I thought I could get this done by doing the following:

privilege cmd level 6 mode exec command user

But under a user with that priv level, the user can only do the following:

user newuser

They can't assign a password and priv level.

Maybe there is a better / another way to do this?

evolvd
  • Could you explain the reason for wanting this? TACACS+ or RADIUS may be better options. – Adam Jun 16 '11 at 19:23
  • I was trying to think of the fastest way to give a client the ability to do this (to manage VPN users). I found out we have enough time to implement a RADIUS service, so that will be the path. – evolvd Jun 16 '11 at 22:50

1 Answer

In exec mode, user expands to user-alert; this isn't what you want.

You're probably looking for something more along these lines:

privilege cmd level 6 mode configure command username

And then possibly some allowances for config-username mode:

privilege cmd level 6 mode username command service-type
privilege cmd level 6 mode username command group-lock
...

But that's worthless as anything other than a thought exercise. If I'm a restricted level 6 user, and I'm allowed to run the username command in configure mode, then I can create myself a level 15 user; it's just a waste of effort to put a completely ineffective restriction in place. Adam's exactly right, TACACS+ should be used for this.

Shane Madden
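
As an added example (not part of the answer above and not vendor code), this Python audit parses `privilege` lines in the format quoted on this page and flags the case the answer describes: a level below 15 that may run `username` in configure mode. The other entries in `ESCALATING`, and the handling of an omitted keyword or mode, are assumptions.

```python
import re

# Assumption: configure-mode commands that let whoever runs them raise their
# own privilege. Only `username` comes from the page; the rest are added here.
ESCALATING = {"username", "privilege", "enable", "aaa"}
FULL_PRIV = 15

LINE_RE = re.compile(
    r"^\s*privilege\s+(?:(show|clear|cmd)\s+)?level\s+(\d+)"
    r"(?:\s+mode\s+(\S+))?\s+command\s+(\S+)\s*$"
)

def parse_privilege_lines(config_text):
    """Yield (lineno, kind, level, mode, command) for each privilege line."""
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m:
            kind, level, mode, command = m.groups()
            # Assumption: an omitted keyword or mode is treated as covering
            # every form / every mode, which is the conservative reading.
            yield lineno, kind or "all", int(level), mode or "any", command

def find_ineffective_restrictions(config_text):
    """Return (lineno, level, command) where a sub-15 level can escalate."""
    findings = []
    for lineno, kind, level, mode, command in parse_privilege_lines(config_text):
        if kind in ("show", "clear"):
            continue  # these forms do not configure anything
        if level < FULL_PRIV and mode in ("configure", "any") and command in ESCALATING:
            findings.append((lineno, level, command))
    return findings

# Constructed sample configuration built from the lines discussed above.
SAMPLE = """\
privilege cmd level 6 mode exec command user
privilege cmd level 6 mode configure command username
privilege cmd level 6 mode username command service-type
privilege cmd level 6 mode username command group-lock
privilege show level 5 mode configure command username
"""

if __name__ == "__main__":
    for lineno, level, command in find_ineffective_restrictions(SAMPLE):
        print(f"line {lineno}: level {level} may run '{command}' in configure "
              f"mode, so the level restriction does not hold")
```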