Solved

Multiple Enable Passwords

Posted on 2014-01-27
5
736 Views
Last Modified: 2014-06-11
I have maintenance staff logging into some switches through RADIUS. However, for them to clear the ARP table or transfer backups to a TFTP server they must supply the enable password. The enable password is level 15 (a.k.a. root).

What command would I run to assign multiple enable secret passwords? The level of security should not allow them to change/view passwords; which level is recommended?

Also, if the maintenance technician is consoled in locally on the switch, they must use the line con 0 password. How can I have two passwords for the local authentication CONSOLE?

service password-encryption
no service dhcp
!
hostname SWI-03
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 5 $1$IaE9$31DWtrm/3StsIdZa67KIG/
!
username admin privilege 15 secret 5 $1$tB4B$j3zhhetCZtoK0N031w3Z5/
aaa new-model
!
!
aaa group server radius ATMS-RADIUS
 server name DC1
 server name DC2
!
aaa authentication login default group ATMS-RADIUS local-case
aaa authentication login CONSOLE line
!

!
!
!
line con 0
 password 7 12345544004A185428
 login authentication CONSOLE
line vty 0 4
 session-timeout 60
 exec-timeout 60 0
 transport input ssh
 transport output all
line vty 5 15
 session-timeout 60
 exec-timeout 60 0
 transport input ssh
 transport output all


0
Question by:zfish
5 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39812655
There is but one enable secret password. You need to assign priv levels to accounts that allow what you are trying to accomplish.
0
 

Author Comment

by:zfish
ID: 39813107
What would be an example of the command for a priv level that could accomplish backups and clear ARP?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39813164
This is an excellent link that defines how to create specific commands for priv levels.  I like their use of priv 5:

https://supportforums.cisco.com/docs/DOC-14710
0
 
LVL 11

Accepted Solution

by: Miftaul (earned 250 total points)
ID: 39815144
Privilege levels 1 to 14 are custom privilege levels. Privilege 0 is the most limited and privilege 15 has full access to the router. We can create the user accounts at different privilege levels and assign specific commands to those privilege levels. I usually do it like below.

R2(config)#username UserA Privilege 15 secret UserAPassword
R2(config)#username UserB Privilege 0 secret UserBPassword
R2(config)#username UserC Privilege 5 secret UserCPassword
R2(config)#Privilege exec level 5 ssh
R2(config)#Privilege exec level 5 ping

Once privilege levels are set, we associate them with the line VTYs and line console like below.

R2(config)#line console 0
R2(config-line)#login local
R2(config-line)#exec-timeout 5 0
R2(config-line)#exit

R2(config)#line vty 0 15
R2(config-line)#login local
R2(config-line)#exec-timeout 5 0
R2(config-line)#exit

Now, UserA has full access, UserB is a limited account, and UserC is a limited administrator allowed to run SSH and ping.
0
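An added example, not the accepted answer's text or Cisco's documentation, that applies this privilege-level approach to the configuration shown in the question. Because the asker already runs `aaa new-model` with RADIUS, the console gets a local-only AAA method list rather than `login local`, and level 5 gets its own enable secret via `enable secret level`, which is what "multiple enable secrets" amounts to on IOS. The account name `maint`, the method-list name `CONSOLE` (reused from the question) and every password are placeholders for the example.

```cisco
! Added example: a maintenance privilege level (5) limited to the commands
! the question asks for, with its own enable secret. Passwords are
! placeholders; replace them before use.
!
! A second enable secret, bound to level 5. A level-1 RADIUS user reaches it
! with "enable 5" and never needs the level-15 secret.
enable secret level 5 0 MaintEnablePlaceholder
!
! Move only the needed commands down to level 5. IOS adds the parent
! keywords ("clear", "copy", "copy running-config") to the config itself.
privilege exec level 5 clear arp-cache
privilege exec level 5 copy running-config tftp
privilege exec level 5 show arp
!
! "configure terminal" is deliberately left at level 15, so a level-5 user
! cannot change usernames, secrets or line passwords.
!
! Local maintenance account that lands at level 5; it also serves as a
! second console credential alongside "admin".
username maint privilege 5 secret 0 MaintUserPlaceholder
!
! Console: authenticate against local usernames instead of the single
! "line con 0" password, so each technician has their own password, and
! apply exec authorization on the console so the privilege level takes effect.
aaa authentication login CONSOLE local
aaa authorization exec CONSOLE local
aaa authorization console
!
line con 0
 no password
 login authentication CONSOLE
 authorization exec CONSOLE
```

The SSH/RADIUS path is unchanged: RADIUS users still log in at level 1 and type `enable 5` with the level-5 secret. If the RADIUS server is set up to return the `shell:priv-lvl=5` cisco-av-pair, adding `aaa authorization exec default group ATMS-RADIUS local` places those users at level 5 directly without any enable prompt.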
 
LVL 17

Assisted Solution

by: MAG03 (earned 250 total points)
ID: 39816228
This is possible when using "parser views".

Just remember that when the technician logs in he needs to enter the view name in addition to the enable command...for example:

enable view view_name

To enable a view and associate allowed commands with it, issue the following commands. The following will allow the user to only issue the show running-configuration command:

parser view view_name
 secret PASSWORD
 commands exec include show running-config

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
0
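An added example, not part of MAG03's answer or the linked Cisco guide, showing a parser view that exposes only the maintenance commands from the question. The view name `MAINT`, the account `maint` and the secrets are placeholders chosen for the example.

```cisco
! Added example: a role-based CLI view for the maintenance technician.
! Secrets and names are placeholders.
!
! Views require aaa new-model (already present in the question) and the root
! view must be entered once interactively with "enable view" (it prompts for
! the level-15 enable secret) before any parser view can be created.
aaa new-model
!
parser view MAINT
 secret 0 MaintViewPlaceholder
 ! Only these exec commands are visible inside the view; IOS adds the
 ! parent keywords ("clear", "copy", "show") automatically.
 commands exec include clear arp-cache
 commands exec include copy running-config tftp
 commands exec include show arp
 commands exec include show interfaces
!
! Bind a local account to the view. With local exec authorization in place
! the technician is dropped straight into MAINT at login; without it, they
! log in normally and type "enable view MAINT" with the view secret.
username maint view MAINT secret 0 MaintUserPlaceholder
```

Inside the view, `show running-config` is not available at all (it was not included), so the enable secret and username hashes never appear on the technician's screen; configuration mode is likewise absent because no `commands configure` line was added.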
