AAA authorization for line command privilege level

Posted on 2003-11-07
626 Views
Last Modified: 2012-06-27
Can someone tell me where to get information on how this option works? I have tried to configure this with local authorization via the 'username priv level' command, and when I apply either default level 0, 1, or 15, I still have access to the entire router.


The text below is from Cisco's web site and is the function I am trying to use.

commands:  Enables authorization on the selected line(s) for all commands at the specified privilege level.
 
level:  Specific command level to be authorized. Valid entries are 0 through 15.

Thanks,
Jerri
Question by: benje02
Accepted Solution by: sheahmed (LVL 3, earned 125 total points)
ID: 9706235
Jerri ...

The command to restrict the telnet application, which is allowed at the user mode, was “privilege exec level 15 telnet”. This command, in a nutshell, restricted telnet to the enable mode, the highest level of access.

With the privilege exec level command, you can configure commands to run in other than
their default mode. The format is as follows:

Router(config)# privilege exec level level command

For example, the ping command works for both modes. Let’s say for some reason, you
may want to restrict the ping command to only be executed in the enable mode. You
would type in at the global configuration mode “privilege exec level 15 ping”. The
number 15 represents the highest level of the 16 possible hierarchical levels of modes.
And this highest mode, 15, can only be accessed with the enable password. The levels
that can be configured are 0 to 15. Level 1 is the normal user mode. Level 0, which is
rarely used, has 5 commands associated with it, which are disable, enable, exit, help, and
logout. In the following example, the router is logged in at level 0 and only 5 commands
are allowed. Even the “show privilege” command which shows what privilege level you
are logged in as, is not allowed.

Router>?
Exec commands:
disable Turn off privileged commands
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
logout Exit from the EXEC

Router>show privilege
^
% Invalid input detected at '^' marker.

With 16 possible levels, you can configure multiple levels of command access and
users/passwords to access those levels. For example, with the ping command, we can set
it to level 7 by typing in “privilege exec level 7 ping”. And the password to get to level 7
can be set by “enable password level 7 password”. To access a level, from the prompt,
type “enable 7” and the password associated with that level once prompted. Ping can
then be executed from level 7 and up. Usernames with corresponding passwords can be
set to a specific level. In the global configuration mode, as part of the username-based
authentication system and after entering “username name password password”, type
“username name privilege level”. The user specified will automatically login at the
specified privilege level.

An important thing to remember when setting a command at a certain level is that all subsets of
that command are also set to that level. That is, if you set “show ip route” to level 7, all
show commands and show ip commands are automatically set to level 7 unless the
commands are set individually at different levels.

For example:
The command in the following example places all show ip commands, which includes all show commands,
at privilege level 7:
privilege exec level 7 show ip route
This is the same as the following command:
privilege exec level 7 show

The commands in the following example place “show ip route” at level 7 and the “show” and “show ip”
commands at level 1:
privilege exec level 7 show ip route
privilege exec level 1 show ip
privilege exec level 1 show

Privilege levels can also be set on lines. By going to the line configuration and typing
“privilege level level”

a default privilege level is specified for that line.

hope your confusion is resolved ...

Sheeraz Ahmed
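To see how these rules combine, here is an added Python model (my example, not part of sheahmed's answer and not Cisco's IOS code) that resolves the level a command needs from a set of "privilege exec level" lines and lists what a session at a given line or username level may run. The level-0 command list and the two example configurations come from the answer above; the DEFAULTS table and the tie-break for prefixes shared by several assigned commands are assumptions of the model.

```python
# Model of Cisco IOS command privilege levels as the answer describes them
# (added example, not from the post). See node_level for the rules applied.
from typing import Dict, Iterable, List, Tuple

Cmd = Tuple[str, ...]
LEVEL0 = {"disable", "enable", "exit", "help", "logout"}  # the five level-0 commands
# Constructed subset of IOS defaults for illustration; any other first keyword
# is taken to default to level 1 (user EXEC) in this model.
DEFAULTS: Dict[Cmd, int] = {("configure",): 15, ("show", "running-config"): 15}


def parse_privilege_config(config: Iterable[str]) -> Dict[Cmd, int]:
    """Collect the explicit 'privilege exec level N <command>' assignments."""
    explicit: Dict[Cmd, int] = {}
    for line in config:
        words = line.split()
        if len(words) >= 5 and words[:3] == ["privilege", "exec", "level"]:
            explicit[tuple(words[4:])] = int(words[3])
    return explicit


def node_level(explicit: Dict[Cmd, int], prefix: Cmd) -> int:
    """Level of one keyword on a command path, e.g. ('show', 'ip') for 'show ip route'."""
    if prefix in explicit:  # set individually
        return explicit[prefix]
    n = len(prefix)
    # A subset (prefix) of an assigned command is placed at that command's level;
    # assumption: the lowest level if several assigned commands share the prefix.
    children = [lvl for c, lvl in explicit.items() if len(c) > n and c[:n] == prefix]
    if children:
        return min(children)
    if prefix in DEFAULTS:
        return DEFAULTS[prefix]
    if n == 1:
        return 0 if prefix[0] in LEVEL0 else 1
    return 0  # deeper keywords and arguments impose no level of their own


def effective_level(explicit: Dict[Cmd, int], command: str) -> int:
    """Lowest session level that can run `command`: the session must be able to
    reach every keyword on the path, so the highest level along it wins."""
    words = tuple(command.split())
    return max(node_level(explicit, words[:n]) for n in range(1, len(words) + 1))


def allowed(explicit: Dict[Cmd, int], session_level: int, commands: Iterable[str]) -> List[str]:
    """Subset of `commands` a session at `session_level` (line default or username
    privilege) may run; use it to audit what a restricted line really exposes."""
    return [c for c in commands if effective_level(explicit, c) <= session_level]
```

Feeding allowed() the privilege level of a line and the commands its users are expected to need shows whether the restriction narrows access as intended, or whether moving one command (such as "show ip route") silently moved its parent keyword for everyone.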
Expert Comment by: sheahmed (LVL 3)
ID: 9706261
Att. MODERATORS
I don't know why these characters (&#8217 etc.) are here in the text ...
moderators should look into this problem ... and also ... the font size of the site is large and very annoying .. Kindly revert to the previous site .. or allow us to switch between the previous or the current template ... as many of us have a sentimental association with the previous one ...