AAA Local Command Authorization

Cisco IOS allows authorization of commands without using an external TACACS+ server. Cisco routers and switches work with privilege levels. By default, there are 16 privilege levels, and even without thinking about it, you are probably already familiar with three of them:

  • Level 0: Only a few commands are available. The most used command is probably enable.
  • Level 1: This is the default exec user level. You can use some of the show commands, but you won’t be able to configure anything.
  • Level 15: The highest privilege level, also known as “enable mode” or “privileged mode“.

Higher privilege levels will support all the commands of the lower privilege levels. For example, privilege level 8 will include all the commands of level 0 – 7.

Privilege level 15 will have all the commands of level 0 – 14 and so on.

Different privilege levels are a good idea if you work with different user groups. You probably only want your senior network engineers to have privilege level 15 and your junior network engineers a lower privilege level, so they don’t have access to all commands.

If you want to assign commands to a certain privilege level, you have a couple of options:

  • You can assign some privilege level 15 commands to level 1 so that all users that are allowed to log in to the router can use them.
  • You can move some commands from level 1 to a higher level so that you can disallow some commands for level 1 users.
  • You can create a new privilege level and assign some level 15 commands to it.

When you are going to assign commands to different privilege levels, you need to understand that IOS has two modes:

  • Exec Mode
  • Configuration Mode

Exec mode will look like this:

Router#

And configuration mode looks like this:

Router(config)#

Each “mode” also has different “sub-modes” like the interface configuration:

Router(config-if)#

Commands also have a certain structure that you need to understand. Basically, commands look like this:

command sub-command [arguments] [arguments-values] [options]

To give you an example, think about configuring an IP address:

Rack1SW1(config-if)#ip address 192.168.1.1 255.255.255.0

We can break it down like this:

  • ip = command.
  • address = sub-command.
  • 192.168.1.1 255.255.255.0 = arguments.
  • secondary = options (not shown in my example)

When I assign a command to a privilege level, I can select the entire “ip” command or only the “ip address” sub-command. If I give someone the entire “ip” command, they can also configure things like “ip unreachables” or “ip arp” and so on.

Let’s take a look at a couple of examples of moving commands and creating new privilege levels, shall we?

Configuration

First, we’ll check what our privilege level is. You can do it like this:

Router>show privilege
Current privilege level is 1

Use the show privilege command to check your privilege level. By default, once you are logged in, you will be in level 1. Let’s go to enable mode now:

Router>enable
Router#show privilege 
Current privilege level is 15

And as you can see, enable has privilege level 15.

We’ll start with a simple example. I’m going to give privilege level 1 users the power to use the show running-configuration command. This is how we do it:

Router(config)#privilege exec level 1 show running-config

All level 1 users now are able to use the show running-config command. Not a very wise idea, but it’ll work:

Router>show running-config 
Building configuration...

Current configuration : 53 bytes
!
boot-start-marker
boot-end-marker
!

We can also take commands away from the level 1 users. Let’s say I don’t want them to use “show ip arp”. We’ll do it like this:

Router(config)#privilege exec level 15 show ip arp 

Level 1 users will discover that they can’t use show ip arp anymore:

Router>show ip arp
        ^
% Invalid input detected at '^' marker.

Now you have seen how to add or remove commands to a certain privilege level. How about we create a user with a new privilege level that can only access a couple of commands? We’ll create a new user account that is allowed to do these things:

  • Shutdown or no shutdown of an interface.
  • Use the debug ip routing command.
  • Disable all debugging
  • Use the show running-configuration command.

I will create a new username for this with a new privilege level. Here’s how to do it:

Router(config)#username JUNIOR privilege 8 password CISCO

First, we’ll create a new user account called JUNIOR. I’ll assign this user privilege level 8. Now we’ll add some commands to it:

Router(config)#privilege exec level 8 configure terminal
Router(config)#privilege exec level 8 debug ip routing  
Router(config)#privilege exec level 8 undebug all     
Router(config)#privilege exec level 8 show running-config

The commands above are for exec mode. I still have to add some commands for the configuration mode:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now!

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 801 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)
510 Sign Ups in the last 30 days
satisfaction-guaranteed

  • 100% Satisfaction Guaranteed!
  • You may cancel your monthly membership at any time.
  • No Questions Asked!

Tags: ,


Forum Replies

  1. Very well written, thanks !!

  2. Hey Rene,

    Is there a show command or an overview that show all available commands for each privilege level?
    For instance:

    Show commands privilege level 7
    ???

  3. Hi Bülent,

    Hmm I don’t think there is, what I normally do is a quick “sh run | incl privilege” on the router and it will show you all the commands that have been moved to different privilege levels.

    Rene

24 more replies! Ask a question or join the discussion by visiting our Community Forum