Cisco IOS allows authorization of commands without using an external TACACS+ server. Cisco routers and switches work with privilege levels. By default there are 16 privilege levels, and even without thinking about it you are probably already familiar with 3 of them:
- Level 0: Only a few commands are available, the most used command is probably ‘enable’.
- Level 1: This is the default exec user level. You can use some of the show commands but you won’t be able to configure anything.
- Level 15: The highest privilege level, also known as “enable mode” or “privileged mode”.
Higher privilege levels will support all the commands of the lower privilege levels. For example, privilege level 8 will include all the commands of level 0 – 7.
Privilege level 15 will have all the commands of level 0 – 14 and so on.
Creating different privilege levels is a good idea if you work with different user groups. You probably only want your senior network engineers to have privilege level 15 and your junior network engineers a lower privilege level so they don’t have access to all commands.
If you want to assign commands to a certain privilege level, you have a couple of options:
- You can assign some privilege level 15 commands to level 1 so that all users that are allowed to log in to the router can use them.
- You can move some commands from level 1 to a higher level so that you can disallow some commands for level 1 users.
- You can create a new privilege level and assign some level 15 commands to it.
When you are going to assign commands to different privilege levels you need to understand that IOS has two modes:
- Exec Mode
- Configuration Mode
Exec mode will look like this (user exec ends in `>`, privileged exec in `#`):
```
Router>
Router#
```
And configuration mode looks like this:
```
Router(config)#
```
Each “mode” also has different “sub-modes” like the interface configuration:
```
Router(config-if)#
```
Commands also have a certain structure that you need to understand. Basically commands look like this:
```
command sub-command [arguments] [arguments-values] [options]
```
To give you an example, think about configuring an IP address:
```
Rack1SW1(config-if)#ip address 192.168.1.1 255.255.255.0
```
We can break it down like this:
- ip = command.
- address = sub-command.
- 192.168.1.1 255.255.255.0 = arguments.
- secondary = options (not shown in my example).
When I assign a command to a privilege level, I can select the entire “ip” command or only the “ip address” sub-command. If I give someone the entire “ip” command they can also configure things like “ip unreachables” or “ip arp” and so on.
Let’s take a look at a couple of examples of moving commands and creating new privilege levels shall we?
First we’ll check what our privilege level is. You can do it like this:
```
Router>show privilege
Current privilege level is 1
```
Use the show privilege command to check your privilege level. By default once you are logged in you will be in level 1. Let’s go to enable mode now:
```
Router>enable
Router#show privilege
Current privilege level is 15
```
And as you can see enable has privilege level 15.
We’ll start with a simple example. I’m going to give privilege level 1 users the power to use the show running-configuration command. This is how we do it:
```
Router(config)#privilege exec level 1 show running-config
```
All level 1 users are now able to use the show running-config command. Not a very wise idea but it’ll work:
```
Router>show running-config
Building configuration...

Current configuration : 53 bytes
!
boot-start-marker
boot-end-marker
!
```
We can also take commands away from the level 1 users. Let’s say I don’t want them to use “show ip arp”. We’ll do it like this:
```
Router(config)#privilege exec level 15 show ip arp
```
Level 1 users will discover that they can’t use show ip arp anymore:
```
Router>show ip arp
               ^
% Invalid input detected at '^' marker.
```
Now you have seen how to add or remove commands for a certain privilege level. How about we create a user with a new privilege level that has access to only a couple of commands? We’ll create a new user account that is allowed to do these things:
- Shutdown or no shutdown an interface.
- Use the debug ip routing command.
- Disable all debugging.
- Use the show running-configuration command.
I will create a new username for this with a new privilege level, here’s how to do it:
```
Router(config)#username JUNIOR privilege 8 password CISCO
```
First we’ll create a new user account called JUNIOR. I’ll assign this user privilege level 8. Now we’ll add some commands to it:
```
Router(config)#privilege exec level 8 configure terminal
Router(config)#privilege exec level 8 debug ip routing
Router(config)#privilege exec level 8 undebug all
Router(config)#privilege exec level 8 show running-config
```
The commands above are for exec mode. I still have to add some commands for the configuration mode:
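Once a few commands have been moved around like this it is easy to lose track of what each level, and therefore each user, can actually run. The script below is an added example and not part of this lesson: it parses the `privilege` and `username` lines of a running-config (a constructed sample, not real device output), works out what each level can run given that a higher level inherits the commands of all lower levels, and flags a sensitive command handed to level 1 or a user created with `password` instead of `secret`. The set of commands treated as sensitive is an assumption you would adjust to your own policy.

```python
import re

# Constructed running-config fragment for the demo; not captured from a real device.
SAMPLE_CONFIG = """\
username JUNIOR privilege 8 password CISCO
privilege exec level 1 show running-config
privilege exec level 15 show ip arp
privilege exec level 8 configure terminal
privilege exec level 8 debug ip routing
privilege exec level 8 undebug all
"""

PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")
USER_RE = re.compile(r"^username (\S+) privilege (\d+) (password|secret)\b")

# Assumed policy: commands that reveal the configuration or change device state.
SENSITIVE = {"show running-config", "configure terminal", "debug ip routing"}

def parse_privileges(config):
    """Return ({(mode, command): level}, {username: (level, credential keyword)})."""
    assigned, users = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := PRIV_RE.match(line):
            # A command has exactly one level, so a later line overrides an earlier one.
            assigned[(m.group(1), m.group(3))] = int(m.group(2))
        elif m := USER_RE.match(line):
            users[m.group(1)] = (int(m.group(2)), m.group(3))
    return assigned, users

def commands_for_level(assigned, level, mode="exec"):
    """Reassigned commands a user at `level` can run: a level inherits everything below it."""
    return sorted(cmd for (m, cmd), lvl in assigned.items() if m == mode and lvl <= level)

def audit(config):
    """Findings a reviewer would raise: sensitive commands at level 1, reversible passwords."""
    assigned, users = parse_privileges(config)
    findings = []
    for (mode, cmd), level in sorted(assigned.items()):
        if cmd in SENSITIVE and level <= 1:
            findings.append(f"{mode} '{cmd}' is available to every logged-in user (level {level})")
    for user, (level, keyword) in sorted(users.items()):
        if keyword == "password":
            findings.append(f"user {user}: 'password' stores a reversible type 0/7 value, use 'secret'")
        reach = [c for c in commands_for_level(assigned, level) if c in SENSITIVE]
        findings.append(f"user {user} (level {level}) can run: {', '.join(reach) or 'no sensitive commands'}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run it against `show running-config` output saved to a file and the same three checks apply; commands under `privilege configure` or `privilege interface` are kept separately by mode, so pass `mode="configure"` to see those.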