Don't mess around with the privilege level command.  Jeff is correct in that
you should build yourself a TACACS server (after all, it is free).
Another thing, Authorization, does it ring a bell?  Even with TACACS, one
of the complaints that I've heard about customers is that somehow, if the
router can NOT reach the TACACS server, somehow you will have to configure
local authorization (i.e. on the router) for this to work.  If the router
can reach the TACACS server, authorization on the TACACS server can provide very
fine granular control over what a user can/can't do.  Download the TACACS
source code from the Cisco website and compile it on a UNIX box and you will
have a TACACS server to play with.  It is very simple.

>From: "Jeff Chambers"
>Reply-To: "Jeff Chambers"
>To: [EMAIL PROTECTED]
>Subject: RE: Privilege Level command driving me nuts!! [7:19158]
>Date: Sun, 9 Sep 2001 02:00:50 -0400
>
>You can reset a command to its normal priv level using the format
>
>privilege exec reset put_the_entire_command_here
>
>Configuring privilege levels for commands on a router can be very
>frustrating. It also doesn't scale well in a medium to large
>network. The best production method I have found is to use TACACS.
>You can assign all users privilege level 15 and allow or deny
>commands at the user or group level. In my testing (it has been
>9 months or so, this may have changed), the user must be at privilege
>level 15 in order to receive valid output from the show
>running-configuration command. It will return a blank configuration
>if the user is not at privilege level 15.
>
>Jeff.
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
>Cisco Nuts
>Sent: Sunday, September 09, 2001 12:59 AM
>To: [EMAIL PROTECTED]
>Subject: Privilege Level command driving me nuts!! [7:19158]
>
>
>Hi, I am trying to configure privilege exec level commands on my router
>but am going nuts at the output of these commands: Basically, here is
>what I have configured:
>
>#enable secret level 3 cisco
>!
>#privilege exec level 3 ping
>#privilege exec level 3 traceroute
>#privilege exec level 3 show ip route
>#privilege exec level 3 show startup-configuration
>#privilege exec level 3 show running-configuration
>!
>#
>
>When I do a log in using enable secret level 3, I can get the output
>of the #sh star command but not of the #sh ru command?
>
>Also, when I do a sh ru on the router using regular privilege
>level(15), I see 2 additional commands automatically configured for me:
>
>#privilege exec level 1 show
>#privilege exec level 1 show ip
>
>It will NOT let me remove these 2 commands nor will it let me change
>this to privilege level 3. Nor will it let me remove any individual
>commands!! What's going on? Any ideas? Thank you for your help.
>
>Kind regards.
>Nuts!!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=19179&t=19158
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
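
Added example (not part of the original messages, and not Cisco code): a small Python check, run over a saved copy of a router configuration, that lists AAA method lists with no fallback after the TACACS+ server group (the unreachable-server case raised in the reply above) and the per-command privilege lines that would move to the TACACS server. The sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+
privilege exec level 3 show running-config
privilege exec level 3 traceroute
privilege exec level 3 ping
"""

AAA_LINE = re.compile(
    r"^aaa\s+(authentication\s+login|authorization\s+exec|"
    r"authorization\s+commands\s+\d+)\s+(\S+)\s+(.+)$")
PRIV_LINE = re.compile(r"^privilege\s+exec\s+level\s+(\d+)\s+(.+)$")


def parse_methods(text):
    """Split a method list into methods, keeping 'group <name>' together."""
    return re.findall(r"group\s+\S+|\S+", text)


def audit(config):
    """Return method lists with no fallback and per-command privilege lines."""
    no_fallback, overrides = [], []
    for raw in config.splitlines():
        line = raw.strip()
        m = AAA_LINE.match(line)
        if m:
            service = " ".join(m.group(1).split())
            # A server group as the last method means nothing else is
            # tried when the TACACS+ server cannot be reached.
            if parse_methods(m.group(3))[-1].startswith("group"):
                no_fallback.append((service, m.group(2)))
            continue
        p = PRIV_LINE.match(line)
        if p:
            overrides.append((int(p.group(1)), p.group(2)))
    return {"no_fallback": no_fallback, "privilege_overrides": overrides}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```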
