AAA Local Command Authorization

Cisco IOS can authorize commands locally, without an external TACACS+ server. Cisco routers and switches work with privilege levels: by default there are 16 of them, and even without thinking about it you are probably already familiar with three:

  • Level 0: Only a few commands are available, the most used command is probably ‘enable’.
  • Level 1: This is the default exec user level. You can use some of the show commands but you won’t be able to configure anything.
  • Level 15: The highest privilege level, also known as “enable mode” or “privileged mode”.

Higher privilege levels will support all the commands of the lower privilege levels. For example, privilege level 8 will include all the commands of level 0 – 7.

Privilege level 15 will have all the commands of level 0 – 14 and so on.

Creating different privilege levels is a good idea if you work with different user groups. You probably only want your senior network engineers to have privilege level 15 and your junior network engineers a lower privilege level so they don’t have access to all commands.

If you want to assign commands to a certain privilege level, you have a couple of options:

  • You can assign some privilege level 15 commands to level 1 so that all users that are allowed to log in to the router can use them.
  • You can move some commands from level 1 to a higher level so that you can disallow some commands for level 1 users.
  • You can create a new privilege level and assign some level 15 commands to it.

When you are going to assign commands to different privilege levels you need to understand that IOS has two modes:

  • Exec Mode
  • Configuration Mode

Exec mode will look like this:

Router#

And configuration mode looks like this:

Router(config)#

Each “mode” also has “sub-modes”, such as interface configuration mode:

Router(config-if)#

Commands also have a certain structure that you need to understand. Basically commands look like this:

command sub-command [arguments] [arguments-values] [options]

To give you an example, think about configuring an IP address:

Rack1SW1(config-if)#ip address 192.168.1.1 255.255.255.0

We can break it down like this:

  • ip = command.
  • address = sub-command.
  • 192.168.1.1 255.255.255.0 = arguments.
  • secondary = options (not shown in my example)

When I assign a command to a privilege level, I can select the entire “ip” command or only the “ip address” sub-command. If I give someone the entire “ip” command they can also configure things like “ip unreachables” or “ip arp” and so on.

Let’s take a look at a couple of examples of moving commands and creating new privilege levels shall we?

Configuration

First we’ll check what our privilege level is. You can do it like this:

Router>show privilege
Current privilege level is 1

Use the show privilege command to check your privilege level. By default, once you are logged in you will be in level 1. Let’s go to enable mode now:

Router>enable
Router#show privilege
Current privilege level is 15

As you can see, enable mode has privilege level 15.

We’ll start with a simple example. I’m going to give privilege level 1 users the power to use the show running-configuration command. This is how we do it:

Router(config)#privilege exec level 1 show running-config

All level 1 users are now able to use the show running-config command. Not a very wise idea, but it’ll work:

Router>show running-config
Building configuration...

Current configuration : 53 bytes
!
boot-start-marker
boot-end-marker
!

We can also take commands away from the level 1 users. Let’s say I don’t want them to use “show ip arp”. We’ll do it like this:

Router(config)#privilege exec level 15 show ip arp

Level 1 users will discover that they can’t use show ip arp anymore:

Router>show ip arp
        ^
% Invalid input detected at '^' marker.
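As an added example, not code from the lesson or from Cisco IOS, here is a small Python model of the authorization rules described above: higher levels inherit everything below them, a `privilege ... level` line moves a command and (through prefix matching) every sub-command under it, and the longest matching rule wins. The default levels in `DEFAULT_LEVELS` are a constructed sample covering only the commands used here, and `PrivilegeTable` and `lesson_walkthrough` are names chosen for this illustration. The walkthrough replays the two steps above, the JUNIOR user at level 8, and the “ip” versus “ip address” distinction from the command-structure section.

```python
"""Model of Cisco IOS privilege-level command authorization.

Added illustration, not code from the lesson or from Cisco IOS. It mimics
the rules the lesson describes:

  * a user at level L may run any command whose level is L or lower, so
    higher levels inherit everything below them;
  * `privilege <mode> level N <command ...>` moves that command, and through
    prefix matching every sub-command under it, to level N;
  * the most specific (longest) matching rule wins, which is how
    `privilege exec level 1 show running-config` opens one sub-command while
    `privilege exec level 15 show ip arp` closes another.

DEFAULT_LEVELS is a constructed sample covering only the commands used
below; a real device has thousands of commands and a richer parser.
"""

from typing import Dict, List, Tuple

Cmd = Tuple[str, ...]

# Constructed sample of default levels, keyed by (mode, keywords).
DEFAULT_LEVELS: Dict[Tuple[str, Cmd], int] = {
    ("exec", ("enable",)): 0,
    ("exec", ("show",)): 1,                    # most show commands are level 1 ...
    ("exec", ("show", "running-config")): 15,  # ... but the configuration is not
    ("exec", ("configure",)): 15,
    ("exec", ("debug",)): 15,
    ("exec", ("undebug",)): 15,
}
# Anything not listed (all of configuration mode, for instance) stays privileged.
UNLISTED_LEVEL = 15


def tokenize(command: str) -> Cmd:
    """Split a CLI line into keywords; IOS keyword matching is case-insensitive."""
    return tuple(command.lower().split())


class PrivilegeTable:
    """Privilege assignments for one device, mirroring `privilege ... level` lines."""

    def __init__(self) -> None:
        self.levels: Dict[Tuple[str, Cmd], int] = dict(DEFAULT_LEVELS)
        self.assigned: List[Tuple[str, int, Cmd]] = []  # explicit privilege lines

    def assign(self, mode: str, level: int, command: str) -> None:
        """Equivalent of `privilege <mode> level <level> <command>`."""
        if not 0 <= level <= 15:
            raise ValueError("privilege levels run from 0 to 15")
        cmd = tokenize(command)
        self.levels[(mode, cmd)] = level      # a later assignment replaces an earlier one
        self.assigned.append((mode, level, cmd))

    def effective_level(self, mode: str, command: str) -> int:
        """Level of the longest matching rule; unlisted commands stay privileged."""
        words = tokenize(command)
        for n in range(len(words), 0, -1):
            key = (mode, words[:n])
            if key in self.levels:
                return self.levels[key]
        return UNLISTED_LEVEL

    def authorized(self, user_level: int, mode: str, command: str) -> bool:
        """True when a user at `user_level` may run `command` in `mode`."""
        return self.effective_level(mode, command) <= user_level

    def running_config(self) -> List[str]:
        """The privilege lines this table would show in the running configuration."""
        return [f"privilege {m} level {lvl} {' '.join(c)}" for m, lvl, c in self.assigned]


def lesson_walkthrough() -> Dict[str, bool]:
    """Replay the lesson's steps and record who can run what after each one."""
    t = PrivilegeTable()
    r: Dict[str, bool] = {}
    r["l1 show run before"] = t.authorized(1, "exec", "show running-config")
    t.assign("exec", 1, "show running-config")
    r["l1 show run after"] = t.authorized(1, "exec", "show running-config")
    r["l1 show ip arp before"] = t.authorized(1, "exec", "show ip arp")
    t.assign("exec", 15, "show ip arp")
    r["l1 show ip arp after"] = t.authorized(1, "exec", "show ip arp")
    # JUNIOR at level 8 receives the four exec commands from the lesson ...
    for cmd in ("configure terminal", "debug ip routing", "undebug all", "show running-config"):
        t.assign("exec", 8, cmd)
    r["junior debug ip routing"] = t.authorized(8, "exec", "debug ip routing")
    r["junior debug ip packet"] = t.authorized(8, "exec", "debug ip packet")  # still 15
    r["junior show version"] = t.authorized(8, "exec", "show version")        # inherited from 1
    r["junior show ip arp"] = t.authorized(8, "exec", "show ip arp")          # moved to 15
    # ... and the last assignment silently moved show running-config back above level 1.
    r["l1 show run after junior"] = t.authorized(1, "exec", "show running-config")
    # Granting `ip address` is narrower than granting the whole `ip` command (interface mode).
    t.assign("interface", 8, "ip address")
    r["junior ip address"] = t.authorized(8, "interface", "ip address 192.168.1.1 255.255.255.0")
    r["junior ip unreachables narrow"] = t.authorized(8, "interface", "ip unreachables")
    t.assign("interface", 8, "ip")
    r["junior ip unreachables wide"] = t.authorized(8, "interface", "ip unreachables")
    return r


if __name__ == "__main__":
    for name, ok in lesson_walkthrough().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name}")
```

Two things the walkthrough makes visible that are easy to miss on a real device: assigning a command to a level does not take away the lower-level commands that level already inherits (a level 8 user keeps every level 1 show command), and a later `privilege` line for the same command replaces the earlier one, so re-assigning show running-config to level 8 quietly removes it from level 1 again. The model leaves out the parent keyword lines (`show`, `show ip`) that IOS itself writes into the configuration when you assign a sub-command, since the prefix lookup does not need them.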

Now you have seen how to add or remove commands for a certain privilege level. How about we create a user with a new privilege level that has access to only a couple of commands? We’ll create a new user account that is allowed to do these things:

  • Shutdown or no shutdown an interface.
  • Use the debug ip routing command.
  • Disable all debugging.
  • Use the show running-configuration command.

I will create a new username for this with a new privilege level. Here’s how to do it:

Router(config)#username JUNIOR privilege 8 password CISCO

First we’ll create a new user account called JUNIOR. I’ll assign this user privilege level 8. Now we’ll add some commands to it:

Router(config)#privilege exec level 8 configure terminal
Router(config)#privilege exec level 8 debug ip routing
Router(config)#privilege exec level 8 undebug all
Router(config)#privilege exec level 8 show running-config

The commands above are for exec mode. I still have to add some commands for the configuration mode:

Content created by Rene Molenaar (CCIE #41726)

Forum Replies

  1. Hi Rene, can you write commands about SSH users which have different privilege levels. For example one user is root and one user is guest; guest must have some restricted commands

  2. Based on George’s reply I tried to create two usernames with different privilege levels:

    username newbie privilege 8 secret 5 $1$BiPz$TLuUEbPhyDEgnwQiOC5y0/ (cisco) 
    username senior privilege 15 secret 5 $1$G2Ym$.1hVi/NAd1qz2/FBS7xaO0 (cisco)
    

    I want user newbie to be able to enter show commands:

    privilege exec level 8 show

    I wanted user senior to be able to enter configure commands:

    privilege exec level 15 configure

    Then I enter the AAA configuration:

    aaa new-model
    
    aaa authentication login list1 local
    
    aaa authorization exec l1 local
    

    Then I applied it to the l

  3. Hi Rene,

    Pretty much I wanted different users to be able to access the device via telnet. I wanted user newbie to be able to just execute show commands, then I wanted user senior to have full rights, I mean to be able to execute any command.

    I understood my mistake, I already configured the default view and the “client” view

    aaa authentication login list_1 local
    
    enable secret 5 $1$wxp3$S6xiGOONqckW8nW1UvOD00 (ena)
    
    
    username cisco secret 5 $1$GeiB$esuKyqDcf.Q1xyKyHifRx0
    username client privilege 15 view client secret 5 $1$O0ES$Lk3l5Dap7UWiJoudqQXeV1
    
    line vty 15
    

  4. Rene,
    Great lesson; however, I have a question. During my test I created a user with level 2 privilege and I want the user to only use the following commands:
    “sh ip interface brief” and “configure terminal”
    But when I was configuring I configured only “sh ip interface brief” and “configure terminal”. After that when I did show run I found extra lines in the config which include
    “show IP” and “show”. I was able to block only “show run” and the rest of the commands are available, e.g. sh ip arp etc.

    In my opinion I should be able to see only “configure terminal
