Solved

Multiple Enable Passwords

Posted on 2014-01-27
702 Views
Last Modified: 2014-06-11
I have maintenance logging into some switches through RADIUS. However, for them to clear the ARP table or transfer backups to a TFTP server they must supply the enable password. The enable password is level 15 (aka root).

What command would I run to assign multiple enable secret passwords? The level of security should not allow them to change/view passwords; which level is recommended?

Also, if the maintenance technician is consoled in locally on the switch, they must use the line con 0 password.  How can I have two passwords for the local authentication CONSOLE?

service password-encryption
no service dhcp
!
hostname SWI-03
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 5 $1$IaE9$31DWtrm/3StsIdZa67KIG/
!
username admin privilege 15 secret 5 $1$tB4B$j3zhhetCZtoK0N031w3Z5/
aaa new-model
!
!
aaa group server radius ATMS-RADIUS
 server name DC1
 server name DC2
!
aaa authentication login default group ATMS-RADIUS local-case
aaa authentication login CONSOLE line
!

!
!
!
line con 0
 password 7 12345544004A185428
 login authentication CONSOLE
line vty 0 4
 session-timeout 60
 exec-timeout 60 0
 transport input ssh
 transport output all
line vty 5 15
 session-timeout 60
 exec-timeout 60 0
 transport input ssh
 transport output all

Open in new window

0
Comment
Question by:zfish
5 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39812655
There is but one enable secret password. You need to assign priv levels to accounts that allow what you are trying to accomplish.
Author Comment

by:zfish
ID: 39813107
What would be an example of the command for a priv level that could accomplish backups and clear ARP?
LVL 28

Expert Comment

by:Jan Springer
ID: 39813164
This is an excellent link that defines how to create specific commands for priv levels.  I like their use of priv 5:

https://supportforums.cisco.com/docs/DOC-14710
LVL 11

Accepted Solution

by:Miftaul (earned 250 total points)
ID: 39815144
Privilege levels 1 to 14 are custom privilege levels. Privilege 0 is the most limited and privilege 15 has full access to the router. We can create user accounts at different privilege levels and assign specific commands to those privilege levels. I usually do it like below.

R2(config)#username UserA privilege 15 secret UserAPassword
R2(config)#username UserB privilege 0 secret UserBPassword
R2(config)#username UserC privilege 5 secret UserCPassword
R2(config)#privilege exec level 5 ssh
R2(config)#privilege exec level 5 ping

Once privilege levels are set, we associate them with the VTY lines and the console line like below.

R2(config)#line console 0
R2(config-line)#login local
R2(config-line)#exec-timeout 5 0
R2(config-line)#exit

R2(config)#line vty 0 15
R2(config-line)#login local
R2(config-line)#exec-timeout 5 0
R2(config-line)#exit

Now UserA has full access, UserB is a limited account, and UserC is a limited administrator allowed to run SSH and ping.
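A worked configuration for the scenario in the question, added here by the editor and not part of any reply in the thread. It combines the privilege-level approach above with a per-level enable secret (IOS accepts `enable secret level <n>`, so level 5 can have its own enable password) and two local console accounts in place of the shared `line con 0` password. The level number 5, the account names admin and maint, and the passwords are assumptions; the RADIUS group name ATMS-RADIUS is taken from the question. One caveat a practitioner should weigh before granting the backup right: a TFTP copy of the running config carries the enable secret hash and every type 7 line password, and type 7 is trivially reversible, so a technician who can back up the switch can always recover the `password 7` console string in the posted config. Replacing that line password with local usernames that use `secret` removes the reversible string from the backup.

```cisco
! Added example, not from the thread. Level 5, the usernames and the
! passwords are assumptions; ATMS-RADIUS is the question's RADIUS group.
aaa new-model
!
! Full-access local account for administrators.
username admin privilege 15 secret AdminPassword
! Second local account for maintenance; lands at level 5 on the console.
username maint privilege 5 secret MaintPassword
!
! A separate enable secret for level 5: "enable 5" asks for this one,
! plain "enable" (level 15) still asks for the level-15 secret.
enable secret level 5 MaintEnablePassword
!
! Commands moved down to level 5. Parent keywords (clear, copy) move with
! them; configure terminal, username and show running-config stay at 15.
privilege exec level 5 clear arp-cache
privilege exec level 5 copy running-config tftp
privilege exec level 5 copy startup-config tftp
privilege exec level 5 show ip arp
!
! RADIUS users are placed at level 5 by the server returning the
! Cisco-AVPair "shell:priv-lvl=5"; the attribute is only honoured when
! exec authorization is on. "aaa authorization console" is required for
! the same to apply to local logins on the console port.
aaa authorization exec default group ATMS-RADIUS local
aaa authorization console
!
! Console: two local accounts instead of one shared type 7 line password.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
 exec-timeout 10 0
```

With this in place a RADIUS maintenance user arrives at level 5 and can clear the ARP cache or copy the configuration off box without ever being told the level-15 enable secret; an administrator still types `enable` and supplies the level-15 secret to reach configuration mode.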
LVL 17

Assisted Solution

by:MAG03
MAG03 earned 250 total points
ID: 39816228
This is possible when using "parser views".  

Just remember that when the technician logs in he needs to enter the view name in addition to the enable command...for example:

enable view view_name

To enable a view and associate allowed commands with it, issue the following commands. The following will allow the user to only issue the show running-config command:

parser view view_name
 secret PASSWORD
 commands exec include show running-config

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
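The same maintenance task expressed as a CLI view, as an added example that is not part of MAG03's reply. The view name MAINT, its secret and the set of included commands are assumptions chosen to match the question (clear the ARP table, back up to TFTP). Views require `aaa new-model` and are created from the root view, which is entered with `enable view` and the level-15 enable secret; once the view exists, the technician's own login needs only the view secret, so the level-15 enable secret is never shared.

```cisco
! Added example, not from the thread. View name, secret and command list
! are assumptions. Configure from the root view: "enable view", then
! "configure terminal".
aaa new-model
enable secret RootEnableSecret
!
parser view MAINT
 secret MaintViewPassword
 ! Only the listed commands (plus their parent keywords) are available
 ! inside the view; everything else, including show running-config,
 ! configure terminal and username, is invisible.
 commands exec include clear arp-cache
 commands exec include show ip arp
 commands exec include show ip interface brief
 commands exec include copy running-config tftp
 commands exec include copy startup-config tftp
```

The technician logs in normally (RADIUS on a VTY, or a local account on the console), then types `enable view MAINT` and supplies MaintViewPassword. Note that the parser-view configuration keyword is `commands` (plural), and that the backup caveat from the privilege-level example applies here too: whatever the view lets the user copy to TFTP is exactly what the user can read afterwards.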