Level 14 Privilege Level

Discussion in 'Cisco' started by Fred Atkinson, Feb 22, 2007.

  1. Folks,

    I want to create a username/password with a privilege level of
    14. Creating it is easy enough. It just takes the syntax of
    'username cisco privilege 14 password cisco'.

    The issue is that I want level 14 to be able to do [almost]
    anything that the level 15 password can do *except*
    add/remove/delete/change passwords. At some future point, I might
    want to restrict some other commands but which other ones are yet to
    be determined.

    I'm not really sure how to go about doing that. Does anyone
    have any feedback on this? Syntax for the commands would be great if
    you know it.

    The level 14 password is what I want to give to the Smartnet
    people when I request help on my Smartnet contract.

    Can any of you make any suggestions?

    Regards,



    Fred
     
    Fred Atkinson, Feb 22, 2007
    #1
    1. Advertisements

  2. Fred Atkinson

    Trendkill Guest

    Been awhile since I messed with these commands, but I think you want
    to change the level of the commands instead of making exceptions to
    the levels. In short, and I'm going completely off of a half-memory
    here, but you can use the <privilege exec level 15 <LINE> to set
    commands to privilege level 15. Add in the command lines that you
    only want used by level 15's, and I'm thinking that should do what you
    want. Here is a Cisco doc on the subject:

    http://www.cisco.com/univercd/cc/td...2cgcr/fsecur_c/fothersf/scfpass.htm#wp1001368

    Just make sure you don't lock yourself out of a command in case you
    accidentally set a root command to 15 (by having a level 15 account
    handy). Pay close attention to this section:

    Disabling a Privilege Level Example

    In the following example, the show ip route command is set to
    privilege level 15. To keep all show ip and show commands from also
    being set to privilege level 15, these commands are specified to be
    privilege level 1.

    privilege exec level 15 show ip route

    privilege exec level 1 show ip

    privilege exec level 1 show
     
    Trendkill, Feb 22, 2007
    #2
    1. Advertisements

  3. Thanks for your help.



    Fred
     
    Fred Atkinson, Feb 23, 2007
    #3
  4. I think that the solution to this problem is in setting both
    the username and enable password commands to level 15 only.

    Any feedback?




    Fred
     
    Fred Atkinson, Feb 23, 2007
    #4
  5. Fred Atkinson

    Trendkill Guest

    If you are trying to lockdown account creation as well as password
    changing...I would concur. Just create a level 14 and test once you
    make the changes............

    Only problem here is then 14s will still be 14s...so any '15' commands
    that you want them to have access to, you may need to 'lower' to 14.

    One other note, if you have TACACs (ACS as its commonly referred),
    then you can do this via authorization on that, and itll be enterprise
    so long as you do it by groups, etc.
     
    Trendkill, Feb 23, 2007
    #5
  6. I tried entering '(config)#privilege username' but there is no
    username option listed when I type 'privilege ?'.

    Now I'm not sure how to do this.

    Regards,


    Fred
     
    Fred Atkinson, Feb 24, 2007
    #6
  7. Fred Atkinson

    Trendkill Guest

    I thought you were trying to do something like:

    privilege exec level 15 username

    Did you try that? See my post from earlier with the cisco link, it
    should have syntax, etc. Good luck.
     
    Trendkill, Feb 24, 2007
    #7
  8. I tried that. It says it doesn't know any command 'username'.
    Hmmm.



    Fred
     
    Fred Atkinson, Feb 25, 2007
    #8
  9. Fred Atkinson

    Trendkill Guest

    I apologize for not catching this.....

    The username command is considered configuration and not execute.
    Therefore, the syntax is:

    privilege configure level 15 username

    Let me know how you fair.
     
    Trendkill, Feb 25, 2007
    #9
  10. I executed that command at global configuration mode. Then I
    logged in under the level 14 password, I couldn't get into global
    configuration mode.

    All I wanted to do was stop level 14 from creating/altering/
    deleting passwords. It should have access to everything else.

    Regards,



    Fred
     
    Fred Atkinson, Feb 26, 2007
    #10
  11. Fred Atkinson

    Trendkill Guest

    Based on what I am reading, your problem is that level 14 is not
    defined with any access. By default, only levels 1 and 15 are setup,
    and 2-14 are reserved for you to setup the access you want these users
    to have. I apparently was incorrect in thinking that they were
    already setup, and therefore you would need to add all the commands
    that you want to allow to level 14, and do not include username. I
    have always utilized TACACs and handle all my authorizations through
    that, so I apologize for misleading you. The link below is a good
    read.

    http://www.cisco.com/univercd/cc/td.../ios122/122cgcr/fsecur_c/fothersf/scfpass.htm
     
    Trendkill, Feb 26, 2007
    #11
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.