Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
389
Views
0
Helpful
2
Replies

Privilege Levels on FWs, switches and Routers

hunnetvl01
Level 1
Level 1

‎06-12-2009 04:30 AM - edited ‎03-09-2019 10:21 PM

One question - I am bothered with the privilege level settings.

Is there a default mapping between a priv lvl and teh commands you are allowed to execute or one needs to define that.

EX: I want somebody to only have the right of executing sh run on a device and nothing more.Can this be done?

Thx,

Vlad

Labels:
0 Helpful
2 Replies 2

nagel
Level 1
Level 1

‎06-12-2009 06:58 AM

I would start by configuring a privilege level and then use the ? to list all the commands available at that level.

privilege level 0 - Includes the disable, enable, exit, help, and logout commands.

privilege level 1 - Normal level on Telnet; includes all user-level commands at the router> prompt.

privilege level 15 - Includes all enable-level commands at the router# prompt.

Commands available at a particular level in a particular router can be found by typing a ? at the router prompt. Commands may be moved between privilege levels by using the privilege command, as illustrated in the example. While this example shows local authentication and authorization, the commands work similarly for TACACS+ or RADIUS authentication and exec authorization (more granularity in control of the router may be achieved with implementation of TACACS+ command authorization with a server.)

Additional details on the users and privilege levels presented in the example:

User six is able to Telnet in and execute the show run command, but the resulting configuration is virtually blank because this user cannot configure anything (configure terminal is at level 8, not at level 6). The user is not permitted to see usernames and passwords of the other users, or to see Simple Network Management Protocol (SNMP) information.

User john is able to Telnet in and execute the show run command, but only sees commands that he can configure (the snmp-server community part of the router configuration, since this user is our network management administrator). He can configure snmp-server community because configure terminal is at level 8 (at or below level 9), and snmp-server community is a level 8 command. The user is not permitted to see usernames and passwords of the other users, but he is trusted with the SNMP configuration.

User inout is able to Telnet in, and, by virtue of being configured for autocommand show running, sees the configuration displayed but is disconnected thereafter.

User poweruser is able to to Telnet in and execute the show run command. This user is at level 15, and is able to see all commands. All commands are at or below level 15; users at this level can also view and control usernames and passwords.

HTH

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni

‎06-12-2009 10:37 PM

The command you mentioned 'show run' is not easy to single out. As the user will only see 'his' privilege level (and lower) commands in the show run output, there are some workarounds available tough, have a look at:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml

Regards

Farrukh

0 Helpful
Customers Also Viewed These Support Documents