Browse All Articles
> Priviledge Levels In Cisco Devices
I will try and make this as short as possible and therefore not go into too much details.The pertinent Cisco articles are attached as PDF files in case the links break.
This question comes up very frequently and I feel the need to post a simplified answers and instructions.
I will start off with an exerpt from the Cisco Guide > Cisco IOS Security Configuration Guide, Release 12.2, Part 5,
I attached the chapter separately > Configuring Passwords and Privileges > Page 4 Configuring Multiple Privilege Levels
By default, the Cisco IOS software command-line interface (CLI) has two levels of access to commands: user EXEC mode (level 1) and privileged EXEC mode (level 15). However, you can configure additional levels of access to commands, called privilege levels, to meet the needs of your users while protecting the system from unauthorized access. Up to 16 privilege levels can be configured, from level 0, which is the most restricted level, to level 15, which is the least restricted level.
I believe Cisco may not not have posted a comprehensive list or set of available commands for each level, at least to the public for reasons that may include the following:
- New commands get introduced very frequently and some are taken out or retired though not as frequently but as the technology sunsets
- Some commands are only available to a version of IOS even on the same platform while some commands are only available on certain platforms.
- A comprehensive list will be a little cumbersome and will require frequent edits per IOS version, IOS type and per platform. Most administrators may never even use 10% of all commands on a device anyways.
Three basic default levels made available therefore include: None (0), Least (1) and Most (15)
to simplify the matter. In other words, 0 = No EXEC Mode, 1 = User EXEC Mode, and 15 = Privileged EXEC Mode. None or Level 0 comes very handy with Remote Access VPN users to whom you really don't want to have access to console into your Device. This can be categorized as No user access or privileged access to console ports.
This raises the popular question, "What are the levels of access for Level 1 or Level 15" or the Levels 2 through 14 in between?" Great Question from great minds. As stated in the exerpt pasted above, it's an issue of All, Nothing or the least dangerous Access. Cisco then leaves you as an administrator to grant access as desired. Administrators therefore has the ability to modify Levels 2 through 14, which by default has the same access as Level 1.
How in the world then do you modify the access levels from 2 through 14?
I'm glad you asked :)
This is better explained with examples.
R6(config)#privilege router level 15
This sets the "Router" command to only be accessible to level 15 users
R6(config)#privilege dhcp level 10
This sets the "DHCP" command to only be accessible to level 10 users and above
Assigning users to privilege levels
R6(config)#username Tech Privilege 10 secret Cisco
This creates (if user does not exist currently) or modifies (If user already exists) the user Tech with privilege level 10 and and encrypted password of Cisco