Friday, September 26, 2008

Cisco IOS privilege levels

The Cisco IOS supports 16 levels of privilege. By default user exec mode has privilege level 1 and privilege exec has privilege level 15. Upon initial access with a default configuration you are in exec mode with privilege level 1. This allows access to the basic commands show as ‘show ip route’ or ‘show ip interface’.

To access the complete command set users enter privilege exec mode by typing ‘enable’ and by default this moves the user to privilege level 15. As such this represents an ‘all or nothing’ approach to providing access within the IOS.

Within the IOS command set it is possible to configure further privilege levels that furnish access to pre-defined commands only. Thus providing a more graded approach to access.

First to view the default privilege level of commands this can be done by making use of the show parser dump command. For example

R3#show parser dump exec inc show ip interface brief
1 show ip interface brief

R3#show parser dump exec inc debug ip packet detail
15 debug ip packet detail
15 no debug ip packet detail
15 undebug ip packet detail

In the above show ip interface brief can be seen as available at privilege level 1, whereas debug ip packet detail is available at privilege level 15.

As an example I make the debug ip packet detail command available at level 7. There are 2 steps involved: create the enable password for level 7 and then redefine the privilege level of the required command.

R3(config)#enable password level 7 RICH
R3(config)#privilege exec level 7 debug ip packet detail
R3(config)#privilege exec level 7 undebug ip packet detail

I then validate my solution….

R3>show privilege
Current privilege level is 1

Indicates current privilege level as 1

R3>debug ip packet detail
% Invalid input detected at '^' marker.

Indicates command is not available at privilege level 1

R3>enable 7
R3#debug ip packet detail
IP packet debugging is on (detailed)

I log into privilege level 7 and I am now able to execute said command!

It is possible to assign users to specific privilege levels by default at login time. This can be achieved in either at the user level (see below)

R3(config)#username rich privilege 7 password rich
R3(config)#line vty 0 4
R3(config-line)#privilege level 7

On the cisco doc cd the info is available under IOS Security Guide Configuration

No comments: