AAA authorization for line command privilege level

Posted on 2003-11-07
Last Modified: 2012-06-27
Can someone tell me where to get information on how this option works? I have tried to configure this with local authorization via the 'username priv level' command, and when I apply either default level 0, 1, or 15, I still have access to the entire router.

The text below is from Cisco's web site and is the function I am trying to use.

commands:  Enables authorization on the selected line(s) for all commands at the specified privilege level.
level:  Specific command level to be authorized. Valid entries are 0 through 15.

Question by:benje02

Accepted Solution

sheahmed earned 500 total points
ID: 9706235
Jerri ...

command to restrict the telnet application, which is allowed at the user mode, was “privilege exec level 15 telnet”. This command, in a nutshell, restricted telnet to the enable mode, the highest level of access.

With the privilege exec level command, you can configure commands to run in other than
their default mode. The format is as follows:

Router (config)# privilege exec level level command

For example, the ping command works for both modes. Let’s say for some reason, you
may want to restrict the ping command to only be executed in the enable mode. You
would type in at the global configuration mode “privilege exec level 15 ping”. The
number 15 represents the highest level of the 16 possible hierarchical levels of modes.
And this highest mode, 15, can only be accessed with the enable password. The levels
that can be configured are 0 to 15. Level 1 is the normal user mode. Level 0, which is
rarely used, has 5 commands associated with it which are disable, enable, exit, help, and
logout. In the following example, the router is logged in at level 0 and only 5 commands
are allowed. Even the “show privilege” command which shows what privilege level you
are logged in as, is not allowed.

Exec commands:
disable Turn off privileged commands
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
logout Exit from the EXEC

Router>show privilege
% Invalid input detected at '^' marker.

With 16 possible levels, you can configure multiple levels of command access and
users/passwords to access those levels. For example, with the ping command, we can set
it to level 7 by typing in “privilege exec level 7 ping”. And the password to get to level 7
can be set by “enable password level 7 password”. To access a level, from the prompt,
type “enable 7” and the password associated with that level once prompted. Ping can
then be executed from level 7 and up. Usernames with corresponding passwords can be
set to a specific level. In the global configuration mode, as part of the username-based
authentication system and after entering “username name password password” , type
“username name privilege level”. The user specified will automatically login at the
specified privilege level.

An important thing to remember when setting a command at a certain level is that all subsets of
that command are also set to that level. That is, if you set “show ip route” to level 7, all
show commands and show ip commands are automatically set to level 7 unless the
commands are set individually at different levels.

For example:
The command in the following example places all show ip commands, which includes all show commands,
at privilege level 7:
privilege exec level 7 show ip route
This is the same as following command:
privilege exec level 7 show

The commands in the following example place “show ip route” at level 7 and the “show” and “show ip”
commands at level 1:
privilege exec level 7 show ip route
privilege exec level 1 show ip
privilege exec level 1 show

Privilege levels can also be set on lines. By going to the line configuration and typing
“privilege level level”

a default privilege level is specified for that line.

hope your confusion is resolved ...

Sheeraz Ahmed
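The pieces described in the answer above, put together into one IOS configuration as an added example (not part of the original post). Hostname, usernames and the ALL-CAPS secrets are constructed placeholders; the example uses enable secret rather than enable password, and shows the plain privilege-level mechanism only, not AAA command authorization.

```cisco
! Added example, not from the original answer: a level-7 operator account that can
! run "show ip route" and "ping" but nothing that stays at level 15.
! Names and secrets below are constructed placeholders.
hostname R1
!
! Move "show ip route" to level 7, then pull "show" and "show ip" back to level 1.
! Without the two level-1 lines the subset rule would raise the whole "show" tree
! to level 7, hiding it from ordinary level-1 users.
privilege exec level 7 show ip route
privilege exec level 1 show ip
privilege exec level 1 show
privilege exec level 7 ping
!
! Password needed to reach level 7 with "enable 7", and the level-15 secret.
enable secret level 7 LEVEL7-SECRET-PLACEHOLDER
enable secret LEVEL15-SECRET-PLACEHOLDER
!
! A user that logs straight in at level 7; a user with no privilege keyword
! lands at the line's default level (1 here).
username netops privilege 7 secret NETOPS-SECRET-PLACEHOLDER
username viewer secret VIEWER-SECRET-PLACEHOLDER
!
! VTY lines authenticate against the local usernames and default to level 1.
line vty 0 4
 login local
 privilege level 1
!
! Expected behaviour (verify with "show privilege" after logging in):
!   netops  -> "Current privilege level is 7", "show ip route" and "ping" accepted
!   viewer  -> "Current privilege level is 1", "show ip route" rejected as invalid input
```

A level-1 session still reaches level 15 with the normal enable secret, so keep that secret separate from the level-7 one and check the result per user rather than assuming the line setting alone restricts anything.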

Expert Comment

ID: 9706261
I don't know why these characters (&#8217 etc.) are here in the text ...
Moderators should look into this problem ... and also ... the font size of the site is large and very annoying .. Kindly revert to the previous site .. or allow us to switch between the previous or the current template ... as many of us have a sentimental association with the previous one ...
