Re: IOS privileges for helpdesk posted 11/03/2008
Is this for production or for lab purposes? If production your best
option is to use tacacs for per command auth. Otherwise either use an
ios menu to limit what they can show, or assign them privilege 0 and
move commands down instead of up. If you look at the "show parser
dump" you'll see that privilege 1 has basically all show commands
except show run, which may not be what you want.
Brian McGahan, CCIE #8593 (R&S/SP/Security)
Internetwork Expert, Inc.
On Nov 3, 2008, at 8:37 PM, "darth router" <darklordrouter@xxxxxxxxx>
> thank you also
> On Mon, Nov 3, 2008 at 4:58 PM, Brian McGahan <bmcgahan@xxxxxxxxxxxxxxxxxxxxxx
> > wrote:
> You need to add "aaa authorization exec default local" to authorize
> the user to privilege 2. When AAA is off, exec authorization
> defaults to local already, but when AAA is on you need to manually
> specify it.
> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> Internetwork Expert, Inc.
> Toll Free: 877-224-8987 x 705
> Outside US: 775-826-4344 x 705
> Online Community: http://www.IEOC.com
> CCIE Blog: http://blog.internetworkexpert.com
> darth router wrote:
>> Few questions on this.
>> 1. With the below config, can I get this to work somehow? I do not want to
>> get rid of the enable pass. It will not work with the current config.
>> 2. Is there a way to have more than 1 enable pass with a diff priv level set
>> for helpdesk (haven't been able to get this to work)?
>> 3. Is there a way to clear all commands from a privilege level, ping, etc.?
>> I can see in the doc CD how to add, but not remove.
>>
>> aaa authentication login default local line
>> aaa authentication enable default enable
>> enable secret cisco
>> username admin password cisco
>> username helpdesk privilege 2
>> Blogs and organic groups at http://www.ccie.net
>> Subscription information may be found at:
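Pulling Brian's suggestions and the quoted config together, here is an added worked example (not configuration posted by either participant) of a local-AAA helpdesk setup on IOS: exec authorization so the privilege-2 user actually lands at level 2 without typing enable, a second enable secret tied to level 2, and commands re-homed between levels. The passwords are placeholders and the particular commands moved up and down are assumed for illustration.

```ios
! Added example, not from the original posts. Placeholders in <angle brackets>.
aaa new-model
aaa authentication login default local line
aaa authentication enable default enable
! Once "aaa new-model" is on, exec authorization is no longer implicit: without
! this line the "privilege 2" keyword on the username is ignored and the
! helpdesk user logs in at level 1.
aaa authorization exec default local
!
! The existing level-15 enable secret stays in place (question 1).
enable secret <admin-enable-secret>
! A second enable secret bound to level 2; "enable 2" prompts for it (question 2).
enable secret level 2 <helpdesk-enable-secret>
!
username admin privilege 15 secret <admin-password>
username helpdesk privilege 2 secret <helpdesk-password>
!
! Move the few things the helpdesk needs DOWN to level 2 (assumed command set).
privilege exec level 2 show running-config
privilege exec level 2 clear counters
!
! Commands are not deleted from a level; they are moved UP so the lower level
! no longer sees them (question 3). Level 1 has ping/traceroute/telnet by default.
privilege exec level 15 ping
privilege exec level 15 traceroute
privilege exec level 15 telnet
```

Checks worth doing before saving: keep a second vty session open at level 15 while testing, since a mistake in the aaa authorization line can lock you out; log in as helpdesk and run `show privilege` (it should report level 2) and then try `ping`, which should now be rejected as an unrecognized command. `show running-config | include privilege` lists every command that has been moved, and `privilege exec reset <command>` puts a moved command back at its default level. A level-2 user given `show running-config` sees only the portions of the configuration that level 2 is also allowed to configure, so expect a much shorter listing than at level 15. For production, per-command authorization against TACACS+ (`aaa authorization commands 2 default group tacacs+ local`) replaces the privilege lines, as Brian recommends.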