Configuring Privilege levels in Cisco IOS

Jan 17, 2011 11:09 PM

It is possible to change the privilege level of "show running-config" (show run) and assign it to something other than level 15. You can do so, but you are likely to be surprised by the result. A user executing show run sees only the commands that they are also allowed to change. So someone executing the command at, say, privilege level 8, with no other commands assigned to that level, cannot change anything and therefore sees an essentially empty configuration.

Refer to the Cisco document IOS Privilege Levels Cannot See Complete Running Configuration for more information.

The default configuration of Cisco IOS based networking devices uses privilege level 1 for user EXEC mode and privilege level 15 for privileged EXEC mode. The commands that can be run in user EXEC mode at privilege level 1 are a subset of the commands that can be run in privileged EXEC mode at privilege level 15.

In Cisco IOS, the higher your privilege level, the more access you have to the device. When you log in to a Cisco router under the default configuration, you are in user EXEC mode (level 1). From this mode you can view some information about the router, such as the status of interfaces and the routes in the routing table, but you cannot make any changes or view the running configuration.

It is therefore not sufficient to assign the show running-config command to a particular privilege level. If a user is to see a particular section of the configuration file, the commands that make up that section must also be assigned to that privilege level.

So for example, consider the following set of privileges:

privilege interface level 5 shutdown
privilege interface level 5 ip address
privilege interface level 5 ip
privilege interface level 5 bandwidth
privilege configure level 5 interface
privilege exec level 5 show running-config
privilege exec level 5 show

The command show running-config will now display:

Current configuration : 425 bytes
!
boot-start-marker
boot-end-marker
!
!
!
!
!
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/1
 no ip address
 shutdown
!
interface Serial1/0
 bandwidth 512
 ip address 10.0.0.1 255.255.255.0
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 no ip address
 shutdown
!
interface Serial1/3
 no ip address
 shutdown
!
!
end

As you can see, the output contains only the commands that have been explicitly assigned to level 5 with the privilege commands, plus the comment lines, boot markers and end that appear in any running-config output. Using the all keyword in the privilege command simplifies the explicit list of what should be visible; for example, privilege configure all level 5 interface allows all interfaces and their internal configuration to be seen. There is no easy way to make the entire running configuration visible at a privilege level below 15.

A privilege level can also be assigned to a username (with the privilege keyword of the username command, not with the privilege command itself), so that when a user logs in with that username the session runs at the specified level. For example, if you want your technical support staff to view the configuration of a networking device to help them troubleshoot network problems without being able to modify it, you can create a username, configure it with privilege level 15, and configure it with an autocommand so that show running-config runs automatically. When a user logs in with that username the running configuration is displayed and the session is then closed, so the user never reaches an interactive level-15 prompt.
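The following is an added example configuration, not part of the original document and not Cisco's own, that puts the two ideas above together: a level-5 operator account that can see and change interface settings using the all keyword instead of listing each interface subcommand, and a level-15 support account that displays the running configuration once and is then disconnected. The user names, the command assignment for configure terminal, and the angle-bracket secret placeholders are assumptions for illustration; replace them before use.

```cisco
! Added example configuration (assumed names, placeholder secrets); not from the original document.
!
! --- Custom privilege level 5: view and change interface settings ---
! A user must be able to reach level 5, either with "enable 5" (protected by
! its own secret) or by logging in with a local account bound to level 5.
enable secret level 5 <level5-secret>
username netops privilege 5 secret <netops-secret>
!
! Let level 5 enter configuration mode and the "interface" command; "all"
! also moves every interface subcommand, replacing the per-command list
! (shutdown, ip address, bandwidth, ...) shown earlier in the document.
privilege exec level 5 configure terminal
privilege configure all level 5 interface
!
! "show running-config" at level 5 then prints only the interface sections,
! because those are the only commands level 5 is allowed to change.
privilege exec level 5 show running-config
privilege exec level 5 show
!
! --- Level 15 read-only viewer via autocommand ---
! The account lands at level 15, runs one command, and the session is closed
! when the command finishes, so there is no interactive level-15 prompt.
username support privilege 15 secret <support-secret>
username support autocommand show running-config
!
! Local authentication on the vty lines so the username privilege levels apply.
line vty 0 4
 login local
 transport input ssh
!
! Verification from a netops session (expected behaviour, typed at the CLI):
!   Router> show privilege             -> Current privilege level is 5
!   Router# show running-config        -> interface sections only
!   Router(config)# interface Loopback0
!   Router(config-if)# ip address ...  -> accepted
!   Router(config)# router ospf 1      -> rejected, not assigned to level 5
```

Two caveats. First, show running-config run at level 15 prints the complete configuration, including enable secret hashes, type 7 passwords, SNMP communities and keys, so the support account reveals everything a level-15 user could read and should be handled with the same care as a full administrator login. Second, check the result of the all keyword from an actual level-5 session with show running-config rather than assuming it, since visibility in IOS is exactly the set of commands that level is allowed to change.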


Comments

jkoolwal Thu, 10/17/2013 - 20:28

Very useful article...just one tip about -

The privilege command can also be used to assign a privilege level to a username so that when a user logs in with the username, the session will run at the privilege level specified by the privilege command

This is not changed by the privilege command but instead by using the privilege keyword in the username command. Here is an example -

username OPERATOR privilege 15
