Privilege Levels on FWs, switches and Routers

Jun 12th, 2009

One question - I am bothered with the privilege level settings.

Is there a default mapping between a priv lvl and the commands you are allowed to execute, or does one need to define that?

EX: I want somebody to only have the right of executing sh run on a device and nothing more. Can this be done?



nagel Fri, 06/12/2009 - 06:58

I would start by configuring a privilege level and then use the ? to list all the commands available at that level.

privilege level 0 - Includes the disable, enable, exit, help, and logout commands.

privilege level 1 - Normal level on Telnet; includes all user-level commands at the router> prompt.

privilege level 15 - Includes all enable-level commands at the router# prompt.

Commands available at a particular level in a particular router can be found by typing a ? at the router prompt. Commands may be moved between privilege levels by using the privilege command, as illustrated in the example. While this example shows local authentication and authorization, the commands work similarly for TACACS+ or RADIUS authentication and exec authorization (more granularity in control of the router may be achieved with implementation of TACACS+ command authorization with a server.)

Additional details on the users and privilege levels presented in the example:

User six is able to Telnet in and execute the show run command, but the resulting configuration is virtually blank because this user cannot configure anything (configure terminal is at level 8, not at level 6). The user is not permitted to see usernames and passwords of the other users, or to see Simple Network Management Protocol (SNMP) information.

User john is able to Telnet in and execute the show run command, but only sees commands that he can configure (the snmp-server community part of the router configuration, since this user is our network management administrator). He can configure snmp-server community because configure terminal is at level 8 (at or below level 9), and snmp-server community is a level 8 command. The user is not permitted to see usernames and passwords of the other users, but he is trusted with the SNMP configuration.

User inout is able to Telnet in, and, by virtue of being configured for autocommand show running, sees the configuration displayed but is disconnected thereafter.

User poweruser is able to Telnet in and execute the show run command. This user is at level 15, and is able to see all commands. All commands are at or below level 15; users at this level can also view and control usernames and passwords.
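The answer above refers to "the example" without including it, so here is an added IOS configuration (written for this page, not taken from the original post or from Cisco's documentation) that reproduces the four users as described: six at level 6, john at level 9, inout with an autocommand, and poweruser at level 15. The level chosen for show running-config (6) and the per-level enable secrets are assumptions picked to match the behaviour described; the placeholder secrets in angle brackets are not real values.

```cisco
! Added example configuration (not from the original post).
! Local AAA so that the privilege level on each username is applied at login
! (without "aaa authorization exec", every user lands at level 1 and must
! "enable <level>" by hand).
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! One enable secret per level that users may step up to (assumed values).
enable secret level 6 <level6-secret>
enable secret level 8 <level8-secret>
enable secret level 15 <level15-secret>
!
! Move commands between levels. Anything not moved keeps its default:
! user-level commands at 1, enable-level commands at 15.
! Note: lowering "show running-config" to 6 also lowers the "show" keyword to 6.
privilege exec level 6 show running-config
privilege exec level 8 configure terminal
privilege configure level 8 snmp-server community
!
! six: can run show run, but sees an almost empty config (cannot configure).
username six privilege 6 secret <six-secret>
! john: level 9 >= 8, so can enter configure terminal and set snmp-server community,
! and show run displays only the SNMP community part.
username john privilege 9 secret <john-secret>
! inout: show run is executed on login and the session is then closed.
! Its level (assumed 15 here) decides how much of the config is displayed.
username inout privilege 15 secret <inout-secret>
username inout autocommand show running-config
! poweruser: full level 15, sees everything including usernames and passwords.
username poweruser privilege 15 secret <poweruser-secret>
```

For the original question (a user allowed to run sh run and nothing else), the inout pattern is the closest fit: the autocommand runs the one command and disconnects, so the user never reaches an interactive prompt. To check the result, log in as each user and run show privilege to confirm the level, then ? at the prompt to list exactly which commands that level exposes; the configuration shown by show run is filtered to the commands at or below the user's level, which is why six sees a nearly blank configuration and john sees only the snmp-server community lines.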


