Following the previous FAC article, I received a question about privilege levels: what commands are available at the different privilege levels? In this article, we will continue from where we stopped and take a deeper look at privilege levels, the commands available at each level, and how to change the privilege level of commands.
We used a simple network diagram from the previous FAC article as shown below:
The configuration we have on our test router is as follows:
<CODE>
hostname TestRTR
!
enable secret level 3 5 $1$a4NI$EtF.B7UzrA7WOoKxFLDmb/
enable secret 5 $1$tZdd$RedGVdYEyUK2j.c60wz3k0
!
no aaa new-model
!
interface FastEthernet0/0
 ip address 192.168.56.10 255.255.255.0
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password cisco
 login
!
</CODE>
From the above configuration, we have two enable secrets: the first one is for privilege level 3 and the second one is for privilege level 15. So if we open a telnet connection, for example, and log in successfully, we need to enter the enable secret. For example:
You will notice that successful authentication after typing ‘enable’ without any option places me in privilege level 15. If I had specified a number (a privilege level) after the enable command, it would have required the secret for that privilege level. For example:
Also notice that if you try to access a level that has no enable password/secret set, you won’t be allowed.
Before we continue to see what commands are available at different privilege levels, let us reconfigure this device. As an administrator, you would probably want to associate usernames with privilege levels; it allows for better accounting. I’ll create four users: cisco1, cisco3, cisco9 and cisco15. The numbers reflect their privilege levels.
<CODE>
username cisco1 privilege 1 secret cisco1
username cisco3 privilege 3 secret cisco3
username cisco9 privilege 9 secret cisco9
username cisco15 privilege 15 secret cisco15
line vty 0 4
 login local
</CODE>
With our above configuration, these users should automatically be placed in their configured privilege levels when they open a remote connection.
Privilege Level 1
Let’s start with privilege level 1. What commands are available?
There are actually quite a few commands; the above is just a sample list. The familiar ones include disconnect, enable, ping, and telnet.
Privilege Level 3
Let’s check what commands are available on privilege level 3.
The above is also a snapshot; there are more commands. I did a side-by-side comparison of the commands in privilege level 1 and those in privilege level 3, and they are the same.
Privilege Level 9
This is the last one we will check since we already know what is available at privilege level 15.
Again, the same set of commands. This means that by default Cisco only implements privilege levels 1 and 15; every level in between has the same set of top-level commands as level 1 (except that the prompt shows the # sign). But hold up. We have been checking top-level commands; are their sub-options also the same? The answer is no. For example, notice the difference between privilege level 1 and privilege level 9 below:
I’m not certain Cisco has documented these subtle differences anywhere public, and in fact it would be too cumbersome to try; there are simply too many variables. What then is the way out?
Changing the privilege level of commands
Luckily for us, the Cisco IOS provides a way for us to move commands between levels. We will quickly look at how this is done. Let us create a sample policy:
Privilege level 1 users should be able to shutdown and/or bring up interfaces
Privilege level 3 users should be able to configure/change IP addresses on interfaces
Privilege level 9 users should be able to configure and apply access-lists on interfaces
We use the global configuration mode “privilege” command to achieve this. The syntax of the command can be simplified as:
privilege <mode> level <privilege level> <command>
The mode specifies what mode the command operates at e.g. EXEC, global configuration, interface configuration and so on. There are other options that can be specified but the syntax above simplifies it.
Command alteration can be quite tricky because you need to think through all the steps required to access a command. For example, in our first policy statement, you cannot get to the interface configuration mode without first entering the global configuration mode and you cannot get to the global configuration mode without first being in the exec mode. Therefore, the configuration for our first policy statement will be:
<CODE>
privilege exec level 1 configure terminal
privilege configure level 1 interface
privilege interface level 1 no shutdown
</CODE>
Let’s test it immediately. I will log in with username cisco1.
For our second policy statement, we only need to add the “ip address” command under the interface configuration mode for privilege level 3. The reason we don’t need to add the previous commands is that privilege levels in Cisco IOS form a hierarchy: the commands available at level 1 are also available at level 2, the commands at levels 1 and 2 are available at level 3, and so on.
<CODE>privilege interface level 3 ip address</CODE>
We will test this also by logging in with the cisco3 user.
A look at the running configuration of our device reveals that some commands have been automatically generated for us. For example, we can’t “configure terminal” without “configure”, i.e. “terminal” is a sub-option, so IOS also grants the parent command at the same level.
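To make the behaviour described in this section checkable before you touch a production router, here is an added Python audit script (not part of the original article and not a Cisco tool). It parses a constructed running-config modelled on the TestRTR configuration above, including the four privilege statements from the two policies, and reports which levels actually have an enable secret, which level each local user lands in, and which reassigned commands each level ends up with once the hierarchy rule (a command granted at level N is inherited by every level above N) and the implied parent commands are applied. The parent-command expansion treats every leading word prefix of a reassigned command as granted at the same level; that generalisation of the “configure terminal” / “configure” case on this page is an assumption, as are the regular expressions, which only cover the configuration syntax shown here.

```python
"""Audit a Cisco IOS configuration for privilege-level settings.

Added example, not from the original article. It answers three questions a
reviewer asks of a config: which levels have an enable secret, which local
users land in which level, and which commands the 'privilege' statements make
available at each level.
"""
import re
from collections import defaultdict

# Constructed sample config: the article's TestRTR plus its privilege lines.
SAMPLE_CONFIG = """\
hostname TestRTR
!
enable secret level 3 5 $1$a4NI$EtF.B7UzrA7WOoKxFLDmb/
enable secret 5 $1$tZdd$RedGVdYEyUK2j.c60wz3k0
!
username cisco1 privilege 1 secret cisco1
username cisco3 privilege 3 secret cisco3
username cisco9 privilege 9 secret cisco9
username cisco15 privilege 15 secret cisco15
!
privilege exec level 1 configure terminal
privilege configure level 1 interface
privilege interface level 1 no shutdown
privilege interface level 3 ip address
!
line vty 0 4
 login local
!
"""

# Assumed patterns: they cover the syntax used on this page, not all of IOS.
ENABLE_RE = re.compile(r"^enable (?:secret|password)(?: level (\d+))? ")
USER_RE = re.compile(r"^username (\S+) privilege (\d+) ")
PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")


def enable_levels(config):
    """Privilege levels that have an enable secret/password configured.
    'enable secret' with no 'level' keyword applies to level 15, the level
    that a bare 'enable' command asks for."""
    levels = set()
    for line in config.splitlines():
        m = ENABLE_RE.match(line.strip())
        if m:
            levels.add(int(m.group(1)) if m.group(1) else 15)
    return levels


def can_enable(config, requested=15):
    """Model the check the article demonstrates: 'enable <level>' is refused
    when no secret/password exists for that level."""
    return requested in enable_levels(config)


def user_levels(config):
    """Map each local username to the privilege level it is placed in."""
    result = {}
    for line in config.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            result[m.group(1)] = int(m.group(2))
    return result


def privilege_entries(config):
    """Return {(mode, command): level} for the explicit privilege statements
    plus the parent commands IOS generates for them. Assumption: every leading
    word prefix of a reassigned command ('configure' for 'configure terminal')
    is granted at the same level."""
    entries = {}
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if not m:
            continue
        mode, level, words = m.group(1), int(m.group(2)), m.group(3).split()
        for n in range(1, len(words) + 1):
            key = (mode, " ".join(words[:n]))
            # A prefix already granted at a lower level keeps the lower level.
            entries[key] = min(level, entries.get(key, level))
    return entries


def commands_at(config, level):
    """Reassigned commands available at 'level', grouped by mode. This is the
    hierarchy rule: level 3 inherits level 1's grants, level 9 inherits both."""
    by_mode = defaultdict(set)
    for (mode, cmd), lvl in privilege_entries(config).items():
        if lvl <= level:
            by_mode[mode].add(cmd)
    return dict(by_mode)


if __name__ == "__main__":
    print("enable secrets configured for levels:", sorted(enable_levels(SAMPLE_CONFIG)))
    print("'enable 9' permitted?", can_enable(SAMPLE_CONFIG, 9))
    print("local users:", user_levels(SAMPLE_CONFIG))
    for lvl in (1, 3, 9):
        print(f"level {lvl}:", commands_at(SAMPLE_CONFIG, lvl))
```

Run it against a saved `show running-config` to see, per level, exactly what the privilege statements grant; a level that appears in a username line but has no matching grants and no enable secret is a sign the policy was never finished.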
I believe you are capable of handling the last policy statement.
This brings us to the end of this article where we have looked deeply at privilege levels on the Cisco IOS. We discovered that although the top-level commands are the same between privilege level 1 and 14, the sub-options of those commands may differ between privilege levels. We also moved commands between privilege levels using the privilege command. Another way of enforcing privilege levels is by using parser views which we have not considered in this article.
I hope you have found this article insightful and that it has cleared up any confusion you had about privilege levels. I look forward to answering another frequently asked challenge in the next article. Remember to drop your comments for those topics you would like answered.
CCNA Security – Solutions to Frequently Asked Challenges: Enable Secret and Privilege Levels: http://resources.intenseschool.com/ccna-security-solutions-to-facs-enable-secret-and-privilege-levels/
CCNA Security Certification Series #6: AAA on Cisco Devices: http://resources.intenseschool.com/ccna-security-certification-series-6-aaa-on-cisco-devices/