AAA authorization for line command privilege level

Posted on 2003-11-07
Medium Priority
Last Modified: 2012-06-27
Can some one tell me where to get information on how this option works?  I have tried to configure this with local authorization via 'username priv level' command and when I apply either default level 0,1, or 15, I still have access to the entire router.  

The text below is from Cisco's web site and is the function I am trying to use.

commands:  Enables authorization on the selected line(s) for all commands at the specified privilege level.
level:  Specific command level to be authorized. Valid entries are 0 through 15.

Question by:benje02
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2

Accepted Solution

sheahmed earned 500 total points
ID: 9706235
Jerri ...

command to restrict the telnet application, which is allowed at the user mode, was “privilege exec level 15 telnet”. This command, in a nut shell, restricted telnet to the enable mode, the highest level of access.

With the privilege exec level command, you can configure commands to run in other than
their default mode. The format is as follows:

Router (config)# privilege exec level level command

For example, the ping command works for both modes. Let’s say for some reason, you
may want to restrict the ping command to only be executed in the enable mode. You
would type in at the global configuration mode “privilege exec level 15 ping”. The
number 15 represents the highest level of the 16 possible hierarchical levels of modes.
And this highest mode, 15, can only be accessed with the enable password. The levels
that can be configured are 0 to 15. Level 1 is the normal user mode. Level 0, which is
rarely used has 5 commands associated with it which are disable, enable, exit, help, and
logout. In the following example, the router is logged in at level 0 and only 5 commands
are allowed. Even the “show privilege” command which shows what privilege level you
are logged in as, is not allowed.

Exec commands:
disable Turn off privileged commands
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
logout Exit from the EXEC

Router>show privilege
% Invalid input detected at '^' marker.

With 16 possible levels, you can configure multiple levels of command access and
users/passwords to access those levels. For example, with the ping command, we can set
it to level 7 by typing in “privilege exec level 7 ping”. And the password to get to level 7
can be set by “enable password level 7 password”. To access a level, from the prompt,
type “enable 7” and the password associated with that level once prompted. Ping can
then be executed from level 7 and up. Usernames with corresponding passwords can be
set to a specific level. In the global configuration mode, as part of the username-based
authentication system and after entering “username name password password” , type
“username name privilege level”. The user specified will automatically login at the
specified privilege level.

An important thing to remember when setting a command at a certain level, all subsets of
that command are also set to that level. That is, if you set “show ip route” to level 7, all
show commands and show ip commands are automatically set to level 7 unless the
commands are set individually at different levels.

For example:
The command in the following exampl e places all show ip commands, whi ch includes all show commands,
at privilege level 7:
privilege exec level 7 show ip rout e
This is the same as following command:
privilege exec level 7 show

The commands in the following exampl e place “ show ip route” at level 7 and the “ show” and “ show ip”
commands at level 1:
privilege exec level 7 show ip rout e
privilege exec level 1 show ip
privilege exec level 1 show

Privilege levels can also be set on lines. By going to the line configuration and typing
“ privilege level level”

a default privilege level is speci fi ed for that line.

hope your confusion is resolved ...

Sheeraz Ahmed

Expert Comment

ID: 9706261
i dont know why theses characters (&#8217 etc) are here in the text ...
moderators should look into this problem ... and also ... font size of the site are larege and are very annoying .. Kindly revert to the previous site .. or allow us to switch between previous or the current template ... as many of us have sentimental association with the previous one ...

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question