AAA authorization for line command privilege level

Posted on 2003-11-07
Medium Priority
Last Modified: 2012-06-27
Can some one tell me where to get information on how this option works?  I have tried to configure this with local authorization via 'username priv level' command and when I apply either default level 0,1, or 15, I still have access to the entire router.  

The text below is from Cisco's web site and is the function I am trying to use.

commands:  Enables authorization on the selected line(s) for all commands at the specified privilege level.
level:  Specific command level to be authorized. Valid entries are 0 through 15.

Question by:benje02

Accepted Solution

sheahmed earned 500 total points
ID: 9706235
Jerri ...

command to restrict the telnet application, which is allowed at the user mode, was “privilege exec level 15 telnet”. This command, in a nut shell, restricted telnet to the enable mode, the highest level of access.

With the privilege exec level command, you can configure commands to run in other than
their default mode. The format is as follows:

Router (config)# privilege exec level level command

For example, the ping command works for both modes. Let’s say for some reason, you
may want to restrict the ping command to only be executed in the enable mode. You
would type in at the global configuration mode “privilege exec level 15 ping”. The
number 15 represents the highest level of the 16 possible hierarchical levels of modes.
And this highest mode, 15, can only be accessed with the enable password. The levels
that can be configured are 0 to 15. Level 1 is the normal user mode. Level 0, which is
rarely used, has 5 commands associated with it, which are disable, enable, exit, help, and
logout. In the following example, the router is logged in at level 0 and only 5 commands
are allowed. Even the “show privilege” command which shows what privilege level you
are logged in as, is not allowed.

Exec commands:
disable Turn off privileged commands
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
logout Exit from the EXEC

Router>show privilege
% Invalid input detected at '^' marker.

With 16 possible levels, you can configure multiple levels of command access and
users/passwords to access those levels. For example, with the ping command, we can set
it to level 7 by typing in “privilege exec level 7 ping”. And the password to get to level 7
can be set by “enable password level 7 password”. To access a level, from the prompt,
type “enable 7” and the password associated with that level once prompted. Ping can
then be executed from level 7 and up. Usernames with corresponding passwords can be
set to a specific level. In the global configuration mode, as part of the username-based
authentication system and after entering “username name password password”, type
“username name privilege level”. The user specified will automatically login at the
specified privilege level.

An important thing to remember when setting a command at a certain level is that all subsets of
that command are also set to that level. That is, if you set “show ip route” to level 7, all
show commands and show ip commands are automatically set to level 7 unless the
commands are set individually at different levels.

For example:
The command in the following example places all show ip commands, which includes all show commands,
at privilege level 7:
privilege exec level 7 show ip route
This is the same as the following command:
privilege exec level 7 show

The commands in the following example place “show ip route” at level 7 and the “show” and “show ip”
commands at level 1:
privilege exec level 7 show ip route
privilege exec level 1 show ip
privilege exec level 1 show

Privilege levels can also be set on lines. By going to the line configuration and typing
“privilege level level”

a default privilege level is specified for that line.

hope your confusion is resolved ...

Sheeraz Ahmed
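The two “show ip route” examples above are easy to get wrong when auditing a config, so here is an added example (not from the original answer) that models the prefix rule the answer describes: a command needs the highest level of any of its keyword prefixes, and an unset prefix inherits the level of the configured commands below it. The DEFAULT_LEVELS table and the “lowest implied level wins” tie-break are assumptions of this model, not something the page states.

```python
"""Model of IOS 'privilege exec level' resolution as explained above.

Assumptions (not from the page): commands with no configured level default to
DEFAULT_LEVELS; a keyword prefix implied by several configured commands, and
not set explicitly, takes the lowest of their levels.
"""
from typing import Dict, List

# Constructed defaults: level 1 is user-mode EXEC, level 15 is enable mode.
DEFAULT_LEVELS = {"show": 1, "ping": 1, "telnet": 1, "enable": 0,
                  "disable": 0, "exit": 0, "configure": 15}


def parse_privilege_lines(config: str) -> Dict[str, int]:
    """Return {command: level} from 'privilege exec level N <command>' lines."""
    explicit: Dict[str, int] = {}
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] == ["privilege", "exec", "level"] and len(parts) >= 5:
            explicit[" ".join(parts[4:])] = int(parts[3])
    return explicit


def prefixes(command: str) -> List[str]:
    """'show ip route' -> ['show', 'show ip', 'show ip route']."""
    words = command.split()
    return [" ".join(words[:i]) for i in range(1, len(words) + 1)]


def effective_level(command: str, explicit: Dict[str, int]) -> int:
    """Level a user must hold to run `command`: max over its keyword prefixes."""
    needed = 0
    for p in prefixes(command):
        if p in explicit:                      # set individually, as in example 2
            lvl = explicit[p]
        else:                                  # inherited from longer commands
            implied = [l for c, l in explicit.items() if c.startswith(p + " ")]
            lvl = min(implied) if implied else DEFAULT_LEVELS.get(p, 1)
        needed = max(needed, lvl)
    return needed


def can_run(user_level: int, command: str, explicit: Dict[str, int]) -> bool:
    """True if a user logged in at `user_level` can execute `command`."""
    return user_level >= effective_level(command, explicit)


if __name__ == "__main__":
    cfg = parse_privilege_lines("privilege exec level 7 show ip route")
    # Example 1 from the answer: every show command is now pulled up to level 7.
    print(effective_level("show version", cfg))      # 7
```

Run the first config through `effective_level("show version", ...)` to see the side effect the answer warns about; add the two level-1 lines from the second example and the same call drops back to 1.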

Expert Comment

ID: 9706261
I don't know why these characters (&#8217 etc.) are here in the text ...
Moderators should look into this problem ... and also ... the font size of the site is large and is very annoying .. Kindly revert to the previous site .. or allow us to switch between the previous or the current template ... as many of us have a sentimental association with the previous one ...
