Multiple Enable Passwords

Posted on 2014-01-27
Last Modified: 2014-06-11
I have maintenance logging into some switches through RADIUS. However, for them to clear the ARP table or transfer backups to a TFTP server they must supply the enable password. The enable password is level 15 (a.k.a. root).

What command would I run to assign multiple enable secret passwords? The level of security should not allow them to change/view passwords, so which level is recommended?

Also, if the maintenance technician is consoled in locally on the switch, they must use the line con 0 password.  How can I have two passwords for the local authentication CONSOLE?

service password-encryption
no service dhcp
hostname SWI-03
no logging console
enable secret 5 $1$IaE9$31DWtrm/3StsIdZa67KIG/
username admin privilege 15 secret 5 $1$tB4B$j3zhhetCZtoK0N031w3Z5/
aaa new-model
aaa group server radius ATMS-RADIUS
 server name DC1
 server name DC2
aaa authentication login default group ATMS-RADIUS local-case
aaa authentication login CONSOLE line

line con 0
 password 7 12345544004A185428
 login authentication CONSOLE
line vty 0 4
 session-timeout 60
 exec-timeout 60 0
 transport input ssh
 transport output all
line vty 5 15
 session-timeout 60
 exec-timeout 60 0
 transport input ssh
 transport output all


Question by:zfish
LVL 29

Expert Comment

by:Jan Springer
ID: 39812655
There is but one enable secret password. You need to assign priv levels to accounts that allow what you are trying to accomplish.

Author Comment

ID: 39813107
What would be an example of the command for a priv level that could accomplish backups and clear ARP?
LVL 29

Expert Comment

by:Jan Springer
ID: 39813164
This is an excellent link that defines how to create specific commands for priv levels.  I like their use of priv 5:
LVL 11

Accepted Solution

Miftaul earned 250 total points
ID: 39815144
Privilege levels 1 to 14 are custom privilege levels. Privilege 0 is the most limited and privilege 15 has full access to the router. We can create the user accounts in different privilege levels and assign specific commands to those privilege levels. I usually do it like below.

R2(config)#username UserA Privilege 15 secret UserAPassword
R2(config)#username UserB Privilege 0 secret UserBPassword
R2(config)#username UserC Privilege 5 secret UserCPassword
R2(config)#Privilege exec level 5 ssh
R2(config)#Privilege exec level 5 ping

Once privilege levels are set, we associate that to the line VTYs and line console like below.

R2(config)#line console 0
R2(config-line)#login local
R2(config-line)#exec-timeout 5 0

R2(config)#line vty 0 15
R2(config-line)#login local
R2(config-line)#exec-timeout 5 0

Now, UserA has full access, UserB is a limited account and UserC is a limited administrator who is allowed to run SSH and ping.
LVL 17

Assisted Solution

MAG03 earned 250 total points
ID: 39816228
This is possible when using "parser views".  

Just remember that when the technician logs in he needs to enter the view name in addition to the enable command...for example:

enable view view_name

To enable a view and associate allowed commands with it, issue the following commands; they will allow the user to issue only the show running-configuration command:

! Prerequisites (not in the original post): aaa new-model and an enable secret must already be configured, and these commands are entered from the root view (enable view)
parser view view_name
 secret VIEW_PASSWORD_PLACEHOLDER
 commands exec include show running-config
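The three answers above each touch a different control on the same switch: one shared enable secret, per-user privilege levels with `privilege exec level` mappings, parser views, and the console still authenticating against a shared `line` password. The script below is an added example (not code from this thread or from Cisco) that audits an IOS running-config for exactly those points. The sample config is constructed from the question's snippet, extended with an assumed privilege-5 user, two assumed `privilege exec level 5` mappings and an assumed parser view; the hashes marked PLACEHOLDER are not real.

```python
"""Audit a Cisco IOS running-config for the points raised in this thread:
how 'enable' is authenticated, who holds privilege 15, which commands are
mapped to custom privilege levels, which parser views exist, and whether
the console relies on a shared, reversibly-encoded line password.
Added example, not from the thread or from Cisco."""
import re
from collections import defaultdict

# Constructed sample: the question's config plus an assumed privilege-5
# user, privilege mappings and parser view.  PLACEHOLDER hashes are fake.
SAMPLE_CONFIG = """\
service password-encryption
hostname SWI-03
enable secret 5 $1$IaE9$31DWtrm/3StsIdZa67KIG/
username admin privilege 15 secret 5 $1$tB4B$j3zhhetCZtoK0N031w3Z5/
username maint privilege 5 secret 5 $1$PLAC$EHOLDERPLACEHOLDERPLACE
aaa new-model
aaa group server radius ATMS-RADIUS
 server name DC1
aaa authentication login default group ATMS-RADIUS local-case
aaa authentication login CONSOLE line
privilege exec level 5 clear arp-cache
privilege exec level 5 copy running-config tftp
parser view MAINT
 secret 5 $1$PLAC$EHOLDERPLACEHOLDERPLACE
 commands exec include show running-config
line con 0
 password 7 12345544004A185428
 login authentication CONSOLE
line vty 0 4
 transport input ssh
"""


def parse_stanzas(config):
    """Split IOS config text into (command, [sub-commands]) pairs.
    Sub-mode lines carry a leading space; '!' lines are comments."""
    stanzas = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and stanzas:
            stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


def console_methods(subs, login_lists, aaa_enabled):
    """Resolve how 'line con 0' authenticates under IOS rules."""
    for s in subs:
        m = re.match(r"login authentication (\S+)$", s)
        if m:
            return login_lists.get(m.group(1), ["<undefined list>"])
    if aaa_enabled:                       # aaa new-model: default list applies
        return login_lists.get("default", ["<no default list>"])
    if "login local" in subs:
        return ["local"]
    if "login" in subs:
        return ["line"]
    return ["none"]


def audit(config):
    """Return a dict of facts about the config plus readable findings."""
    stanzas = parse_stanzas(config)
    top = {cmd for cmd, _ in stanzas}
    login_lists = {}                      # aaa login method-list name -> methods
    for cmd in top:
        m = re.match(r"aaa authentication login (\S+) (.+)$", cmd)
        if m:
            login_lists[m.group(1)] = m.group(2).split()
    r = {"enable_secret_type": None,      # 0/7 reversible, 5 MD5, 8/9 PBKDF2/scrypt
         "user_levels": {}, "level15_users": [],
         "privilege_map": defaultdict(list), "views": {},
         "reversible_passwords": [], "findings": []}
    for cmd, subs in stanzas:
        m = re.match(r"enable (secret|password)(?: (\d))? \S+$", cmd)
        if m:
            kind, enc = m.group(1), int(m.group(2) or 0)
            r["enable_secret_type"] = enc
            if kind == "password" or enc in (0, 7):
                r["reversible_passwords"].append("enable " + kind)
                r["findings"].append("enable credential is type %d (reversible); use 'enable secret'" % enc)
            continue
        m = re.match(r"username (\S+)(?: privilege (\d+))?(?: (secret|password)(?: (\d))? \S+)?", cmd)
        if m:
            name, level, kind, enc = m.groups()
            level = int(level or 1)       # IOS default privilege is 1
            r["user_levels"][name] = level
            if level == 15:
                r["level15_users"].append(name)
            if kind == "password" and (enc or "0") in ("0", "7"):
                r["reversible_passwords"].append("username " + name)
            continue
        m = re.match(r"privilege (\S+) level (\d+) (.+)$", cmd)
        if m:
            r["privilege_map"][int(m.group(2))].append("%s: %s" % (m.group(1), m.group(3)))
            continue
        m = re.match(r"parser view (\S+)$", cmd)
        if m:
            r["views"][m.group(1)] = [s[len("commands "):] for s in subs if s.startswith("commands ")]
            continue
        if re.match(r"line con(?:sole)? 0$", cmd):
            methods = console_methods(subs, login_lists, "aaa new-model" in top)
            if any(s.startswith("password ") for s in subs):   # line passwords are type 0/7 only
                r["reversible_passwords"].append(cmd)
            if "line" in methods:
                r["findings"].append("console uses a shared line password (methods: %s); per-user "
                                     "accountability needs 'login local' or a RADIUS method list" % " ".join(methods))
    if not any(c.startswith("aaa authentication enable") for c in top):
        r["findings"].append("no 'aaa authentication enable': every level-15 user shares the single enable secret")
    r["privilege_map"] = dict(r["privilege_map"])
    return r


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print("%-20s %s" % (key, value))
```

Run against a saved `show running-config`, the report shows which accounts can reach level 15, which commands the custom level actually exposes (so the level-5 technician from the accepted answer can be checked against "clear arp" and "copy ... tftp" without being able to view or change passwords), and whether the console still falls back to the shared `line` password the question describes.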
