Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

AAA Local Authorization....

Hello all. Hopefully, this will prove to be an easy question with a simple answer!

I want to configure local username/passwords on my router, with different privilege levels. For example username admin is only allowed to access privilege level 1 commands, and username engineer is allowed to enter all comands (level 15). However, when I test this via console or telnet, both go into user mode to start with (Router>) and I can enter enable mode on both username logins by entering the enable password (Router#). Therefore, both username's have the same access rights (to all commands) even though they have different privilege levels. I thought the privilege level 1 account would not be allowed to issue level15 commands?

Can anyone point me in the right direction.....


aaa new-model

aaa authentication login default local

aaa authorization commands 1 default local

aaa authorization commands 15 default local

enable secret test


username admin privilege 1 password cisco1

username engineer privilege 15 password cisco2



Hall of Fame Super Silver

Re: AAA Local Authorization....


It seems to me that there is a fairly simple solution to your situation: do not give the enable password to users who should be restricted to level 1 commands.

No matter what privilege level they start at, anyone who can enter the correct enable password (or enable secret) will gain level 15 access.



New Member

Re: AAA Local Authorization....

Thanks Rick for the response. Like you say, there is a simple solution, but it makes me wonder why would you want to configure a privilege level if it doesn't have any effect?

Or does it have its uses elsewhere.....

New Member

Re: AAA Local Authorization....

Just typing enable defaults to enable 15

Careful look at the following commands should answer your question

Router6>enable ?

<0-15> Enable level

Router6(config)#enable password ?

0 Specifies an UNENCRYPTED password will follow

7 Specifies a HIDDEN password will follow

LINE The UNENCRYPTED (cleartext) 'enable' password

level Set exec level password

Router6(config)#enable password le

Router6(config)#enable password level ?

<1-15> Level number


New Member

Re: AAA Local Authorization....

Is your ACS server configured with advanced tacacs+ settings? If so, under user setup, you can select "No enable privilege". They will not be allowed to enter enable mode even if they enter the correct password. With regard to local usernames and passwords, it only states what level they can start at. If they know the enable password, then they can get to enable mode.

New Member

Re: AAA Local Authorization....


The privilege levels are used when you do not want to give full level 15 access to someone but only some commands.

For example you may want a tech. to be able to change the bandwidth of an interface and nothing else. So we reduce the privilege level of the interface bandwidth command to say 10 and give the tech level 10 access.

CreatePlease to create content