Level 14 Privilege Level

Folks,

I want to create a username/password with a privilege level of 14. Creating it is easy enough. It just takes the syntax of 'username cisco privilege 14 password cisco'.

The issue is that I want level 14 to be able to do [almost] anything that the level 15 password can do *except* add/remove/delete/change passwords. At some future point, I might want to restrict some other commands but which other ones are yet to be determined.

I'm not really sure how to go about doing that. Does anyone have any feedback on this? Syntax for the commands would be great if you know it.

The level 14 password is what I want to give to the Smartnet people when I request help on my Smartnet contract.

Can any of you make any suggestions?

Regards,

Fred

Reply to
Fred Atkinson

Been awhile since I messed with these commands, but I think you want to change the level of the commands instead of making exceptions to the levels. In short, and I'm going completely off of a half-memory here, but you can use the

Reply to
Trendkill

Thanks for your help.

Fred

Reply to
Fred Atkinson

I think that the solution to this problem is in setting both the username and enable password commands to level 15 only.

Any feedback?

Fred

Reply to
Fred Atkinson

If you are trying to lock down account creation as well as password changing... I would concur. Just create a level 14 and test once you make the changes...

Only problem here is then 14s will still be 14s...so any '15' commands that you want them to have access to, you may need to 'lower' to 14.

One other note: if you have TACACS (ACS, as it's commonly referred to), then you can do this via authorization on that, and it'll be enterprise-wide so long as you do it by groups, etc.

Reply to
Trendkill

I tried entering '(config)#privilege username' but there is no username option listed when I type 'privilege ?'.

Now I'm not sure how to do this.

Regards,

Fred

Reply to
Fred Atkinson

I thought you were trying to do something like:

privilege exec level 15 username

Did you try that? See my post from earlier with the cisco link, it should have syntax, etc. Good luck.

Reply to
Trendkill

I tried that. It says it doesn't know any command 'username'. Hmmm.

Fred

Reply to
Fred Atkinson

I apologize for not catching this.....

The username command is considered configuration and not execute. Therefore, the syntax is:

privilege configure level 15 username

Let me know how you fare.

Reply to
Trendkill

I executed that command in global configuration mode. Then, when I logged in under the level 14 password, I couldn't get into global configuration mode.

All I wanted to do was stop level 14 from creating/altering/deleting passwords. It should have access to everything else.

Regards,

Fred

Reply to
Fred Atkinson

Based on what I am reading, your problem is that level 14 is not defined with any access. By default, only levels 1 and 15 are set up, and 2-14 are reserved for you to set up the access you want these users to have. I apparently was incorrect in thinking that they were already set up, and therefore you would need to add all the commands that you want to allow to level 14, and do not include username. I have always utilized TACACS and handle all my authorizations through that, so I apologize for misleading you. The link below is a good read.

formatting link

Reply to
Trendkill
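The following IOS configuration is added here as a worked example of the approach Trendkill describes in the post above; it is not from any post in the thread. It assumes a local-login router (no TACACS+), and the hostname, the `smartnet` username, the secrets and the particular set of commands handed down to level 14 are placeholders chosen for illustration. The `all` keyword on `privilege` requires an IOS image that supports it; on older images, list each command individually.

```cisco
! Added example, not from the thread. Replace placeholder credentials.
hostname edge-rtr
!
! Level 15 keeps its defaults. Level 14 starts with only the level 1
! command set, so everything the support engineer should run must be
! moved down explicitly.
enable secret Str0ngEnableSecret-PLACEHOLDER
username smartnet privilege 14 secret Sm4rtnetPass-PLACEHOLDER
!
! Let level 14 enter global configuration mode at all.
privilege exec level 14 configure terminal
!
! Operational commands a support engineer typically needs.
privilege exec all level 14 show
privilege exec all level 14 debug
privilege exec all level 14 undebug
privilege exec level 14 reload
privilege exec level 14 write memory
!
! Configuration-mode commands handed down to level 14 (extend as needed).
privilege configure level 14 interface
privilege interface all level 14 ip address
privilege interface level 14 shutdown
privilege interface level 14 description
privilege configure all level 14 ip route
privilege configure all level 14 access-list
privilege configure all level 14 logging
!
! Anything that creates or changes credentials stays at 15. These are
! already 15 by default; pinning them documents intent and guards against
! a later blanket "privilege configure all level 14 ..." lowering them.
privilege configure level 15 username
privilege configure level 15 enable
privilege configure level 15 aaa
privilege configure level 15 line
!
! Keep commands that load or replace the whole configuration at 15 too;
! a user who can copy a config file in bypasses per-command restrictions.
privilege exec level 15 copy
privilege exec level 15 configure replace
privilege exec level 15 configure network
!
! Local login on the VTYs; "privilege 14" on the username puts the
! session at level 14 directly after login, no enable step needed.
line vty 0 4
 login local
 transport input ssh
```

To check the result, log in as `smartnet`, run `show privilege` (it should report level 14), enter `configure terminal`, and confirm that `username`, `enable secret` and `line` are rejected while `interface` and `ip route` are accepted. Also look at what `show running-config` displays to the level 14 session on your IOS version: lowered show commands may present a filtered view, and any configured `enable secret` hash or type 7 password that does appear is exposed to that user, so decide whether that is acceptable before handing the account out. With TACACS+ command authorization, as Trendkill notes, the same allow/deny decision would be made per command on the server for a group rather than enumerated per device.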
