?
Solved

Cisco Privilege Levels

Posted on 2014-09-01
8
Medium Priority
?
1,564 Views
Last Modified: 2014-09-17
Per Cisco , there are 3 privileges:
•privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
•privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
•privilege level 15 — Includes all enable-level commands at the router# prompt

However it is not clear what each level can do on Cisco device. I believe level 15 can do anything on the device. Correct me if I am wrong.

but Level 0 and Level 1, it is not clear what they can do ...

Thank you
0
Comment
Question by:jskfan
8 Comments
 
LVL 11

Assisted Solution

by:Miftaul
Miftaul earned 500 total points
ID: 40296417
Level 1 is when we logon to a device and are in > prompt.
Level 15 is when enter EN, and at # prompt.
Level 2-14 can be customized.

Level 0 is least privilege one and hardly in use.

Here is the related document - https://learningnetwork.cisco.com/docs/DOC-15878
0
 

Author Comment

by:jskfan
ID: 40296911
I saw that link before I posted the question. Itt that  is poorly written.
If any Expert that understands well Privileges, they can just summarize it here.
For Instance:
Level 0: can do this and that but cannot do this and that ...etc...
etc...
...
....
0
 

Author Comment

by:jskfan
ID: 40296944
In Microsoft , if you give a user Account Operator or Backup Operator, or Domain Admins, each can do separate tasks, and sometimes there is an overlap....
in Cisco you can give specific commands to a specific Level.
For Instance if you hire a Junior Network administrator, and you want him to view configuration to Ping the network, but cannot make any changes or reload the Device, what Level would you give them.??

If you want to give a user Level 15 on Switches but not on routers, would you go to each Router and Switch and assign privileges, or there is a central console where you can do that ?

Thanks
0
Big Data Means Big Business

In data-dependent industries like IT, finance, and healthcare, there’s a growing demand for qualified analysts to fill leadership roles. WGU’s MS in Data Analytics has IT certifications from Oracle and SAS built into its curriculum at a flat fee that could save you money.

 
LVL 18

Assisted Solution

by:Akinsd
Akinsd earned 1000 total points
ID: 40297253
Unfortunately, there is no level above 0 that prohibits ping that I am aware of. It may be possible to configure that but I have never searched for it. The results of show commands are even more harmful than ability to ping anyways and that's why I paid no attention to it. In my opinion, ping should be the least any tech should have on any device if nothing else is granted.

I agree with you in a way because I tried in the past to find the same information to no avail. The answer is actually embedded in the article. New commands get introduced very frequently and some taken out. Some commands are only available to a version of IOS even on the same platform while some commands are only available on certain platforms. All of these factors make a comprehensive list a cumbersome task. Cisco therefore came up with None (0), Least (1) and Most (15) to simplify the matter. Most administrators may never even use 10% of all commands on a device anyways.

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html#wp1000907

By default, the Cisco IOS software command-line interface (CLI) has two levels of access to commands: user EXEC mode (level 1) and privileged EXEC mode (level 15). However, you can configure additional levels of access to commands, called privilege levels, to meet the needs of your users while protecting the system from unauthorized access. Up to 16 privilege levels can be configured, from level 0, which is the most restricted level, to level 15, which is the least restricted level.

You as an administrator has to configure and assign users the other levels as desired. Let me digress a little. The 1st line of an ACL if unspecified is 10, then 20, then 30.
Cisco gives you the opportunity to go back and insert lines if need be.
The same concept here,
0 is no console access, 1 is least access and 15 is the highest access.
Notice "no console access". Your remote access VPN users need to be able to connect but should not be given access to view configurations or edit configurations. By default, they are assigned privilidge level 0 unless you specify otherwise.

I should add also that the enable command from user EXEC mode elvates the Default Cisco user to Privilege Mode Level 15.

You asked also how to make the login info avaiable accross devices. You can create templates or create a base configuration to be applied to all devices. You can also tie user logins to LDAP but you will still have to manually assign privileges to users.


I hope this helps
0
 

Author Comment

by:jskfan
ID: 40297707
So if I need to give someone permissions just to view the configuration , to PING , then Level 1 will be the right choice ? or is it too much ?
I am assuming Level 1, they cannot do any modification or reload the device..
0
 
LVL 28

Assisted Solution

by:mikebernhardt
mikebernhardt earned 500 total points
ID: 40299697
You can't give someone permission to just view the configuration unless you create a custom privilege level for that, because anything to do with configs is at 15 by default. But other than that level 1 is the correct place for most people.

The risk in giving everyone the ability to view the configuration is that it contains passwords and SNMP strings which can be used to go further than you intended. So I don't recommend it.
0
 
LVL 18

Accepted Solution

by:
Akinsd earned 1000 total points
ID: 40300445
So if I need to give someone permissions just to view the configuration , to PING , then Level 1 will be the right choice ? or is it too much ?
I am assuming Level 1, they cannot do any modification or reload the device..
Correct!
Level 1 allows ping but disallows reload.
That should suffice for you if that's all you want to grant access to.

The following prompt is an example of Level 1 access (USER EXEC MODE)
R6>

In this case, you can give users the console login but not the enable password. Or create local username and password with privilege 1 and then enable login local on VTY and Console ports.
0
 

Author Closing Comment

by:jskfan
ID: 40328908
I will look at this later..
Thank you
0

Featured Post

Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

569 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question