I do not have any ACS server but would like to create 3 usernames for access to a certain list of IOS commands in Cisco IOS ver 12.0 using the AAA model. I tried using the Cisco search engine but without much success. I would appreciate any available tips to help me configure 3 different users with different privileges in the router.
username xxxxx privilege 5 password xxxx
In addition, is there any means in the IOS to facilitate changing of password upon logging into the router?
Here is an example of using 3 separate levels. Make sure you create the usernames first. I like to disable AAA on the console port also, since this is an element of physical security in most cases. If someone has physical access, they can still do a password recovery, but this depends on your security requirements.
You must first log out and then log back into the router after adding the aaa authorization commands 15 default local if-authenticated command.
Syntax may vary somewhat on the AAA commands depending on your version.
! create the local users first, one per privilege level
username rtr_low privilege 1 password xxxxxxx
username rtr_med privilege 5 password xxxxxxx
username rtr_super privilege 15 password xxxxxx
! aaa new-model must be present before any of the aaa commands below take effect
aaa new-model
aaa authentication login default local enable
aaa authentication login NO_AUTHEN none
aaa authorization exec default local if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 NO_AUTHOR none
! command authorization takes a list name ("default" or a named list) before the methods
aaa authorization commands 1 default local if-authenticated
aaa authorization commands 5 default local if-authenticated
aaa authorization commands 15 default local if-authenticated
! console bypasses AAA by binding the "none" lists
line con 0
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 login authentication NO_AUTHEN
Now you have created 3 sets of command authorization for all users. If you notice, priv 15 users will be taken into priv level 15 automatically without having to enable. This is part of EXEC authorization.
Privilege level 1 and 15 commands are already configured in IOS. You will have to set the level of commands for privilege 5 yourself with this command:
privilege exec level 5 <command>
So to change the level of "sh run" from 15 to 5:
privilege exec level 5 show running-config
Use this to custom configure any of your other commands depending on your requirements.
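Added example, not part of the original post: a small Python linter that reads a config fragment in the form used in the answer above and flags the consistency problems a practitioner would check before pasting it into a router: a username whose privilege level has no commands assigned at that level (for example privilege 7 when commands were only moved to 5), a level that holds commands but has no default command-authorization list, and a console login list whose method is none. The sample config, the user and list names, and the check wording are constructed for this example; the checks are purely textual and do not talk to a device.

```python
"""Lint a local-AAA IOS config for privilege-level consistency.

Added example (not from the original post). Assumes the textual forms used
in the answer above: "username NAME privilege N ...", "aaa authorization
commands N LIST ...", "privilege exec level N CMD" and "line con 0" with
space-indented sub-commands. Everything is checked offline from the text.
"""
import re
from typing import Dict, List, Set

# Constructed sample config (not from a real device): the answer's setup, but
# with rtr_med at privilege 7 while commands are only assigned at 1, 5 and 15.
SAMPLE_CONFIG = """\
username rtr_low privilege 1 password xxxxxxx
username rtr_med privilege 7 password xxxxxxx
username rtr_super privilege 15 password xxxxxx
aaa new-model
aaa authentication login default local enable
aaa authentication login NO_AUTHEN none
aaa authorization exec default local if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 NO_AUTHOR none
aaa authorization commands 1 default local if-authenticated
aaa authorization commands 5 default local if-authenticated
aaa authorization commands 15 default local if-authenticated
privilege exec level 5 show running-config
line con 0
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 login authentication NO_AUTHEN
"""

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\s+")
AUTHZ_CMD_RE = re.compile(r"^aaa authorization commands\s+(\d+)\s+(\S+)\s+(.+)$")
LOGIN_LIST_RE = re.compile(r"^aaa authentication login\s+(\S+)\s+(.+)$")
PRIV_EXEC_RE = re.compile(r"^privilege exec level\s+(\d+)\s+(.+)$")
CON_LOGIN_RE = re.compile(r"^login authentication\s+(\S+)$")


def parse_config(config: str) -> dict:
    """Extract users, command-authorization lists, login lists, moved commands
    and the login list bound to the console from the config text."""
    users: Dict[str, int] = {}
    cmd_authz: Dict[int, Set[str]] = {}   # privilege level -> list names
    login_lists: Dict[str, str] = {}      # login list name -> method string
    moved_cmds: Dict[str, int] = {}       # command -> new privilege level
    console_login = "default"             # line con 0 uses "default" unless overridden
    section = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                       # blank line or IOS comment
        if not raw.startswith(" "):
            section = raw.strip()          # top-level command starts a new section
        line = raw.strip()
        if m := USERNAME_RE.match(line):
            users[m.group(1)] = int(m.group(2))
        elif m := AUTHZ_CMD_RE.match(line):
            cmd_authz.setdefault(int(m.group(1)), set()).add(m.group(2))
        elif m := LOGIN_LIST_RE.match(line):
            login_lists[m.group(1)] = m.group(2).strip()
        elif m := PRIV_EXEC_RE.match(line):
            moved_cmds[m.group(2).strip()] = int(m.group(1))
        elif section == "line con 0" and (m := CON_LOGIN_RE.match(line)):
            console_login = m.group(1)
    return {"users": users, "cmd_authz": cmd_authz, "login_lists": login_lists,
            "moved_cmds": moved_cmds, "console_login": console_login}


def lint(config: str) -> List[str]:
    """Return human-readable findings; an empty list means the config is consistent."""
    c = parse_config(config)
    findings: List[str] = []
    # Levels that actually hold commands: 1 and 15 are built in, plus any level a
    # "privilege exec level N" command was moved to.
    command_levels = {1, 15} | set(c["moved_cmds"].values())
    # Check 1: each level holding commands needs a default command-authorization
    # list, or commands at that level are never sent through authorization.
    for lvl in sorted(command_levels):
        if "default" not in c["cmd_authz"].get(lvl, set()):
            findings.append(f"no 'aaa authorization commands {lvl} default ...' list: "
                            f"level-{lvl} commands are not authorized")
    # Check 2: a user at a level with no commands of its own can only run what the
    # next lower populated level can run; usually a typo (e.g. 7 when 5 was meant).
    for name, lvl in sorted(c["users"].items()):
        if lvl not in command_levels:
            lower = max((l for l in command_levels if l < lvl), default=0)
            findings.append(f"user {name} is privilege {lvl} but no commands are "
                            f"assigned at that level (effective command set: level {lower})")
    # Check 3: report when the console login list bypasses AAA with method "none",
    # which the answer does on purpose; make it visible rather than silent.
    method = c["login_lists"].get(c["console_login"])
    if method == "none":
        findings.append(f"line con 0 uses login list {c['console_login']} (none): "
                        f"console login bypasses AAA")
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print("WARN:", f)
```

Run against the constructed sample it reports two findings: rtr_med sits at privilege 7 with no commands at that level (so it effectively gets the level-5 command set), and the console deliberately bypasses AAA. Pasting your own running-config text into SAMPLE_CONFIG, or reading it from a file, is enough to lint a real fragment before applying it.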