcome :)

BR,

Mohammed Mahmoud.

Hi,

After digging around, I finally found you a solution :)

    line vty 0 4
     rotary 1
     login local

and telnet to TCP port 3001.

    line vty 5 15
     rotary 2
     password cisco
     login

and telnet to TCP port 3002.

I've tested it and it's fully operational, and you can add the access-list for more security.

HTH,

Mohammed Mahmoud.
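
An added example, not code from the thread or from Cisco: a small Python check over the `line vty` stanzas of a saved running configuration that flags the three things this thread turns on, namely different login methods on different vty ranges with no rotary group to choose between them, `privilege level 15` set on the line itself, and no `access-class`. The sample input is constructed from the configuration posted earlier (password replaced by a placeholder, sub-commands indented as in `show running-config` output), and the finding codes are names chosen for this example.

```python
import re

# Constructed sample: relevant vty lines from the config posted in the thread.
SAMPLE = """\
line vty 0 4
 privilege level 15
 password 7 <placeholder>
 login
line vty 5 15
 privilege level 15
 login local
"""

def parse_vty(config):
    """Return one dict per 'line vty' stanza with the settings audited below."""
    stanzas, cur = [], None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"line vty (\d+)(?: (\d+))?$", line)
        if head:
            first, last = int(head.group(1)), int(head.group(2) or head.group(1))
            cur = {"name": f"vty {first}-{last}", "login": "unset",
                   "privilege": 1, "rotary": None, "acl": None}
            stanzas.append(cur)
        elif line and not raw[0].isspace():
            cur = None  # any other top-level command ends the stanza
        elif cur is not None and line:
            words = line.split()
            if words[0] == "login":  # bare "login" checks the line password
                cur["login"] = " ".join(words[1:]) or "line password"
            elif words[:2] == ["privilege", "level"]:
                cur["privilege"] = int(words[2])
            elif words[0] == "rotary":
                cur["rotary"] = int(words[1])
            elif words[0] == "access-class" and words[-1] == "in":
                cur["acl"] = words[1]
    return stanzas

def audit(config):
    """Return (stanza, code) findings; the codes are made up for this example."""
    stanzas, findings = parse_vty(config), []
    for s in stanzas:
        if s["privilege"] == 15:  # sessions on this line start at level 15
            findings.append((s["name"], "PRIV15"))
        if s["acl"] is None:      # no access-class limiting source addresses
            findings.append((s["name"], "NO_ACL"))
    # Without a rotary group per range, the first free line decides the prompt.
    methods = {s["login"] for s in stanzas}
    if len(methods) > 1 and any(s["rotary"] is None for s in stanzas):
        findings.append(("all vty", "MIXED_LOGIN"))
    return findings
```

Calling `audit(SAMPLE)` reports all three findings for the posted configuration; a configuration that gives each range its own rotary group and an `access-class`, and leaves the line privilege at its default, returns an empty list.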

Can anyone please explain this "Interface Vi2" to me ??

    Dawlance_HO#sh users
    Line User Host Idle Location
    * vty 322 admin idle 00:00:00 172.16.0.2
    Interface User Mode Idle Peer Address
    Vi PPPoE 00:05:32 202.163.110.250

Hi,

Interface Vi2 is called a Virtual-Access interface; it's a dynamically cloned interface from the configured virtual template interface. It is dynamically created when the PPPoE session is to be terminated on this router, to inherit the configuration under the virtual template interface.

Virtual template interfaces can be created and applied by various applications such as Virtual Profiles, virtual private dialup networks (VPDN), PPP over ATM, PPP over Frame Relay, protocol translation, and Multichassis Multilink PPP (MMP).

HTH,

Mohammed Mahmoud.

Thanks Mahmoud

Please do find a way for this ...

Also, is there any way to comment a configuration line, e.g. if I want to disable a line for a while and not delete it..

! is this it ??
