Wednesday, February 14, 2007

Cisco IOS Access Privilege Levels

In Cisco IOS releases prior to 10.3 there were only two levels of access privilege: user exec mode (level 1) and full privilege mode (level 15). When a single administrator manages all the devices this causes no problem. But in a NOC (Network Operations Centre) environment, where a number of administrators need different levels of privilege, two levels are insufficient. This is where access privilege levels come into use.

There are 15 levels of privilege in Cisco IOS, from level 1 to level 15. For each of the levels in between, we can assign the commands that users at that privilege level are allowed to use.

Configuration

To access a router you have to use a router line. The most common router lines are:
Console - connecting through the router's console port
Auxiliary - connecting to the router's auxiliary port (most probably through a dial-up connection)
Vty - virtual teletype, connecting by telnet from another machine

Whichever line you use, you will be prompted for the corresponding line password. Once you have given the password you get access to privilege level 1, i.e. user exec mode (this is the default and can be changed).

The first thing to do is set a password for each level of privilege.

Press RETURN to get started!

User Access Verification

Password:
RouterA>enable \\User exec mode; go to privileged exec mode (level 15)
password:
RouterA#configure terminal \\Enter configuration mode
RouterA(config)#enable [password|secret] [level X] password

where X is any number between 1 and 15.
If "level X" is omitted, level 15 is taken as the default.
If the command is "enable password", the password will be stored as plain text.
If "enable secret" is used, the password will be stored using reversible encryption. "enable secret" takes precedence over "enable password".

Eg:
RouterA(config)#enable secret level 7 &2lvl7pass$#!

which sets the level 7 password to "&2lvl7pass$#!"

If you haven't set the password for a particular privilege level, you can't access that level. Suppose you haven't set a password for level 9; then:
RouterA>enable 9
%Password not set
RouterA>

After this we can assign commands to different privilege levels.

RouterA(config)#privilege mode level levelnum command

where mode is the command mode, one of the following:
exec, config, line, interface, router, etc.

Eg:

Suppose we have to allow an administrator at level 7 to change the IP address of the router interfaces.
RouterA(config)#privilege exec level 7 configure terminal
RouterA(config)#privilege configure level 7 interface
RouterA(config)#privilege interface level 7 ip address

Command 1: By default every user is logged into exec mode. To configure an IP address on an interface, the user first needs permission to go from exec mode to configuration mode using the command "configure terminal".
Command 2: From configuration mode the user has to go to interface mode, for which he needs permission to use the command "interface".
Command 3: Now that the user has permission to enter interface mode, he should be granted permission to set the IP address from there.

Now let the administrator at level 7 log in to the router through telnet.

[admin7@LinuxBox1 ~]$telnet RouterA
Trying 192.168.0.14...
Connected to RouterA (192.168.0.14).
Escape character is '^]'.

Welcome to RouterA

password:
RouterA>show privilege
Your current privilege level is 1

admin7 has logged into the router through telnet. Now go to privilege level 7:

RouterA>enable 7
password:
RouterA#show privilege
Your current privilege level is 7
RouterA#configure terminal
RouterA(config)#interface eth1
RouterA(config-if)#?
Interface configuration commands:
exit Exit from interface configuration mode
help Description of the interactive help system
ip Interface Internet Protocol config commands
no Negate a command or set its defaults
RouterA(config-if)#ip address 192.168.2.25 255.255.255.0

When a command is assigned to a particular privilege level, all the privilege levels above it automatically get permission to use that command as well. In the previous example, administrators above level 7 (levels 8 to 14) will also be able to enter interface mode and set the IP address.

Similarly, an administrator at level 7 has permission to use all the commands configured for privilege levels lower than 7.

If you have set passwords for different privilege levels, you can switch between them using the enable and disable commands.

RouterA#show privilege
Your current privilege level is 7
RouterA#enable 12
password:
RouterA#show privilege
Your current privilege level is 12
RouterA#disable 4
password:
RouterA#show privilege
Your current privilege level is 4
RouterA#enable 1
password:
RouterA>show privilege
Your current privilege level is 1

The enable command can be used to go to privilege levels above or below the current level, but disable can only be used to go to a lower level. For enable the default privilege level is 15 and for disable it is level 1. These values are used if you do not provide the level option.

The default privilege level for the router lines (console, auxiliary, vty) is level 1. This behaviour can be changed as follows.

Suppose you want to change the default privilege level for telnet access to level 5. Beware: this will allow anybody who knows the telnet password to go directly to privilege level 5. If you do not know exactly what you need, never do this!

RouterA#configure terminal
RouterA(config)#line vty 0 197
RouterA(config-line)#privilege level 5

[admin7@LinuxBox1 ~]$telnet RouterA
Trying 192.168.0.14...
Connected to RouterA (192.168.0.14).
Escape character is '^]'.

Welcome to RouterA

password:
RouterA#show privilege
Your current privilege level is 5
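As an added example (not code from the original post), here is a small Python audit script that applies the rules explained above to a constructed running-config snippet: it resolves which commands each level inherits from the levels below it, treats an omitted level as 15 and "enable secret" as overriding "enable password" for the same level, and flags plaintext "enable password" entries, levels that have commands granted but no password set (the "%Password not set" case), and lines whose default privilege level has been raised above 1. The config text, hash placeholders and function names are all constructed for illustration.

```python
import re
# Constructed sample running-config modelled on the post's examples; not a real device dump.
SAMPLE_CONFIG = """\
enable secret level 7 5 $1$PLACEHOLDER$hash
enable password level 9 plain9pass
enable secret 5 $1$PLACEHOLDER$hash
privilege exec level 7 configure terminal
privilege configure level 7 interface
privilege interface level 7 ip address
privilege exec level 12 reload
line con 0
line vty 0 4
 privilege level 5
 password telnetpass
"""
PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")
ENABLE_RE = re.compile(r"^enable (password|secret)(?: level (\d+))? .+$")
LINE_PRIV_RE = re.compile(r"^ privilege level (\d+)$")

def parse_config(text):
    """Collect per-level command grants, enable password types and line default levels."""
    commands, enable, line_levels, current = {}, {}, {}, None
    for raw in text.splitlines():
        if m := PRIV_RE.match(raw):
            commands.setdefault(int(m.group(2)), set()).add(f"{m.group(1)}: {m.group(3)}")
        elif m := ENABLE_RE.match(raw):
            level = int(m.group(2)) if m.group(2) else 15  # omitted level means 15
            if enable.get(level) != "secret":              # secret wins over password
                enable[level] = m.group(1)
        elif raw.startswith("line "):
            current = raw[5:]
            line_levels.setdefault(current, 1)             # lines default to level 1
        elif current and (m := LINE_PRIV_RE.match(raw)):
            line_levels[current] = int(m.group(1))
    return commands, enable, line_levels

def allowed_commands(commands, level):
    """A level inherits every command granted to it or to any lower level."""
    return set().union(*(cmds for lvl, cmds in commands.items() if lvl <= level))

def audit(text):
    # Findings a reviewer would raise against this config, in a fixed order.
    commands, enable, line_levels = parse_config(text)
    findings = [f"level {lvl}: 'enable password' stores the password in plain text"
                for lvl, kind in sorted(enable.items()) if kind == "password"]
    findings += [f"level {lvl}: commands granted but no enable password set for the level"
                 for lvl in sorted(commands) if lvl not in enable]
    findings += [f"line {name}: login lands directly at privilege level {lvl}"
                 for name, lvl in line_levels.items() if lvl > 1]
    return findings
```

Running audit(SAMPLE_CONFIG) on the sample returns three findings: the plaintext level 9 password, the unreachable level 12, and the vty lines that drop a caller straight into level 5.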

