Limited Access

Answered Question
Aug 17th, 2010

Hi,

I am configuring a username and password for one of our trainees, and I want to provide him with an access level to clear port security only (meaning I don't want him to access the config mode).

Which privilege level should I provide him?

Correct Answer by vinodjad1234 about 6 years 11 months ago

Hi,

If I am right, the information below will be helpful for you. If you have any further queries, please let me know.

Specifically, Cisco IOS routers support privilege levels in the range 0 to 15. By default, when you attach to a router, you are in user mode, which has a privilege level of 0. After entering the enable command and providing appropriate credentials, you are moved to privileged mode, which has a privilege level of 15.

However, for a finer granularity of administrative privileges, you can configure privilege levels in the range 1 to 14 using the privilege mode {level level command | reset command} command in global configuration mode. reset is used to reset the privilege level of a command to its original privilege level. To illustrate, Example 3-10 shows how to configure the debug command to be a privilege level 5 command and how to set the enable secret password for level 5 administrative access.

Example 3-10 Configuring a Privilege Level
R1# config term
R1(config)# privilege exec level 5 debug
R1(config)# enable secret level 5 L3v3l5P
R1(config)# end

After additional privilege levels are configured, an administrator can specify the privilege level she wants to change to using the enable level command. For example, for an administrator to switch to the previously configured privilege level of 5, she would enter the enable 5 command. After switching to a privilege level of 5, the administrator would have access to all commands associated not only with privilege level 5, but also all lower privilege levels.

Creating command-line interface views

Similar to making different commands available to different administrators using privilege levels, role-based command-line interface (CLI) views can be used to provide different sets of configuration information to different administrators. However, unlike making commands available via privilege levels, using role-based CLI views you can control exactly what commands an administrator has access to. Following are the steps required to configure these views:

Step 1 Enable AAA: Authentication, authorization, and accounting (AAA) is discussed in detail in Chapter 4, "Configuring AAA." For now, just realize that AAA must be enabled to support views. Example 3-11 shows how to enable AAA on an IOS router.

Example 3-11 Enabling AAA
R1# conf term
R1(config)# aaa new-model
R1(config)# end

Step 2 Enable the root view: The root view is represented by the set of commands available to an administrator logged in with a privilege level of 15. You might be required to provide the enable secret password to enable the root view, as shown in Example 3-12.

Example 3-12 Enabling the Root View
R1# enable view
Password:
R1#

Step 3 Create a view: Use the parser view name command to create a new view, as shown in Example 3-13.

Example 3-13 Creating a View
R1# config term
R1(config)# parser view HELPDESK
R1(config-view)#

Step 4 Set a password for the view: Use the secret 0 password command to set the password required to invoke the view. The 0 in the command indicates that the password provided is in plain text, as opposed to an MD5 hash value. Example 3-14 shows how to configure a view's password.

Example 3-14 Setting a Password for a View
R1(config-view)# secret 0 H3lpD3skP
R1(config-view)#

Step 5 Add available commands to the view: The commands parser_mode {include | include-exclusive | exclude} [all] [interface interface_identifier | command] command, issued in view configuration mode, allows an administrator to specify a command (or interface) available to a particular view. Example 3-15 shows how to specify that the copy command (followed by any keywords), the traceroute command, and the ping command will be available to a specific view (HELPDESK in this example).

Example 3-15 Specifying Commands Available to a View
R1(config-view)# commands exec include all copy
R1(config-view)# commands exec include traceroute
R1(config-view)# commands exec include ping

Step 6 Verify the role-based CLI view configuration: After creating a view, you can switch to that view with the enable view name command. After switching to the new view, you enter a ?, for context-sensitive help, to see what commands are available in your new view, as demonstrated in Example 3-16.

Example 3-16 Confirming Role-Based CLI Configuration
R1# enable view HELPDESK
Password:
R1#?
Exec commands:
<1-99> Session number to resume
copy Copy from one file to another
enable Turn on privileged commands
exit Exit from the EXEC
ping Send echo messages
show Show running system information
traceroute Trace route to destination

vinodjad1234 Tue, 08/17/2010 - 04:31
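
The difference the answer above describes between cumulative privilege levels and exact CLI views can be checked against a saved configuration. The Python sketch below is an added example, not part of the original post or of any Cisco tool; it parses the privilege and parser view line forms shown in the answer and reports what a given level or view can reach. The sample configuration is constructed: the level-7 line, the TRAINEE view and clear port-security as the delegated command are assumptions drawn from the question.

```python
import re

# Constructed sample in the line forms shown above. The level-7 line, the
# TRAINEE view and "clear port-security" as the delegated command are
# assumptions based on the question, not configuration from the post.
SAMPLE_CONFIG = """\
privilege exec level 5 debug
privilege exec level 7 clear port-security
parser view HELPDESK
 commands exec include all copy
 commands exec include traceroute
 commands exec include ping
parser view TRAINEE
 commands exec include clear port-security
"""

PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+)$")
VIEW_RE = re.compile(r"^parser view\s+(\S+)$")
# Only include forms are modelled; "exclude" lines are ignored by this sketch.
CMD_RE = re.compile(
    r"^commands\s+(\S+)\s+(?:include-exclusive|include)\s+(?:all\s+)?(.+)$")

def parse(config):
    """Return ({(mode, command): level}, {view_name: {(mode, command)}})."""
    levels, views, current = {}, {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            current = None          # an unindented line leaves view config mode
        line = raw.strip()
        if m := PRIV_RE.match(line):
            levels[(m.group(1), m.group(3))] = int(m.group(2))
        elif m := VIEW_RE.match(line):
            current = views.setdefault(m.group(1), set())
        elif current is not None and (m := CMD_RE.match(line)):
            current.add((m.group(1), m.group(2)))
    return levels, views

def reassigned_at(levels, level):
    """Reassigned commands reachable at `level`. Levels are cumulative, so a
    command moved to any lower level is reachable too. Commands left at
    their default level are not modelled."""
    return {cmd for cmd, lvl in levels.items() if lvl <= level}

if __name__ == "__main__":
    levels, views = parse(SAMPLE_CONFIG)
    print("level 7:", sorted(reassigned_at(levels, 7)))   # also inherits debug
    print("TRAINEE:", sorted(views["TRAINEE"]))           # exactly one command
```

In the sample, an account at level 7 picks up debug as a side effect of the level-5 assignment, while the TRAINEE view exposes only the command that was listed.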