Yes, you can do all of these:

1) To restrict access to the console you may set up a password. This
password will appear encrypted in the configuration if you use the command
"service password-encryption" in global config mode. But note that it is not
a strong password (it may be broken by some utilities easily found on the
Internet) and it's encrypted only in the config: on the console port it
passes in clear text when you type it.

2) To prevent some people from using some commands, you may set up different
usernames and passwords for them, instead of using only one password for
all. Then you may set up access levels and personalize them as you want. An
example follows:

service password-encryption
enable secret 5 $1$b1c/$92VTP65ehu8CHkcitiW4NBW.
no enable password
username abc privilege 5 password xyz
username omer privilege 10 password 123
privilege exec level 10 enable
privilege exec level 5 show configuration
privilege exec level 5 show
line con 0
 login local
line aux 0
 login local
line vty 0 4
 login local

In this example, only the user "omer" will be able to enter privileged exec
mode, which is required to issue any copy command. User "abc" will be able
to issue all non-privileged commands, plus the command "show configuration"
which is the same as "show startup-config". Note that you must change the
"password xvz" on the CON, AUX and VTY lines for "login local" to ensure
that users will be authenticated by the rules you create. You must also use
an "enable secret" and never an "enable password". The "enable password"
doesn't use strong encryption and the user would be able to discover it even
if it was encrypted by the "service password-encryption". I applied a
configuration like this on a network where user "abc" should be able to
audit the router's configuration but with no right to change it.

There's one last thing that you must keep in mind: anyone with physical
access to the box and a medium knowledge about Cisco routers will be able to
do a "password recover" and change everything you do!

Hope this helps!

Regards

Ednilson Rosa


----- Original Message -----
From: "Omer Ehsan Dar" 
To: 
Sent: Sunday, August 26, 2001 4:18 AM
Subject: console access to 2500 [7:17302]


Hi all,
Can you restrict console access to the router? Does it accept an
encrypted password? Also, can you prevent in some way people from using
the copy run start command so that they cannot update the router config?
Thanks
Omer




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17315&t=17302
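
An added example, not part of the original thread or of any Cisco tooling: a small Python check that audits a saved configuration for the points the reply makes (an "enable secret" and no "enable password", "login local" on the CON, AUX and VTY lines, no leftover line passwords). The sample configuration is constructed, the function name audit is hypothetical, and the username check goes beyond the reply by applying its point 1 to local user passwords, which use the same encoding.

```python
import re

# Constructed sample: the reply's layout with two weaknesses added
# (an "enable password" and a vty line still using a line password).
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$b1c/$92VTP65ehu8CHkcitiW4NBW.
enable password xyz
username abc privilege 5 password xyz
username omer privilege 10 password 123
line con 0
 login local
line aux 0
 login local
line vty 0 4
 password xyz
 login
"""

def audit(config: str) -> list[str]:
    """Return findings for a saved IOS configuration (hypothetical helper)."""
    findings, blocks, current = [], {}, None
    lines = config.splitlines()
    if "service password-encryption" not in (l.strip() for l in lines):
        findings.append("service password-encryption is off")
    if not any(l.startswith("enable secret ") for l in lines):
        findings.append("no enable secret configured")
    for raw in lines:
        if raw.startswith("enable password"):
            findings.append("enable password present: use only enable secret")
        user = re.match(r"username (\S+) .*\bpassword\b", raw)
        if user:
            findings.append(f"user {user.group(1)}: weakly encoded password")
        line = re.match(r"line (con|aux|vty) (.+)", raw)
        if line:
            # Start collecting the sub-commands of this line block.
            current = f"{line.group(1)} {line.group(2).strip()}"
            blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        elif raw.strip():
            current = None  # any other global command ends the block
    for name, cmds in blocks.items():
        if "login local" not in cmds:
            findings.append(f"line {name}: missing login local")
        if any(c.startswith("password") for c in cmds):
            findings.append(f"line {name}: line password still configured")
    return findings
```
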