Tuesday, April 28, 2015

Privilege Levels in Cisco IOS

A useful management tool available in IOS is the ability to assign privilege levels. Privilege
levels are assigned both to users and to commands, and they range from 0 to 15. By default,
commands are assigned either level 1 or level 15. Commands that must be executed in privileged
EXEC mode are level 15 commands. With a few exceptions, commands that can be executed in user
EXEC mode are level 1 commands. A small number of commands are level 0 commands: enable,
disable, exit, logout, and help. Level 0 commands can be executed at any level.

A user operating in privileged EXEC mode is a level 15 user. A user operating in user EXEC
mode is a level 1 user. Commands and users can be assigned a privilege level different from their
default. Privilege levels are cumulative: a higher level has all the rights of the levels beneath
it. For instance, a level 10 user (if you set one up) can do everything users at levels 9
through 0 can do. Level 15 users can execute all commands.

Commands can also be reassigned to a different privilege level; you can raise or lower the
level of any command. Command privilege levels are set with the privilege command in global
configuration mode. The syntax is as follows, where <mode> is the command mode the command
belongs to (exec for EXEC commands, configure for global configuration commands, interface for
interface configuration commands, and so on):

    privilege <mode> level <0 – 15> <command>

This feature is quite useful because it lets us create several classes of user with custom rights
to IOS commands. Imagine you have a number of administrators with limited knowledge of IOS, but
you need their help with specific tasks such as shutting down and re-enabling an interface or
adding users to an access server. You can configure the router or access server so that,
depending on the password provided, a user is assigned a specific privilege level and is only
allowed to use commands assigned to that level and below.

Privilege levels for users can be set in a number of ways. They can be set permanently on a
line with the privilege level command, interactively at the command prompt with the enable
command, or at login with the username command.

To set the default privilege level for a line, use the privilege level command in line configuration
mode. The syntax is as follows: privilege level <0 – 15>.

To change your privilege level interactively from the command line, use the enable command.
The syntax is enable <0 – 15>, and it can be executed from any EXEC mode. If you leave off the
level number, the router assumes level 15. Set up a separate enable secret for each privilege
level you use, make sure each level's password is different, and share each password only with
the users entitled to that level. The syntax is enable secret level <1 – 15> <password>. Use
enable secret rather than enable password: the former stores a hash of the password, while the
latter stores it in clear text or in the reversible type 7 encoding.

The most common way to assign privilege levels is by username. IOS lets you create
username/password pairs in the router configuration for authentication. Along with
authentication, each user can be assigned a privilege level. Where your IOS release supports it,
use username <name> secret <password> rather than username <name> password <password>, so the
configuration stores a hash instead of a reversible string.

Examples:

In the example below, we create three custom user levels using level numbers 2, 3, and 4.
Level 2 users can run show commands as well as all commands in the levels below. By default,
level 1 users can run most show commands, but after the command privilege exec level 2 show is
added to the configuration they no longer can: show now requires level 2. Level 3 users are
permitted to issue show ip route, but level 2 users cannot. Level 4 and above users can issue
show access-list as well as any command in the levels below.

    Router(config)# privilege exec level 2 show
    Router(config)# privilege exec level 3 show ip route
    Router(config)# privilege exec level 4 show access-list
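The following Python model, added here as an example and not code from the original post or from Cisco, works through the cumulative level hierarchy and the three privilege exec level reassignments above: it answers "can a level-N user run this command?" by matching the command against the longest configured prefix and otherwise falling back to the IOS default of 0, 1 or 15. The set of privileged-EXEC-only commands is an assumption for the model, and the real IOS parser also registers the parent keywords of a reassigned command, a detail this simplified model does not reproduce.

```python
"""Model of how Cisco IOS privilege levels gate EXEC commands.

Added example, not code from the original post or from Cisco. It models the
cumulative level hierarchy and the 'privilege exec level N <command>'
reassignments shown above. The real IOS parser also registers the parent
keywords of a reassigned command, which this simplified model does not do.
"""

LEVEL_0 = {"enable", "disable", "exit", "logout", "help"}  # usable at any level
# Assumption for this model: a few commands that only privileged EXEC mode can run.
PRIV_EXEC_ONLY = {"configure", "reload", "write", "copy", "debug"}


class PrivilegeTable:
    def __init__(self):
        # normalized command string -> level, filled by privilege_exec_level()
        self.assigned = {}

    def privilege_exec_level(self, level, command):
        """Equivalent of 'privilege exec level <level> <command>'."""
        if not 0 <= level <= 15:
            raise ValueError("privilege level must be 0-15")
        self.assigned[" ".join(command.split())] = level

    def level_of(self, command):
        """Level required to run command: the longest configured prefix wins,
        otherwise the IOS default (0, 1 or 15)."""
        words = command.split()
        for n in range(len(words), 0, -1):
            prefix = " ".join(words[:n])
            if prefix in self.assigned:
                return self.assigned[prefix]
        if words[0] in LEVEL_0:
            return 0
        if words[0] in PRIV_EXEC_ONLY:
            return 15
        return 1

    def can_run(self, user_level, command):
        """Levels are cumulative: a level-N user can run everything at N and below."""
        return user_level >= self.level_of(command)


def build_example_table():
    """The three reassignments from the post's example."""
    t = PrivilegeTable()
    t.privilege_exec_level(2, "show")
    t.privilege_exec_level(3, "show ip route")
    t.privilege_exec_level(4, "show access-list")
    return t


if __name__ == "__main__":
    t = build_example_table()
    probes = ("show version", "show ip route", "show access-list",
              "configure terminal", "logout")
    for lvl in (1, 2, 3, 4, 15):
        print(f"level {lvl:2d}: {[c for c in probes if t.can_run(lvl, c)]}")
```

Note what the prefix match implies: show ip interface brief is not named in the configuration, so it inherits the level of its nearest configured ancestor, show, and is available to level 2 users, while show ip route is pinned to level 3.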

The example below assigns level 2 to any user that enters the router over a vty (telnet or SSH)
session, level 3 to any user that enters via the auxiliary port, and level 4 to anyone that
enters via the console port.

    Router(config)# line vty 0 4
    Router(config-line)# privilege level 2
    Router(config-line)# line aux 0
    Router(config-line)# privilege level 3
    Router(config-line)# line console 0
    Router(config-line)# privilege level 4

The example below creates a separate password for each custom privilege level. If a user issues
enable 2, the router prompts for the level 2 password (twopass here); enable 3 requires the level 3
password, and so on.

    Router(config)# enable secret level 2 twopass
    Router(config)# enable secret level 3 threepass
    Router(config)# enable secret level 4 fourpass

The example below creates three users: bob, fred, and sam. Bob is a level 2 user, fred is a level 3
user, and sam is a level 4 user. To have the router prompt for a username and password at login,
use login local in line configuration mode. Without login local (or an AAA login method) the line
authenticates with the line password only, and the privilege level attached to the username is
never applied.

    Router(config)# username bob privilege 2 password bobpass
    Router(config)# username fred privilege 3 password fredpass
    Router(config)# username sam privilege 4 password sampass
    Router(config)# line vty 0 4
    Router(config-line)# login local
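As an added example (not code from the original post or any Cisco tool), the script below parses the post's configuration fragments stitched together into one running-config style text and reports the two weaknesses a reviewer would raise about it: username ... password and enable password store reversible strings where secret stores a hash, and a line-level privilege level applies to anyone who passes the line password unless the line uses login local (or an AAA method). The sample configuration and the hardened variant in the usage note are constructed inputs.

```python
"""Audit a Cisco IOS configuration for privilege-level and credential weaknesses.

Added example, not code from the original post or a Cisco tool. SAMPLE_CONFIG is
the post's examples stitched together (constructed input). The checks encode two
caveats: 'username ... password' and 'enable password' store reversible strings
where 'secret' stores a hash, and a line-level 'privilege level' applies to
anyone who passes the line password unless 'login local' or AAA is configured.
"""
import re

SAMPLE_CONFIG = """\
privilege exec level 2 show
privilege exec level 3 show ip route
privilege exec level 4 show access-list
enable secret level 2 twopass
enable secret level 3 threepass
enable secret level 4 fourpass
username bob privilege 2 password bobpass
username fred privilege 3 password fredpass
username sam privilege 4 password sampass
line vty 0 4
 privilege level 2
 login local
line aux 0
 privilege level 3
line console 0
 privilege level 4
"""

USERNAME_RE = re.compile(
    r"username (\S+)(?: privilege (\d+))? (password|secret) (?:\d )?(\S+)")
PRIVILEGE_RE = re.compile(r"privilege (\S+) level (\d+) (.+)")


def parse_ios_config(text):
    """Pull out users, line blocks, command reassignments and enable credentials."""
    cfg = {"users": [], "lines": {}, "privilege": [], "enable": []}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):  # indented: belongs to the open 'line' block
            if current is not None:
                cfg["lines"][current].append(raw.strip())
            continue
        current = None
        parts = raw.split()
        if parts[0] == "line":
            current = " ".join(parts[1:])
            cfg["lines"].setdefault(current, [])
        elif parts[0] == "username":
            m = USERNAME_RE.match(raw)
            if m:
                cfg["users"].append({"name": m.group(1),
                                     "level": int(m.group(2) or 1),
                                     "kind": m.group(3)})
        elif parts[0] == "privilege":
            m = PRIVILEGE_RE.match(raw)
            if m:
                cfg["privilege"].append((m.group(1), int(m.group(2)), m.group(3)))
        elif parts[0] == "enable" and len(parts) > 1 and parts[1] in ("secret", "password"):
            cfg["enable"].append(parts[1])
    return cfg


def audit(cfg):
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    for u in cfg["users"]:
        if u["kind"] == "password":
            findings.append(f"user {u['name']}: 'password' stores a reversible string; "
                            f"use 'username {u['name']} privilege {u['level']} secret ...'")
    if "password" in cfg["enable"]:
        findings.append("'enable password' is reversible; replace with 'enable secret'")
    for name, body in cfg["lines"].items():
        level = next((int(b.split()[-1]) for b in body
                      if b.startswith("privilege level ")), 1)
        authenticated = any(b == "login local" or b.startswith("login authentication")
                            for b in body)
        if level > 1 and not authenticated:
            findings.append(f"line {name}: privilege level {level} applies to anyone who "
                            f"passes the line password (no 'login local')")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ios_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the post's configuration the audit flags the three password-style user entries and the aux and console lines; a hardened fragment such as username bob privilege 2 secret ... together with line vty 0 4 / privilege level 2 / login local produces no findings.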
source - http://networkingtips-tricks.blogspot.com/2010/04/privilege-levels-in-cisco-ios.html

4 comments:

  1. Excellent post. I want to thank you for this informative read, I really appreciate sharing this great post. Keep up your work.
    123movies

  2. At this point in my writing career, I simply want to get more visibility for your writing and I will write for free as long as you are okay with me adding a small author bio section next to each blog post about myself.Facebook Video Downloader

  3. There are many forms of information technology like computers, sensors, robots and decision support systems. The newest one being used in the market today are handhelds to help managers and subordinates to support their daily operations in the office. Big Data Training London

  4. Phenomenal post. I need to thank you for this enlightening read, I truly value sharing this extraordinary post. Keep up your work...Cooking Madness

