Based on your comments, the default sl_def_acl ACL didn't load into your configuration, for whatever reason. The behavior for the login-block feature is to use a quiet mode after certain parameters have been violated. In your case, 3 failed attempts within 60 seconds will apply a quiet-period ACL for 120 seconds. If you haven't explicitly defined a quiet mode, it will default to the ACL below.
Router#show access-lists sl_def_acl
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet
20 deny tcp any any eq www
30 deny tcp any any eq 22
40 permit ip any any
Default sl_def_acl ACL sample, courtesy of Cisco IOS Login Enhancements (Login Block).
Manually defining your own ACL for these parameters is ideal.
login quiet-mode access-class {acl-name | acl-number}
If you want additional information on how this function works, pop on over to the Cisco Documentation that covers this for more detail.
You already know the majority of the answer to your own question - you need to configure commands the user can run at a specific privilege level. enable without a privilege level argument defaults to privilege level 15, which has permissions to run all commands. The two things you need to do are:
Change the default enable password so the user doesn't have access to it anymore and therefore can't get to privilege level 15.
Set the user's default privilege level at login to the same privilege level that you've changed the desired commands the user can run at:
Router(config)#username joe privilege <x> password foobar
where <x> is the privilege level for your desired command set.
EDIT: I should point out that this doesn't actually provide true user based command authorization, it only provides privilege level based authorization, because the commands themselves are only bound to one privilege level at a time, so it's effectively a router-wide change. It's intended to work in a hierarchical fashion; each privilege level can run the commands at that level as well as all levels below it. If you want true user based authorization, you need an AAA server of some kind (see my note below).
You could technically also change the privilege level of the enable command to be one higher than the user's privilege level so they don't even have the option of running it:
Router(config)#privilege exec level <x> enable
This of course assumes that you don't want the user to be able to run any configuration commands.
Another option is to make sure that when the user logs in and types enable they need to specify their privilege level rather than no privilege level, which defaults to 15.
Router>enable <x>
Obviously you can specify enable passwords for all 16 privilege levels if you so desire.
My final point is that without an external AAA server, all of this is a giant pain in the ass. There are a multitude of open source TACACS+ implementations available that only have a cost of initial setup, but they make doing stuff like this somewhat trivial, and it's centralized, so if you have multiple routers you don't have to keep repeating the same command privilege jumprope on every device you manage. This is why AAA servers exist in the first place, so your requirement that you don't want to use one doesn't make a lot of sense.
Best Answer
You can't do that, but you can configure the router so it prompts for name/password at login, and based on the user's privilege, they will be in enable mode or not. So instead of a two-step login, they login once and are put in the proper mode.
When jong-mee logs in, she gets prompted for her password, and immediately goes into enable mode. But when Farouk logs in, he is only in user mode.
Make the enable secret long and complicated so it can't be guessed. You won't have to use it anymore.
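Putting the login-block answer and the privilege-level answers together, here is an added example configuration (not from any of the answers above): an explicit quiet-mode ACL in place of the implicit sl_def_acl, a small command set moved to level 5, and login-local users who land at level 15 and level 5. The management host 192.0.2.10, the secret placeholders, the level-5 command set and placing Farouk at level 5 rather than level 1 are assumptions.

```cisco
! Added example (not from any of the answers above): ties together the
! login-block quiet mode and privilege-level answers. Management host
! address, user secrets and the level-5 command set are assumptions.
!
! --- Login Block: 3 failures within 60 s triggers a 120 s quiet period ---
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! Explicit quiet-mode ACL instead of the implicit sl_def_acl: it still admits
! one trusted management host (192.0.2.10, assumed) during the quiet period,
! so a burst of failed logins cannot lock the operators out as well.
ip access-list extended QUIET-MODE-ACL
 permit tcp host 192.0.2.10 any eq 22
 deny tcp any any eq telnet
 deny tcp any any eq www
 deny tcp any any eq 22
 permit ip any any
login quiet-mode access-class QUIET-MODE-ACL
!
! --- Privilege levels: move a small command set down to level 5 ---
privilege exec level 5 show ip interface brief
privilege exec level 5 show interfaces
privilege exec level 5 clear counters
! Raise 'enable' above level 5 so a level-5 user cannot even attempt it.
privilege exec level 6 enable
!
! Level-15 (auto-enable) admin and a restricted level-5 operator.
! Placeholder secrets shown; IOS stores them hashed.
username jong-mee privilege 15 secret ADMIN-SECRET-PLACEHOLDER
username farouk privilege 5 secret OPERATOR-SECRET-PLACEHOLDER
!
! Long random enable secret that nobody needs to type any more.
enable secret ENABLE-SECRET-PLACEHOLDER
!
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
!
! Verify with: show login / show privilege / show access-lists QUIET-MODE-ACL
```

Log in as each user and run show privilege to confirm the level, then trigger the quiet mode from a non-management address and confirm the management host can still reach SSH.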