what is the purpose of assigning different privilege levels ?

Unanswered Question
Dec 13th, 2007

Dear All,

what is the purpose of assigning different privilege levels ?

privilege exec level 2 show ip

privilege exec level 2 show start

privilege exec level 2 term mon

privilege exec level 10 configure terminal

privilege exec level 10 traceroute

privilege exec level 10 ping

and

how to assign different privilege levels

thanks,

rageurdreams.

shiva_ial Thu, 12/13/2007 - 02:55

When it comes to the different privilege levels in the Cisco IOS,

the higher your privilege level, the more router access you have.

Most Cisco router users are familiar with only two privilege levels:

User EXEC mode-privilege level 1

Privileged EXEC mode-privilege level 15

When you log in to a Cisco router under the default configuration,

you're in user EXEC mode (level 1). From this mode,

you have access to some information about the router,

such as the status of interfaces, and you can view routes in the routing table.

However, you can't make any changes or view the running configuration file.

By default, typing enable takes you to level 15, privileged EXEC mode, where you have full access to the router.

The username command configures users; it can also tell the IOS which privilege level the user will have when logging in.

Here's an example:

router(config)# username test password test privilege 3

rageurdreams Thu, 12/13/2007 - 03:02

thanks for quick reply.

privilege exec level 2 show ip

privilege exec level 2 show start

privilege exec level 2 term mon

privilege exec level 10 configure terminal

privilege exec level 10 traceroute

privilege exec level 10 ping

From the above config, I understood that with this privilege level we can access particular (bold) commands only.

If it is so, please tell me how to configure that.

thanks

mohammedmahmoud Thu, 12/13/2007 - 03:12

Hi Rageurdreams,

Here is a summary of the privilege level issue:

By default, there are three command levels on the router:

privilege level 0 - Includes the disable, enable, exit, help, and logout commands.

privilege level 1 (User EXEC mode - disable mode)- Normal level on Telnet; includes all user-level commands at the router> prompt.

privilege level 15 (Privilege EXEC mode - enable mode) - Includes all enable-level commands at the router# prompt.

NOTE: Both level 0 and 1 have a ">" prompt, while any higher privilege (2-15) has a "#". Even if privilege 0 and 1 are assigned extra higher-level commands, their prompt is still ">" and never "#", even when given configuration privilege, for example "Rack1R1(config)>".

However, you can configure additional levels of access to commands (user-defined privilege levels 2-14), called privilege levels, to meet the needs of your users while protecting the system from unauthorized access. Up to 16 privilege levels can be configured, from level 0, which is the most restricted level, to level 15, which is the least restricted level.

Accordingly, for example, level 10 is a custom level; you have to define the allowed commands for that level either via the privilege command or via the TACACS+ server (authorization).

A higher level inherits the lower levels' commands by default, even the custom levels.

According to the last couple of statements, if we create a level 5 without adding any command to this level via the privilege command, it will inherit all the level 1 commands until we add more commands to this level via the privilege command.

We can pull some level 15 commands down to the user-defined custom privilege levels using the privilege {exec | configuration} [all] level x {} command (all = all suboptions).

We can then assign the privilege per user, using the username <> privilege x password <> command.

For more details please check this document:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part30/05ch/secpriv.htm

HTH,

Mohammed Mahmoud.
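The following is an added example and not code from anyone in this thread. It is a small Python model of the rules the replies above describe (levels 0/1/15 by default, custom levels 2-14 inheriting everything below them, privilege exec [all] level N moving a command, username ... privilege N assigning a user's level) and runs the exact privilege lines from the question through it. DEFAULT_LEVELS is a constructed subset of the IOS command tree, the usernames guest/junior/test/netops are made up, and the handling of parent keywords (the model only lowers a parent keyword to keep a command reachable, never raises it) is a simplifying assumption, not a statement about the real parser.

```python
"""Model of how Cisco IOS resolves privilege levels for EXEC commands.

Added example, not code from the thread. DEFAULT_LEVELS is a constructed
subset of the IOS command tree; the usernames below are made up.
"""
from dataclasses import dataclass, field

# Constructed default table: command tuple -> privilege level.
DEFAULT_LEVELS = {
    # level 0: disable, enable, exit, help, logout
    ("disable",): 0, ("enable",): 0, ("exit",): 0, ("help",): 0, ("logout",): 0,
    # level 1: user EXEC commands
    ("show",): 1, ("show", "ip"): 1, ("show", "ip", "route"): 1,
    ("show", "interfaces"): 1, ("ping",): 1, ("traceroute",): 1,
    ("terminal",): 1, ("terminal", "monitor"): 1,
    # level 15: privileged EXEC commands
    ("show", "running-config"): 15, ("show", "startup-config"): 15,
    ("configure",): 15, ("configure", "terminal"): 15, ("reload",): 15,
}


@dataclass
class IOSPrivilegeModel:
    levels: dict = field(default_factory=lambda: dict(DEFAULT_LEVELS))
    users: dict = field(default_factory=dict)  # username -> privilege level

    def expand(self, words):
        """Expand IOS-style abbreviations, e.g. 'show start' -> show startup-config."""
        out = ()
        for w in words:
            cands = {k[len(out)] for k in self.levels
                     if len(k) > len(out) and k[:len(out)] == out}
            hits = [c for c in cands if c == w] or [c for c in cands if c.startswith(w)]
            if len(hits) != 1:
                raise ValueError(f"unknown or ambiguous keyword {w!r} after {' '.join(out)!r}")
            out += (hits[0],)
        return out

    def apply(self, line):
        """Apply one config line: 'privilege exec [all] level N <cmd>' or 'username ...'."""
        t = line.split()
        if t[:2] == ["privilege", "exec"]:
            sub_all = t[2] == "all"
            i = 3 if sub_all else 2
            lvl = int(t[i + 1])
            if t[i] != "level" or not 0 <= lvl <= 15:
                raise ValueError(f"bad privilege line: {line}")
            cmd = self.expand(t[i + 2:])
            self.levels[cmd] = lvl
            if sub_all:  # 'all' = every sub-option of the command gets the level too
                for k in self.levels:
                    if k[:len(cmd)] == cmd:
                        self.levels[k] = lvl
            # Parent keywords must stay reachable at this level (assumption:
            # the model only lowers parents, it never raises them).
            for j in range(1, len(cmd)):
                self.levels[cmd[:j]] = min(self.levels[cmd[:j]], lvl)
        elif t[0] == "username":
            # Level defaults to 1 when no 'privilege N' is given.
            self.users[t[1]] = int(t[t.index("privilege") + 1]) if "privilege" in t else 1
        else:
            raise ValueError(f"unsupported line: {line}")

    def can_run(self, user, command):
        """True if every keyword on the path, and the command itself, is at or below the user's level."""
        lvl = self.users[user]
        cmd = self.expand(command.split())
        return all(self.levels[cmd[:j]] <= lvl for j in range(1, len(cmd) + 1))

    def commands_at(self, level):
        """What a user at `level` inherits: every command at or below that level."""
        return sorted(" ".join(k) for k, v in self.levels.items() if v <= level)

    def prompt(self, user, hostname="Router"):
        """Levels 0 and 1 get '>', levels 2-15 get '#'."""
        return hostname + (">" if self.users[user] <= 1 else "#")


# The six privilege lines from the question, plus constructed users (not from the thread).
THREAD_CONFIG = """\
privilege exec level 2 show ip
privilege exec level 2 show start
privilege exec level 2 term mon
privilege exec level 10 configure terminal
privilege exec level 10 traceroute
privilege exec level 10 ping
username guest privilege 1 password guest
username junior privilege 2 password junior
username test privilege 3 password test
username netops privilege 10 password netops
"""


def build_thread_model():
    m = IOSPrivilegeModel()
    for line in THREAD_CONFIG.splitlines():
        if line.strip():
            m.apply(line)
    return m


if __name__ == "__main__":
    m = build_thread_model()
    for user, cmd in [("guest", "show ip route"), ("junior", "show ip route"),
                      ("junior", "show start"), ("junior", "ping"),
                      ("test", "show start"), ("netops", "conf t"), ("netops", "show run")]:
        verdict = "allowed" if m.can_run(user, cmd) else "denied"
        print(f"{m.prompt(user)} {cmd:<14} as {user:<7} -> {verdict}")
```

Running it shows the two things a practitioner should notice in the question's config: moving show ip to level 2 takes show ip route away from the default level-1 user (the parent keyword now needs level 2), and moving ping and traceroute up to level 10 removes them from levels 1-9 even though they are level-1 commands by default. It also shows the inheritance rule: the level-3 user test gets show startup-config although nothing was assigned to level 3. Note that show start at level 2 hands that level the complete startup configuration, including whatever password and secret lines it contains, so check what a pulled-down show command exposes before granting it.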

hobbe Thu, 12/13/2007 - 04:36

Ok, here is the deal.

Privilege is for different accounts to have different rights.

For example, you might want the junior staff to have the rights to log on to the router and do some basic things but not other things.

Then you have an account for the junior staff and one admin account.

For example, you have an account for person X to be able to add users in the local database, but you do not want them to be able to reconfigure the VPN tunnel settings.

Example to set the privilege on a user in the local database:

username ABC123 privilege 4 password ABC123
