AAA authorization for line command privilege level

Can someone tell me where to get information on how this option works?  I have tried to configure this with local authorization via 'username priv level' command and when I apply either default level 0, 1, or 15, I still have access to the entire router.


The text below is from Cisco's web site and is the function I am trying to use.

commands:  Enables authorization on the selected line(s) for all commands at the specified privilege level.
 
level:  Specific command level to be authorized. Valid entries are 0 through 15.

Thanks,
Jerri
 
benje02Asked:

sheahmedCommented:
Jerri ...

command to restrict the telnet application, which is allowed at the user mode, was “privilege exec level 15 telnet”. This command, in a nut shell, restricted telnet to the enable mode, the highest level of access.

With the privilege exec level command, you can configure commands to run in other than
their default mode. The format is as follows:

Router (config)# privilege exec level level command

For example, the ping command works for both modes. Let’s say for some reason, you
may want to restrict the ping command to only be executed in the enable mode. You
would type in at the global configuration mode “privilege exec level 15 ping”. The
number 15 represents the highest level of the 16 possible hierarchical levels of modes.
And this highest mode, 15, can only be accessed with the enable password. The levels
that can be configured are 0 to 15. Level 1 is the normal user mode. Level 0, which is
rarely used has 5 commands associated with it which are disable, enable, exit, help, and
logout. In the following example, the router is logged in at level 0 and only 5 commands
are allowed. Even the “show privilege” command which shows what privilege level you
are logged in as, is not allowed.

Router>?
Exec commands:
disable Turn off privileged commands
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
logout Exit from the EXEC

Router>show privilege
^
% Invalid input detected at '^' marker.

With 16 possible levels, you can configure multiple levels of command access and
users/passwords to access those levels. For example, with the ping command, we can set
it to level 7 by typing in “privilege exec level 7 ping”. And the password to get to level 7
can be set by “enable password level 7 password”. To access a level, from the prompt,
type “enable 7” and the password associated with that level once prompted. Ping can
then be executed from level 7 and up. Usernames with corresponding passwords can be
set to a specific level. In the global configuration mode, as part of the username-based
authentication system and after entering “username name password password” , type
“username name privilege level”. The user specified will automatically login at the
specified privilege level.

An important thing to remember when setting a command at a certain level, all subsets of
that command are also set to that level. That is, if you set “show ip route” to level 7, all
show commands and show ip commands are automatically set to level 7 unless the
commands are set individually at different levels.

For example:
The command in the following example places all show ip commands, which includes all show commands,
at privilege level 7:
privilege exec level 7 show ip route
This is the same as following command:
privilege exec level 7 show

The commands in the following example place “show ip route” at level 7 and the “show” and “show ip”
commands at level 1:
privilege exec level 7 show ip route
privilege exec level 1 show ip
privilege exec level 1 show

Privilege levels can also be set on lines. By going to the line configuration and typing
“privilege level level”
a default privilege level is specified for that line.

hope your confusion is resolved ...

Sheeraz Ahmed
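To tie the pieces of the answer above together, here is an added example of an IOS configuration (it is not from the original post or from Cisco's documentation) that applies the scheme described: commands moved to a custom level with the subset rule accounted for, an enable secret per level, local usernames that land at a level, and a default level on the vty lines. The hostname-free snippet, the usernames netops and admin, and every secret are constructed placeholders.

```cisco
! Added example, not from the original post. Usernames and secrets are placeholders.
!
! 1. Move the commands to be restricted up to level 7.
!    Subset rule: putting "show ip route" at level 7 also pulls "show" and
!    "show ip" up to level 7, so they are set back to level 1 explicitly.
privilege exec level 7 ping
privilege exec level 7 show ip route
privilege exec level 1 show ip
privilege exec level 1 show
!
! 2. A separate enable secret for each level that users will "enable" into,
!    so "enable 7" from level 1 asks for the level-7 secret, not the level-15 one.
enable secret level 7 PLACEHOLDER-LEVEL7-SECRET
enable secret level 15 PLACEHOLDER-LEVEL15-SECRET
!
! 3. Local users that log in directly at a given level.
username netops privilege 7 secret PLACEHOLDER-NETOPS-SECRET
username admin privilege 15 secret PLACEHOLDER-ADMIN-SECRET
!
! 4. With AAA enabled, exec authorization is what applies the "username ...
!    privilege" level at login; without it users start at the line's level.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! 5. Default level for anyone on the vty lines who has no username privilege.
line vty 0 4
 privilege level 1
 login local
```

After applying it, log in as netops and run "show privilege" to confirm the session is at level 7, then confirm that "ping" works while "configure terminal" (still at level 15) is rejected; "show running-config | include privilege" lists exactly which commands have been moved and to which level. The point the answer makes, and that this layout reflects, is that what a local user can run is decided by where each command sits in the 0 to 15 hierarchy and at which level that user's session lands, so the restriction has to be expressed with privilege exec level and the matching username or line level rather than with the level number on the authorization statement alone.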

sheahmedCommented:
Att. MODERATORS
I don't know why these characters (&#8217 etc.) are here in the text ...
Moderators should look into this problem ... and also ... the font size of the site is large and very annoying .. Kindly revert to the previous site .. or allow us to switch between the previous or the current template ... as many of us have a sentimental association with the previous one ...