Using the “enable” Command To Set CLI Privilege Level

Last week I introduced the topic of privilege levels in Cisco IOS. I covered the fact that a user at privilege level x has access to any command whose privilege level is less than or equal to x. To keep the material digestible, I only introduced the concepts. This week, we will look at one of three ways to assign a privilege level in IOS. Today’s method uses the “enable” command and, in my opinion, is the simplest method in concept. However, it does not scale to enterprise environments.

To use the “enable” command for different privilege levels, we need to create multiple “enable” passwords: one for each level of authorization greater than 1. Remember that privilege level 1 is user exec mode, the mode a user is in prior to typing “enable”. So to create multiple privilege levels using the “enable” configuration command, we just need to make a slight modification to the “enable password” or “enable secret” command.

//password "ena7" for privilege level 7
R1(config)#enable secret level 7 ena7

//password "ena15" for privilege level 15
R1(config)#enable secret level 15 ena15

//the default version of the command 
//could have been used for level 15
R1(config)#enable secret ena15
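
The following Python audit is an added example, not part of the original post. It parses the per-level “enable” lines as a running-config stores them and flags weak storage forms (cleartext or type 7 “enable password”, MD5-based type 5 secrets). The sample config, its placeholder hash strings and the function names are constructed for illustration.

```python
import re

# "enable secret|password [level N] [type] value" as stored in a running-config.
ENABLE_RE = re.compile(
    r"^enable\s+(?P<kind>secret|password)"
    r"(?:\s+level\s+(?P<level>\d+))?"      # omitted level means 15
    r"(?:\s+(?P<type>\d+)(?=\s+\S))?"      # type digit only if a value follows it
    r"\s+(?P<value>\S+)\s*$"
)

# Storage forms worth flagging; anything else is reported as "ok".
WEAK = {
    ("password", 0): "cleartext in config; use enable secret",
    ("password", 7): "type 7 is reversible obfuscation; use enable secret",
    ("secret", 5): "type 5 is MD5-based; prefer type 8 or 9 where supported",
    ("secret", 4): "type 4 is deprecated",
}

# Constructed sample; the hash strings are placeholders, not real hashes.
SAMPLE_CONFIG = """\
hostname R1
enable secret level 7 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
enable secret 9 $9$PLACEHOLDER$yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
enable password level 5 ena5
enable password 7 0000PLACEHOLDER
"""

def audit_enable_lines(config_text):
    """Return a sorted list of (level, kind, type, finding), one per enable line."""
    results = []
    for line in config_text.splitlines():
        m = ENABLE_RE.match(line.strip())
        if not m:
            continue
        level = int(m["level"] or 15)
        ptype = int(m["type"] or 0)        # no type digit: value is cleartext
        results.append((level, m["kind"], ptype,
                        WEAK.get((m["kind"], ptype), "ok")))
    return sorted(results)

def levels_with_both_forms(results):
    """Levels that carry both an enable password and an enable secret."""
    pw = {lvl for lvl, kind, _, _ in results if kind == "password"}
    sec = {lvl for lvl, kind, _, _ in results if kind == "secret"}
    return sorted(pw & sec)

if __name__ == "__main__":
    for row in audit_enable_lines(SAMPLE_CONFIG):
        print("level %2d  enable %-8s type %d  %s" % row)
```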

In order to use these different privilege levels, we need to slightly alter how we use the “enable” user exec mode command. Normally, to enter privileged exec mode, we simply type the word “enable”. However, if there is a need to specify the level, the number indicating the level should follow the command.

For example:

R1>enable 7
Password:
R1#

For the purpose of verifying the privilege level of the current user’s context, Cisco provides the “show privilege” command. Using a simple configuration with telnet enabled, we can see the different privilege levels we have access to based on the configuration provided above.

//privilege level 1
TestPC#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Password:
R1>show priv
Current privilege level is 1
R1>enable
Password:<ena15>
R1#show privilege
Current privilege level is 15
R1#
R1#exit

[Connection to 192.168.1.1 closed by foreign host]

//privilege level 7
TestPC#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Password:
R1>enable 7
Password:<ena7>
R1#show privilege
Current privilege level is 7
R1#exit

[Connection to 192.168.1.1 closed by foreign host]

//privilege level 15
TestPC#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Password:
//note, the "15" is unnecessary because it is the default for the command
R1>enable 15
Password:<ena15>
R1#show privilege
Current privilege level is 15
R1#
R1#exit

[Connection to 192.168.1.1 closed by foreign host]

At this point the privilege level still seems convoluted and pointless. Next week, we will go over another way to set the privilege level that might make sense in a small business environment. This will all seem more relevant when we start adjusting the privilege levels of commands.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.

2 Responses to Using the “enable” Command To Set CLI Privilege Level

  1. Pingback: Setting Privilege Levels With Local Usernames | PacketU

  2. DoofusGoofus says:

    Dear Paul,

    Will the following CLI command lock me out of the switch?

    Router(config)#privilege exec level 15 enable

    I found that after entering this command, I am not able to get into the privilege executable prompt – Router#

    I am always stuck at the user privilege prompt – Router>

    And the “enable” command mysteriously disappears when I type the “?” Command.

    Please help!
