Multiple Enable Passwords

I have maintenance logging into some switches through RADIUS. However, for them to clear the ARP table or transfer backups to a TFTP server they must supply the enable password. The enable password is level 15 (a.k.a. root).

What command would I run to assign multiple enable secret passwords? The level of security should not allow them to change/view passwords; which level is recommended?

Also, if the maintenance technician is consoled in locally on the switch, they must use the line con 0 password.  How can I have two passwords for the local authentication CONSOLE?

service password-encryption
no service dhcp
!
hostname SWI-03
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 5 $1$IaE9$31DWtrm/3StsIdZa67KIG/
!
username admin privilege 15 secret 5 $1$tB4B$j3zhhetCZtoK0N031w3Z5/
aaa new-model
!
!
aaa group server radius ATMS-RADIUS
 server name DC1
 server name DC2
!
aaa authentication login default group ATMS-RADIUS local-case
aaa authentication login CONSOLE line
!

!
!
!
line con 0
 password 7 12345544004A185428
 login authentication CONSOLE
line vty 0 4
 session-timeout 60
 exec-timeout 60 0
 transport input ssh
 transport output all
line vty 5 15
 session-timeout 60
 exec-timeout 60 0
 transport input ssh
 transport output all


zfish Asked:

Miftaul Commented:
Privilege levels 1 to 14 are custom privilege levels. Privilege 0 is the most limited and privilege 15 has full access to the router. We can create the user accounts at different privilege levels and assign specific commands to those privilege levels. I usually do it like below.

R2(config)#username UserA privilege 15 secret UserAPassword
R2(config)#username UserB privilege 0 secret UserBPassword
R2(config)#username UserC privilege 5 secret UserCPassword
R2(config)#privilege exec level 5 ssh
R2(config)#privilege exec level 5 ping

Once privilege levels are set, we associate them with the line VTYs and line console like below.

R2(config)#line console 0
R2(config-line)#login local
R2(config-line)#exec-timeout 5 0
R2(config-line)#exit

R2(config)#line vty 0 15
R2(config-line)#login local
R2(config-line)#exec-timeout 5 0
R2(config-line)#exit

Now, UserA has full access, UserB is a limited account, and UserC is a limited administrator allowed to run SSH and ping.
0
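The privilege-level approach above, applied to the asker's actual case (clear the ARP table, back up the config to TFTP, keep password commands at level 15, and give the console two separate credentials). This is an added example written for this page, not configuration posted by anyone in the thread; it assumes the SWI-03 config quoted in the question (aaa new-model, the ATMS-RADIUS group, the existing admin user) and uses placeholder secrets and a hypothetical username "tech". One caveat a practitioner should weigh before granting copy running-config: the copied file contains every enable/username hash and the type 7 console password, which is reversible, so a level-5 tech who can back up the config can read the console password.

```cisco
! Added example (not from the thread): level-5 maintenance access on SWI-03.
! Placeholders: <Level5Secret>, <TechPassword>, username "tech".
!
! A second enable secret bound to level 5. "enable 5" prompts for this one;
! a bare "enable" still prompts for the level-15 secret from the quoted config.
enable secret level 5 <Level5Secret>
!
! Local fallback account that lands directly at level 5 (used when RADIUS
! is unreachable, and for the console).
username tech privilege 5 secret <TechPassword>
!
! Move only the maintenance commands down to level 5. Moving "clear arp-cache"
! also pulls the parent keyword "clear" down to 5, which is expected.
! "copy running-config" covers every destination (tftp:, flash:, startup-config);
! there is no narrower command to restrict it to tftp: only.
privilege exec level 5 clear arp-cache
privilege exec level 5 copy running-config
privilege exec level 5 show privilege
!
! Everything not moved stays at 15: "show running-config", "configure terminal",
! "username", "enable secret", "copy tftp: running-config".
!
! Exec authorization makes the privilege level actually apply at login.
! For RADIUS users the server must return the Cisco AV pair
! "shell:priv-lvl=5" (or 15 for admins); local users take it from "username".
aaa authorization exec default group ATMS-RADIUS local
aaa authorization exec CONSOLE local
!
! Console: authenticate against the local user database instead of the single
! "line con 0" password, so admin (15) and tech (5) each have their own password.
aaa authentication login CONSOLE local
!
line con 0
 no password
 login authentication CONSOLE
 authorization exec CONSOLE
```

After this, a tech that RADIUS places at level 1 types `enable 5` and gives the level-5 secret; `show privilege` should report "Current privilege level is 5", and `configure terminal` should be rejected. Verify with `show privilege` and `show running-config | include ^privilege` from an admin session before handing the credential out.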
 
Jan Springer Commented:
There is but one enable secret password. You need to assign priv levels to accounts that allow what you are trying to accomplish.
0
 
zfish Author Commented:
What would be an example of the command for a priv level that could accomplish backups and clear ARP?
0
 
Jan Springer Commented:
This is an excellent link that defines how to create specific commands for priv levels.  I like their use of priv 5:

https://supportforums.cisco.com/docs/DOC-14710
0
 
Marius Gunnerud (Senior Systems Engineer) Commented:
This is possible when using "parser views".

Just remember that when the technician logs in he needs to enter the view name in addition to the enable command, for example:

enable view view_name

To enable a view and associate allowed commands with it, issue the following commands; these will allow the user to issue only the show running-config command:

parser view view_name
 secret PASSWORD
 commands exec include show running-config

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
0
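The parser-view approach above, carried through for the same maintenance tasks (clear ARP, back up to TFTP) and showing the login sequence the tech sees. This is an added example for this page, not configuration from Marius or from Cisco's documentation; it assumes aaa new-model is already on (it is in the quoted SWI-03 config), names the view "maint" and uses a placeholder secret. The same caveat as for privilege levels applies: a view that can copy running-config can read every hash and the reversible type 7 console password in that config.

```cisco
! Added example (not from the thread): a "maint" CLI view on SWI-03.
! Placeholders: view name "maint", <MaintViewSecret>.
!
! Views are created from the root view. Enter it first at the exec prompt
! with the existing level-15 enable secret:
!   SWI-03# enable view
!   Password: <level-15 enable secret>
!   SWI-03# configure terminal
!
parser view maint
 secret <MaintViewSecret>
 ! Only listed commands exist inside the view; everything else is invalid.
 commands exec include clear arp-cache
 commands exec include copy running-config
 commands exec include show arp
 commands exec include show interfaces
 commands exec include show parser view
!
! Login sequence for a tech that RADIUS drops at level 1. The prompt asks for
! the view secret, not the level-15 enable secret:
!   SWI-03> enable view maint
!   Password: <MaintViewSecret>
!   SWI-03# show parser view
!   Current view is 'maint'
!
! From inside the view, "show running-config", "configure terminal",
! "username" and "enable secret" are rejected as invalid input; the tech
! never learns the level-15 secret.
```

One practical difference from privilege levels: a view is a separate secret the admin hands out and rotates independently of the level-15 enable secret, which is exactly the "multiple enable passwords" the question asks for. Confirm the view behaves as intended with `show parser view all` from the root view and by logging in as the tech once.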