Last week I introduced the topic of privilege levels in Cisco IOS. I covered the fact that a user at privilege level x has access to any command whose level is less than or equal to x. In an effort to keep this concept digestible, I only introduced the concepts. This week, we will look at one of three ways to assign a privilege level in IOS. Today’s method utilizes the “enable” command and, in my opinion, is the simplest method in concept. However, it does not scale to enterprise environments.
To utilize the “enable” command for different privilege levels, we need to create multiple “enable” passwords: one for each level of authorization greater than 1. Remember that privilege level 1 is user exec mode, which is the mode a user is in prior to typing “enable”. So to create multiple privilege levels using the “enable” configuration command, we just need to make a slight modification to the “enable password” or “enable secret” command by adding the “level” keyword.
```
//password "ena7" for privilege level 7
R1(config)#enable secret level 7 ena7
//password "ena15" for privilege level 15
R1(config)#enable secret level 15 ena15
//the default version of the command
//could have been used for level 15
R1(config)#enable secret ena15
```
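As an added example (not part of the original post, and not a Cisco tool), the following Python script parses the “enable secret level N” and “enable password level N” lines from a running-config and reports which privilege levels have an entry point and how each one is stored. The config excerpt is constructed for the example; the hash and type-7 values in it are placeholders, not real credentials. It assumes only the command forms shown above (the optional “level N” and the optional encryption-type digit that IOS writes in front of a stored hash) and treats a missing “level” as 15, which is the IOS default.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt (not from a real device). The hash and
# type-7 strings are placeholders standing in for what IOS writes after
# "enable secret ..." / "enable password ..." have been applied.
SAMPLE_CONFIG = """\
!
hostname R1
!
enable secret level 7 5 $1$PLCH$placeholderhashXXXXXXXXX
enable password level 5 7 0123456789ABCDEF
enable secret 5 $1$PLCH$placeholderhashYYYYYYYYY
!
line vty 0 4
 password placeholder
 login
!
"""

# enable {secret|password} [level N] [encryption-type] value
# The encryption-type group is optional so the clear-text form typed at the
# CLI ("enable secret level 7 ena7") parses as well as the stored form.
ENABLE_RE = re.compile(
    r"^\s*enable\s+(?P<kind>secret|password)"
    r"(?:\s+level\s+(?P<level>\d+))?"
    r"(?:\s+(?P<etype>\d+))?"
    r"\s+(?P<value>\S+)\s*$"
)


def parse_enable_lines(config: str) -> Dict[int, dict]:
    """Return {privilege_level: {"kind", "etype", "value"}} for each enable line."""
    levels: Dict[int, dict] = {}
    for line in config.splitlines():
        m = ENABLE_RE.match(line)
        if not m:
            continue
        level = int(m.group("level") or 15)  # IOS default when "level" is omitted
        levels[level] = {
            "kind": m.group("kind"),      # "secret" or "password"
            "etype": m.group("etype"),    # None when the value is clear text
            "value": m.group("value"),
        }
    return levels


def audit_enable_levels(config: str) -> List[str]:
    """Defender-side review of how each privilege level's entry point is stored."""
    levels = parse_enable_lines(config)
    findings: List[str] = []
    for level in sorted(levels):
        entry = levels[level]
        if entry["kind"] == "password":
            findings.append(
                f"level {level}: 'enable password' is clear text or reversible "
                f"type 7; use 'enable secret' instead"
            )
        elif entry["etype"] in (None, "0"):
            findings.append(
                f"level {level}: secret is in clear text; IOS stores only a hash "
                f"once the line is applied, so this is a template or unapplied config"
            )
        elif entry["etype"] == "5":
            findings.append(
                f"level {level}: type 5 (MD5) secret; prefer type 8 or 9 "
                f"where the IOS release supports it"
            )
    if 15 not in levels:
        findings.append(
            "level 15: no enable secret configured; 'enable' from a vty line "
            "is refused with '% No password set'"
        )
    return findings


if __name__ == "__main__":
    for lvl, entry in sorted(parse_enable_lines(SAMPLE_CONFIG).items()):
        print(f"privilege level {lvl:2d}: enable {entry['kind']} (type {entry['etype']})")
    for finding in audit_enable_levels(SAMPLE_CONFIG):
        print("finding:", finding)
```

Each level that has an enable secret is a separate entry point into the device, so the audit lists them in order; the level-15 check matters because without any enable secret a telnet user cannot leave user exec mode at all.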
In order to use these different privilege levels, we need to slightly alter how we use the “enable” command from user-exec mode. Normally, to enter privileged-exec mode, we simply type the word “enable”. However, if there is a need to specify the level, the number indicating the level should follow the command.
```
R1>enable 7
Password:
R1#
```
For the purpose of verifying the privilege level of the current user’s context, Cisco provides the “show privilege” command. Using a simple configuration with telnet enabled, we can see the different privilege levels we have access to based on the configuration provided above.
```
//privilege level 1
TestPC#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Password:
R1>show priv
Current privilege level is 1
R1>enable
Password:<ena15>
R1#show privilege
Current privilege level is 15
R1#
R1#exit

[Connection to 192.168.1.1 closed by foreign host]

//privilege level 7
TestPC#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Password:
R1>enable 7
Password:<ena7>
R1#show privilege
Current privilege level is 7
R1#exit

[Connection to 192.168.1.1 closed by foreign host]

//privilege level 15
TestPC#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Password:
//note, the "15" is unnecessary because it is the default for the command
R1>enable 15
Password:<ena15>
R1#show privilege
Current privilege level is 15
R1#
R1#exit

[Connection to 192.168.1.1 closed by foreign host]
```
At this point the privilege level still seems convoluted and pointless. Next week, we will go over another way to set the privilege level that might make sense in a small business environment. This will all seem more relevant when we start adjusting the privilege levels of commands.