Saturday, February 22, 2020

AAA Local Command Authorization

Cisco IOS can authorize commands locally, without an external TACACS+ server, by using privilege levels. There are 16 privilege levels (0 through 15), and even without thinking about it you are probably already familiar with three of them:
  • Level 0: Only a few commands are available, the most used command is probably ‘enable’.
  • Level 1: This is the default exec user level. You can use some of the show commands but you won’t be able to configure anything.
  • Level 15: The highest privilege level, also known as “enable mode” or “privileged mode“.
Each privilege level includes all the commands of the levels below it. For example, privilege level 8 includes all the commands of levels 0 – 7, and privilege level 15 includes all the commands of levels 0 – 14.
Creating different privilege levels is a good idea if you work with different user groups. You probably only want your senior network engineers to have privilege level 15 and your junior network engineers a lower privilege level so they don’t have access to all commands. Keep in mind that the levels are strictly hierarchical: a user at level 8 automatically gets everything you assigned to levels 1 – 7 as well, so two groups that need disjoint sets of commands cannot both be expressed with privilege levels alone (that is what role-based CLI views are for, which are outside the scope of this post).
If you want to assign commands to a certain privilege level, you have a couple of options:
  • You can assign some privilege level 15 commands to level 1 so that all users that are allowed to log in to the router can use them.
  • You can move some commands from level 1 to a higher level so that you can disallow some commands for level 1 users.
  • You can create a new privilege level and assign some level 15 commands to it.
When you are going to assign commands to different privilege levels you need to understand that IOS has two main modes:
  • Exec Mode
  • Configuration Mode
Exec mode will look like this:
Router#
And configuration mode looks like this:
Router(config)#
Each “mode” also has different “sub-modes” like the interface configuration:
Router(config-if)#
Commands also have a certain structure that you need to understand. Basically commands look like this:
command sub-command [arguments] [arguments-values] [options]
To give you an example, think about configuring an IP address:
Rack1SW1(config-if)#ip address 192.168.1.1 255.255.255.0
We can break it down like this:
  • ip = command.
  • address = sub-command.
  • 192.168.1.1 255.255.255.0 = arguments.
  • secondary = options (not shown in my example)
When I assign a command to a privilege level, I can select the entire “ip” command or only the “ip address” sub-command. If I give someone the entire “ip” command they can also configure things like “ip unreachables” or “ip arp” and so on.
Let’s take a look at a couple of examples of moving commands and creating new privilege levels shall we?

Configuration

First we’ll check what our privilege level is, you can do it like this:
Router>show privilege
Current privilege level is 1
The show privilege command tells you the level you are currently at. By default you land in level 1 after logging in. Let’s go to enable mode now:
Router>enable
Router#show privilege 
Current privilege level is 15
As you can see, enable takes us to privilege level 15.
We’ll start with a simple example. I’m going to give privilege level 1 users the power to use the show running-config command. This is how we do it:
Router(config)#privilege exec level 1 show running-config
All level 1 users are now able to use the show running-config command. Not a very wise idea (even though the output is filtered to the commands the user’s level may use, it still tells every logged-in user more than they need to know), but it works:
Router>show running-config 
Building configuration...

Current configuration : 53 bytes
!
boot-start-marker
boot-end-marker
!
We can also take commands away from the level 1 users by moving them to a higher level. Let’s say I don’t want them to use “show ip arp”. We’ll do it like this:
Router(config)#privilege exec level 15 show ip arp
Level 1 users will discover that they can’t use show ip arp anymore:
Router>show ip arp
        ^
% Invalid input detected at '^' marker.
Now you have seen how to add commands to, or remove them from, a certain privilege level. How about we create a user with a new privilege level that has access to only a couple of commands? We’ll create a new user account that is allowed to do these things:
  • Shutdown or no shutdown an interface.
  • Use the debug ip routing command.
  • Disable all debugging
  • Use the show running-config command.
I will create a new username for this with a new privilege level, here’s how to do it:
Router(config)#username JUNIOR privilege 8 password CISCO
First we’ll create a new user account called JUNIOR. I’ll assign this user privilege level 8. On a production device use “username JUNIOR privilege 8 secret …” instead: “password” stores the password in the configuration in clear text (or reversibly encoded type 7 with service password-encryption), while “secret” stores a hash. Now we’ll add some commands to the level:
Router(config)#privilege exec level 8 configure terminal
Router(config)#privilege exec level 8 debug ip routing
Router(config)#privilege exec level 8 undebug all
Router(config)#privilege exec level 8 show running-config
The commands above are for exec mode. I still have to add some commands for the configuration mode:
Router(config)#privilege configure level 8 interface
Router(config)#privilege interface level 8 shutdown
Router(config)#privilege interface level 8 no shutdown
The commands above will allow the user to go into interface configuration mode and use the shutdown and no shutdown commands. Because JUNIOR also has configure terminal, any other configuration command that ends up at level 8 or below is reachable by this user as well, so keep an eye on what you assign to the lower levels later on.
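To see how the inheritance rule from the start of the post, the moving of commands in the examples above and the JUNIOR account all combine, here is an added example (my own script, not part of the original post and not a Cisco tool). It parses the “privilege” and “username” lines as they appear in a running-config, works out which re-assigned commands each user can reach, and lists the points a reviewer would raise. The sample config is constructed to mirror the commands entered above; it only covers commands that were explicitly re-assigned (the built-in level 0/1/15 commands never appear in the configuration), it does not model IOS automatically exposing parent keywords such as “show” or “configure”, and it assumes no AAA is in use.

```python
"""Audit 'privilege' and 'username' lines from a Cisco IOS running-config.

Added example, not from the post or from Cisco. Only commands that have been
explicitly re-assigned with 'privilege ...' are visible here; the built-in
level 0/1/15 commands never appear in the configuration, so they are not part
of the result. Parent-keyword auto-assignment (IOS also exposing 'show' when
'show running-config' is moved) is deliberately not modelled.
"""
import re

# Constructed sample, mirroring the commands typed in the post (not a capture).
SAMPLE_CONFIG = """\
username JUNIOR privilege 8 password CISCO
username SENIOR privilege 15 secret 5 $1$example$notArealHashValue
privilege exec level 1 show running-config
privilege exec level 15 show ip arp
privilege exec level 8 configure terminal
privilege exec level 8 debug ip routing
privilege exec level 8 undebug all
privilege exec level 8 show running-config
privilege configure level 8 interface
privilege interface level 8 shutdown
privilege interface level 8 no shutdown
"""

PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+?)\s*$")
USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\s+(password|secret)\b")

# Exec commands that should not sit below level 15 without a deliberate decision.
SENSITIVE_EXEC = {
    "show running-config": "reveals the configuration (filtered to the level, as the post shows)",
    "configure terminal": "opens configuration mode; every configure/interface command at or below the level is reachable",
    "debug all": "can saturate the CPU of the device",
}


def parse_privileges(config):
    """Map (mode, command) -> level.

    A command has exactly one privilege level, so the last assignment wins, as it
    does on the device: 'privilege exec level 8 show running-config' entered after
    'privilege exec level 1 show running-config' leaves the command at level 8.
    """
    assigned = {}
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            mode, level, cmd = m.group(1), int(m.group(2)), m.group(3)
            assigned[(mode, cmd)] = level
    return assigned


def parse_users(config):
    """Map username -> (privilege level, 'password' or 'secret')."""
    users = {}
    for line in config.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            users[m.group(1)] = (int(m.group(2)), m.group(3))
    return users


def reachable(assigned, level):
    """Re-assigned commands a user at `level` may run: everything at that level
    or below, because level 8 inherits levels 0-7 and level 15 inherits all."""
    return sorted(key for key, lvl in assigned.items() if lvl <= level)


def audit(config):
    """Return the findings a reviewer would raise against this configuration."""
    findings = []
    assigned = parse_privileges(config)
    for name, (level, kind) in sorted(parse_users(config).items()):
        if kind == "password":
            findings.append(f"user {name}: 'password' stores a reversible (type 0/7) string; use 'secret'")
        for mode, cmd in reachable(assigned, level):
            if mode == "exec" and cmd in SENSITIVE_EXEC and level < 15:
                findings.append(f"user {name} (level {level}) can run '{cmd}': {SENSITIVE_EXEC[cmd]}")
    for (mode, cmd), lvl in sorted(assigned.items()):
        if mode == "exec" and cmd in SENSITIVE_EXEC and lvl <= 1:
            findings.append(f"'{cmd}' is at level {lvl}: every logged-in user gets it")
    return findings


if __name__ == "__main__":
    privs = parse_privileges(SAMPLE_CONFIG)
    for lvl in (1, 8, 15):
        print(f"level {lvl}:", [f"{m} {c}" for m, c in reachable(privs, lvl)])
    for finding in audit(SAMPLE_CONFIG):
        print("finding:", finding)
```

Run it against “show running-config” output copied from a device (replace SAMPLE_CONFIG with the file contents). Note that because the level 1 assignment of show running-config is overridden by the later level 8 one, the script reports nothing reachable for a level 1 user beyond the built-in commands, which matches what the device would do.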
Let’s test our new user account:
Router(config)#line con 0
Router(config-line)#login local
Don’t forget to enable local authentication or we won’t get a username/password prompt…
Router con0 is now available

Press RETURN to get started.

User Access Verification

Username: JUNIOR
Password:
After entering the credentials we can check the privilege level:
Router#show privilege 
Current privilege level is 8
The level is looking good. Let’s try some debug commands:
Router#debug ?  
  all  Enable all debugging
  ip   IP information

Router#debug ip ?
  routing  Routing table events
The only debug we can use is debug ip routing. Note that debug all also shows up in the help output; that is a side effect of assigning undebug all, since undebug is the same as no debug, so check on your own platform whether the user can actually enable it. What about the configuration commands?
Router#configure terminal 
Router(config)#interface fastEthernet 0/1
Router(config-if)#?
Interface configuration commands:
  default   Set a command to its defaults
  exit      Exit from interface configuration mode
  help      Description of the interactive help system
  no        Negate a command or set its defaults
  shutdown  Shutdown the selected interface
These are the only commands available. Let’s shut the interface:
Router(config)#interface fastEthernet 0/1
Router(config-if)#shutdown
If this user runs the show running-config command, it won’t see the entire configuration, only the commands that its privilege level is allowed to use:
Router#show running-config 
Building configuration...

Current configuration : 930 bytes
!
boot-start-marker
boot-end-marker
!
!
interface Loopback0
!
interface FastEthernet0/1
 shutdown
There’s more in the configuration but this user is only allowed to see the shutdown command.
That’s all I wanted to show for now, I hope this is helpful to you! If you have any questions just leave a comment…
