Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Multiple Enable Passwords

Posted on 2014-01-27
5
Medium Priority
?
1,079 Views
Last Modified: 2014-06-11
I have maintenance logging into some switches through RADIUS.  However, for them to clear the arp table or transfer backups to a TFTP they must supply the enable password.  The enable password is level 15 (aka. root)  

What command would I run to assign multiple enable secrets passwords?  The level of security should not allow them to change/view passwords, which level is recommended?

Also, if the maintenance technician is consoled in locally on the switch, they must use the line con 0 password.  How can I have two passwords for the local authentication CONSOLE?

service password-encryption
no service dhcp
!
hostname SWI-03
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 5 $1$IaE9$31DWtrm/3StsIdZa67KIG/
!
username admin privilege 15 secret 5 $1$tB4B$j3zhhetCZtoK0N031w3Z5/
aaa new-model
!
!
aaa group server radius ATMS-RADIUS
 server name DC1
 server name DC2
!
aaa authentication login default group ATMS-RADIUS local-case
aaa authentication login CONSOLE line
!

!
!
!
line con 0
 password 7 12345544004A185428
 login authentication CONSOLE
line vty 0 4
 session-timeout 60
 exec-timeout 60 0
 transport input ssh
 transport output all
line vty 5 15
 session-timeout 60
 exec-timeout 60 0
 transport input ssh
 transport output all

Open in new window

0
Comment
Question by:zfish
5 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39812655
there is but one enable secret password.  you need to assign priv levels to accounts that allow what you are trying to accomplish.
0
 

Author Comment

by:zfish
ID: 39813107
What would be an example of the command for a prv level that could accomplish backups and clear arp?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 39813164
This is an excellent link that defines how to create specific commands for priv levels.  I like their use of priv 5:

https://supportforums.cisco.com/docs/DOC-14710
0
 
LVL 11

Accepted Solution

by:
Miftaul earned 1000 total points
ID: 39815144
Privilege level 1 to 14 are custom privilege levels. Privilege 0 is most limited and Privilege 15 has full access to the router. We can create the users accounts in different Privilege levels and assign specific commands associated to those privilege levels. I usually do it like below.

R2(config)#username UserA Privilege 15 secret UserAPassword
R2(config)#username UserB Privilege 0 secret UserBPassword
R2(config)#username UserC Privilege 5 secret UserCPassword
R2(config)#Privilege exec level 5 ssh
R2(config)#Privilege exec level 5 ping

Once Privelege levels are set, we associate that to the Line VTY's and Line Console like below.

R2(config)#line console 0
R2(config-line)#login local
R2(config-line)#exec-timeout 5 0
R2(config-line)#exit

R2(config)#line vty 0 15
R2(config-line)#login local
R2(config-line)#exec-timeout 5 0
R2(config-line)#exit

Now, UserA has full access, UserB is a limited account and UserC is a limited administrator and allowed to run SSH and Ping
0
 
LVL 17

Assisted Solution

by:Marius Gunnerud
Marius Gunnerud earned 1000 total points
ID: 39816228
This is possible when using "parser views".  

Just remember that when the technician logs in he needs to enter the view name in addition to the enable command...for example:

enable view view_name

To enable a view and associate allowed commands with it, issue the following commands the following will allow the user to only issue the show running-configuration command:

parser view view_name

secret PASSWORD
command exec include show running-configuration

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
0

Featured Post

Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question