
What are these router user accounts privileges ?


ase2dais (Technical User), Dec 21, 2001

I have set up a user account on a 2500 series and
have set the privilege to 1; the choices are 0-15.

router>en
router#conf t
router(config)#username bob password passwd
router(config)#username bob privilege ?
<0-15> User Privilege level

Where can I find out what these levels mean?
 
Hi,

Usually when logging on to a router you get on with privilege level 0. When you enter enable mode, you jump straight up to privilege level 15.

That's what will happen if you're using password only authentication, or if you're using a username/password pair as you have listed above.

That's fine for most setups, but say you decide that you always want to go straight to enable mode when you log in as "admin"; you can do that by entering:

router(config)# username admin priv 15 password admin

If you don't assign a priv number to a user, they get level 0 by default.

So what are all the levels from 1 to 14 for? you ask.
Well, say you know that an ops person needs to be able to view the running config, but you don't want ops to have enable passwords. You would create a user like this:

router(config)#username ops priv 7 password ops

and then allow level 7 users to issue the sh run command:

router(config)#privilege exec level 7 show running-config

Obviously then you can create a lot of different command sets for different types of user, without giving out full control, by assigning various commands to various privilege levels.

There are other applications for it, like setting up RADIUS users with different privileges, and allowing level X users to go into config mode and change certain things, e.g. SNMP community strings, etc.

Hope that helps,
Paul.
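A fuller version of the split Paul describes, as an added example that is not from the original thread: a level-15 admin, a level-7 ops user, and the commands moved down to level 7, plus a level-9 user who may change only SNMP community strings. Usernames and secrets are placeholders. Two caveats worth knowing: on IOS, user EXEC mode and a username created without a privilege keyword are level 1, not 0 (level 0 holds only disable, enable, exit, help and logout); and show running-config at a level below 15 shows only the parts of the configuration that level is allowed to issue, so check on your release that the ops user sees what you intend.

```cisco
! Use 'secret' rather than 'password': the password form is stored reversibly (type 7)
username admin privilege 15 secret Adm1n-Placeholder
username ops privilege 7 secret Ops-Placeholder
!
! A separate enable password for level 7, so a level-1 user can step up to 7
! with 'enable 7' without knowing the level-15 enable secret
enable secret level 7 Lvl7-Placeholder
enable secret Lvl15-Placeholder
!
! Commands re-homed to level 7: available to ops, still available to every level above
privilege exec level 7 show running-config
privilege exec level 7 show interfaces
privilege exec level 7 show ip route
!
! To edit a configure-mode command, the user also needs 'configure terminal' at their level
username netmon privilege 9 secret Netmon-Placeholder
privilege exec level 9 configure terminal
privilege configure level 9 snmp-server community
!
! Check what a session is running as and what it can see
! router> show privilege
! router> show running-config      (output filtered to the commands of the current level)
```

The placeholder secrets are there to be replaced; a real deployment uses distinct values per level and per user.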





 
Thanks Paul!

paul >Usually when logging on to a router you get on with privilege level 0. When you enter enable mode, you jump straight up to privilege level 15.

re: >> So I see these as open security level ranges (1-14) that you later define, then.

paul >That's what will happen if you're using password only authentication, or if you're using a username/password pair as you have listed above.

re: >> OK, but these accounts that I have set up seem useless, because if they telnet to the router they are immediately prompted with the password prompt. (Is there a way to see the login first, then the password prompt?
If not, I can live with that; I'll just change the privilege mode password to make them log in.)


You have given me a very useful tool. Can you point me to
a web reference site, if any?

Thanks again.

Al





 
Al,

You need to tell the router that a local user database exists and refer to that for login info. You do this by entering the following:

router(config)#line vty 0 4
router(config-line)#login local

You should then be prompted for a username/password when you telnet in.
You can do the same for the console port, but I'd advise against it unless your router is in a public area or can be physically accessed. But then you'd have more pressing security issues!!

Paul
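The vty configuration Paul describes, extended with the two controls usually added alongside it (a source ACL and an idle timeout); this is an added example, not from the thread. The address range and secrets are placeholders. One practical caveat: the moment login local is applied, only accounts in the local database can get in over the vty lines, so keep a console session open until a fresh login with one of those usernames has been verified.

```cisco
! Local user database that 'login local' will consult; a user with a privilege
! keyword lands directly at that level after logging in
username admin privilege 15 secret Adm1n-Placeholder
username ops privilege 7 secret Ops-Placeholder
!
! Only the management subnet may open a vty session; denied attempts are logged
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 login local
 access-class 10 in
 exec-timeout 5 0
 logging synchronous
!
! Console: 'login local' here is a site choice (see Paul's note above);
! an idle timeout is worthwhile either way
line con 0
 exec-timeout 5 0
```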
 
Paul, again thanks! It worked. Again you mentioned
>> but I'd advise against it unless your router is in a public area or can be physically accessed. But then you'd have more pressing security issues!!

re: >> Well, isn't there something in the 2600 that enables someone to telnet securely? I currently have a new 2600 and still need to tweak it up. Any thoughts or comments?

re: >> Oh, by the way, after all this I'll audit the config file.
Have you tried the free router audit tool, that runs a Perl script on your router config and provides you different textual reports?
I'll provide you the link if you'd like.


 
"Well, isn't there something in the 2600 that enables someone to telnet securely? I currently have a new 2600 and still need to tweak it up. Any thoughts or comments?"
-> You could use SSH. The Tera Term add-on is my personal favorite, but one of the other guys here swears by PuTTY, so try a few to see which suits you. Here's the link:

"Oh, by the way, after all this I'll audit the config file.
Have you tried the free router audit tool, that runs a Perl script on your router config and provides you different textual reports?"
-> Good plan. I've seen RAT and used it once or twice, but I usually end up talking to the client and building very specific ACLs for their site, so I end up hardening the box by hand while I'm there. Thanks for the tip anyway!
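Turning on SSH and turning off telnet on the 2600, as an added example not taken from the thread. It assumes an IOS image with crypto support (the k9/IPsec feature sets), which SSH needs; hostname, domain name and secrets are placeholders. SSH logs in with a username, so the vty lines must already use login local (or AAA) as in Paul's earlier post; a plain line password is not enough.

```cisco
! SSH needs a hostname and a domain name before an RSA host key can be generated
hostname router
ip domain-name example.test
! Generated from global configuration mode; generating the key also starts the SSH server.
! Use 2048 where the platform allows it
crypto key generate rsa modulus 2048
!
! SSHv2 only, on images that support the command, with bounded login attempts
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
username admin privilege 15 secret Adm1n-Placeholder
!
! 'transport input ssh' is what actually stops telnet; keep a console session
! open and verify a fresh SSH login from your client before logging out
line vty 0 4
 login local
 transport input ssh
!
! Verify:
! router# show ip ssh
! router# show users
```

On a client such as PuTTY or Tera Term with the SSH add-on, connect to the router's address with the admin username; the first connection will prompt to accept the router's new host key.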
 