23
2008
Multiple privilege levels
Cisco IOS lets you define multiple privilege levels for different accounts. This is useful when many people work on the same router or switch in different roles (operator, technician, network manager) and there is no time to implement an authentication server.
There are 16 different privilege levels that can be used. Level 0 is user mode. Level 15 is the privileged mode. Levels 1 through 14 are available for customization and use.
The commands used are:
Ciscozine(config)#privilege mode level level command
Ciscozine(config)#enable secret level level password
The privilege command adds authorized IOS commands to a customized level. The enable secret command defines the secret password needed to access that privilege level. The options for these commands are:
- mode: it selects an exec or configuration option that will be included with this privilege level
- level: it defines the privilege level (number between 1 and 14)
- command: it is a specific IOS command at the specified mode that is included in this privilege level
- password: it is the password associated to the level
An example of privilege level configuration:
Ciscozine(config)#privilege interface level 2 ip address
Ciscozine(config)#privilege configure level 2 interface
Ciscozine(config)#privilege exec level 2 configure terminal
Ciscozine(config)#privilege exec level 2 show interfaces
Ciscozine(config)#privilege exec level 2 show running-config
Ciscozine(config)#enable secret level 2 c$sc0Z1Ne
This configuration permits the level 2 user to:
- Access configuration mode
- Access the interfaces
- Configure ONLY the IP addresses on the interfaces
Ciscozine(config)#interface fastEthernet 0/0
Ciscozine(config-if)#?
Interface configuration commands:
default Set a command to its defaults
exit Exit from interface configuration mode
help Description of the interactive help system
ip Interface Internet Protocol config commands
no Negate a command or set its defaults
Ciscozine(config-if)#ip ?
Interface IP configuration subcommands:
address Set the IP address of an interface
Ciscozine(config-if)#
- Display the interfaces
- Display the running configuration. Even though the level 2 user can execute the show running-config command, only the configuration commands that the user is permitted to use are actually displayed. In this example the user would see only IP address information from the interfaces in the running configuration.
Ciscozine#sh running-config
Building configuration...
Current configuration : 141 bytes
!
boot-start-marker
boot-end-marker
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
!
interface FastEthernet0/1
no ip address
!
!
end
Ciscozine#
To access a particular privilege level, use the command:
Ciscozine>enable level
Password:
Ciscozine#
Where level in this case is '2'.
Remember that it is not possible to access a customized privilege level that does not have a password.
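An added example, not part of the original article: a short Python audit that reads the `privilege ... level` and `enable secret level` lines described above from a saved configuration and reports, per level, which commands are granted in each mode and whether a secret exists. The function name, the sample configuration, the level 5 entry and the secret placeholder are constructed for illustration.

```python
import re

# Syntax as given in the article:
#   privilege <mode> level <level> <command>
#   enable secret level <level> <password>
PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+)$")
SECRET_RE = re.compile(r"^enable\s+secret\s+level\s+(\d+)\s+\S+")

# Constructed sample: the article's level 2 lines plus a hypothetical level 5
# that has a command but no secret. The secret is shown as a placeholder.
SAMPLE_CONFIG = """\
privilege interface level 2 ip address
privilege configure level 2 interface
privilege exec level 2 configure terminal
privilege exec level 2 show interfaces
privilege exec level 2 show running-config
privilege exec level 5 show ip route
enable secret level 2 <secret-placeholder>
"""

def audit_privilege_levels(config_text):
    """Map each custom level to its commands per mode, secret status and findings."""
    report = {}
    def entry(level):
        return report.setdefault(level, {"commands": {}, "has_secret": False, "findings": []})
    for line in map(str.strip, config_text.splitlines()):
        if m := PRIV_RE.match(line):
            mode, level, command = m.group(1), int(m.group(2)), m.group(3)
            entry(level)["commands"].setdefault(mode, []).append(command)
        elif m := SECRET_RE.match(line):
            entry(int(m.group(1)))["has_secret"] = True
    for level, info in report.items():
        # The article notes that a custom level without a password cannot be accessed.
        if info["commands"] and not info["has_secret"]:
            info["findings"].append("no enable secret: level cannot be entered with 'enable %d'" % level)
        # Levels that can reach configuration mode deserve a least-privilege review.
        if "configure terminal" in info["commands"].get("exec", []):
            cfg = {m: c for m, c in info["commands"].items() if m != "exec"}
            info["findings"].append("can enter configuration mode; allowed there: %s" % cfg)
    return report

if __name__ == "__main__":
    for level, info in sorted(audit_privilege_levels(SAMPLE_CONFIG).items()):
        print("level", level, "secret set:", info["has_secret"])
        for mode, cmds in info["commands"].items():
            print("  %-10s %s" % (mode, ", ".join(cmds)))
        for finding in info["findings"]:
            print("  !", finding)
```

Run it against a configuration saved with full privileges, since a show running-config taken at a custom level displays only the commands that level is permitted to use.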
More info on http://www.cisco.com/…/configuration/guide/scfpass.html
3 Comments
Nice article! I’ve wondered how to do this in the past, not that there’s been a need for it specifically.
This is a nice article... thanks man
Hello, I’m working on helpdesk level 1 & privilege 1, can you give me the supplement command on a router or switch in CLI? Thanks