Configuring privilege levels on Cisco switch
We can configure different command access based on the privilege level of the user who logs in. The commands available therefore depend entirely on the username and password supplied to the switch at login.
Creating users
First we have to create a user with a privilege level between 0 and 15 (both inclusive). Levels 0, 1 and 15 are predefined (15 always has full control), so a limited-access user should be placed on one of the customizable levels 2 to 14; this page uses level 3. To create a user with privilege level 3, use the following syntax in 'configure terminal' mode:
username <username> privilege 3 password 0 <plain text password>
Note that 'password 0' stores the password in clear text in the running configuration; the 'secret' keyword stores a hash instead and is preferable for any account that can reach configuration commands.
Defining which commands are allowed
Then, in 'configure terminal' mode, we can specify which exec mode commands should be allowed to users with privilege level 3 using the syntax `privilege exec level 3 <command>`.
For example:
privilege exec level 3 traceroute
privilege exec level 3 ping
If you want to allow the user with privilege level 3 to change the hostname, you need to enter the following lines in 'configure terminal' mode (the first grants entry into configuration mode, the second grants the 'hostname' command inside it):
privilege exec level 3 configure terminal
privilege configure level 3 hostname
Enabling local login
In order to allow users to log in using this method you must configure local login on the vty lines, that is:
line vty 0 15
 login local
Simply enabling 'aaa new-model' won't give the same result. With 'aaa new-model' users will be able to log in using the configured username and password, but they land in user EXEC (level 1) and have to type 'en' and then the enable password before they can run the level 3 exec commands; the user's own privilege level is only applied at login if EXEC authorization against the local database is also configured. With plain 'login local' on the vty lines, by contrast, users are placed at their configured privilege level immediately after login and there is no need to type 'en' separately.
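The steps above assembled into one complete configuration, as an added example that is not from the original page. The username 'netops', its password and the choice of level 3 are assumptions for illustration; the command set is the one discussed above, with the password stored as a 'secret' hash rather than type-0 clear text.

```cisco
! Added example (not the page's own configuration). Assumed values:
! username "netops", password "S3cur3Pa55", privilege level 3.
configure terminal
 ! Limited user on customizable level 3; "secret" stores a hash, not clear text
 username netops privilege 3 secret S3cur3Pa55
 ! Exec mode commands granted to level 3
 privilege exec level 3 ping
 privilege exec level 3 traceroute
 ! Allow entering configuration mode, but only the "hostname" command inside it
 privilege exec level 3 configure terminal
 privilege configure level 3 hostname
 ! Local login on the vty lines so the user's level applies immediately at login
 line vty 0 15
  login local
 exit
end
! Check from a session logged in as netops:
!   show privilege   -> should report "Current privilege level is 3"
!   show running-config | include privilege   -> lists the level 3 grants
```

After logging in as 'netops' over a vty line, 'show privilege' should report level 3 without typing 'enable', and commands not granted to level 3 (for example 'interface' inside configuration mode) are rejected.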