Privilege command for Cisco IOS CAT 3750/3560/3550

Recently, I showed you how to enable radius authentication using Microsoft Server 2003 IAS. Today I will show you how to control access to the switch and show logs of changes by user associated with the users name. Authorization and Accounting is important especially if you have multiple users do changes on your network switches. Instead of playing the guessing game of who made the boo boo in your network, you can actually pin point and show them all the commands they have entered before the issue. Not only that you can pin point who did it, you can also go back and undo the changes since you know what was done. This can also be done using a Cisco ACS server but if you don't have it in place, this is the cheap way to do it.

Below is the command sample for privilege commands.

enable secret level 2 poweruser -> Creates enable password "poweruser" as the enable 2 password
privilege exec level 2 config t -> Allows the use of "config t" for level 2 user
privilege exec level 2 show run -> Allows the use of "show run" for level 2 user
privilege exec level 2 write mem -> Allows the use of "write mem" for level 2 user saving changes
privilege configure level 2 interface -> Allows the use of "interface command" for level 2 user in config mode
privilege interface level 2 description -> Allows the use of "description command" for level 2 user in config mode

The commands below allows the user to change speed and duplex of an interface in config mode
privilege interface level 2 speed 10
privilege interface level 2 speed 100
privilege interface level 2 speed auto
privilege interface level 2 duplex half
privilege interface level 2 duplex full
privilege interface level 2 duplex auto

The commands below allows the user to change VLANs of an interface in config mode
privilege interface level 2 switchport access vlan

The command below allows the user to shutdown an interface in config mode
privilege interface level 2 shutdown

The commands below allows the user to set the portfast to an interface in config mode
privilege interface level 2 spanning-tree portfast

You can pretty much add the commands that you would like them to be able to access.

All we did was to create another enable password level 2. So when you login to the switch instead of using just enable, you will type " enable 2" and the password will be "poweruser"


After you enable the privilege commands you can also enable Archive this will allow you to see changes made on the switch by a user.

archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys

- To show the arcvhive list
show archive log config all

- To clear the archive list
clear archive log config



Now let check the configuration

rbautista_adm know the regular enable password and rbautista only knows the enable 2 password

Below I can change the hostname since I have the access to everything.




Below rbautista logs in using enable 2 password

The user that uses enable 2 password cannot change the hostname of the switch because hostname command is not listed on his access.


He also have no access to show archive. Now lets login using the regular enable with rbautista_adm.



As you can see the changes I made was listed above. You can also clear the archive logs if it gets full. We set it up to have 200 queue length default is 100 maximum queue length is 1000.

Note: Don't get confuse with rbautista_adm and rbautista. I can log in as rbautista_adm but if I use the enable 2 password I still have only access to commands we made available.