Last week we looked at options for configuring privilege levels in Cisco IOS devices. I mentioned that there are three primary methods for doing this. The first method, which we focused on last week, was using the enable command. This article looks at a method that is more practical in an environment where multiple administrators log in to IOS devices. It builds on our understanding of the local user database and places each user in the appropriate privilege level based on the level assigned to that user account.
Using the local user database for authentication is easy. There is no need for “aaa new-model” or the complexity that brings along. Before we get into privilege levels, let’s first look at a router configured for local user authentication.
```
//create a local username
R1(config)#username cisco password cisco
//attach 'local' user db to vty lines
R1(config)#line vty 0 15
R1(config-line)#login local
//attach it to the console/aux (if desired)
R1(config-line)#line con 0
R1(config-line)#login local
R1(config-line)#line aux 0
R1(config-line)#login local
```
At this point, a user connecting to the device is prompted for a “username” as opposed to simply being asked for a password. Nothing else has really changed. The user will still be placed into privilege level 1 and will need to use the enable command to gain access to more destructive commands. To demonstrate this, we can telnet into the device.
Testing from TestPC
```
TestPC#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Username: cisco
Password:
R1>show priv
Current privilege level is 1
R1>exit
```
At this point, adding privilege levels to our users is quite simple. To demonstrate, let’s configure two additional user accounts to represent privilege level 7 and 15 respectively.
Adding Users with Privilege Levels
```
R1(config)#username cisco7 privilege 7 password 0 cisco
R1(config)#username cisco15 privilege 15 password 0 cisco
```
At this point our entire configuration, as relevant to this article, contains the following.
```
R1#show run | include username|line|login
username cisco privilege 7 password 0 cisco
username cisco7 privilege 7 password 0 cisco
username cisco15 privilege 15 password 0 cisco
line vty 0 15
 login local
line con 0
 login local
line aux 0
 login local
```
To test the two new privilege levels, we can simply log in to the device through telnet, the console, or the aux port.
Testing User Privilege Level
```
//testing user cisco7
TestPC#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Username: cisco7
Password:
R1#show priv
Current privilege level is 7
R1#exit

[Connection to 192.168.1.1 closed by foreign host]

//testing user cisco15
TestPC#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Username: cisco15
Password:
R1#show priv
Current privilege level is 15
R1#exit

[Connection to 192.168.1.1 closed by foreign host]
TestPC#
```
As the test shows, each user is placed directly into the appropriate privilege level. The user assigned privilege level 7 can run commands at privilege level 7 or below, while the user at privilege level 15 has access to everything. If there is no need to change privilege level after authenticating, the enable command is unnecessary.

It is worth noting that, by default, commands exist only at levels 0, 1 and 15. Therefore cisco and cisco7 have exactly the same access unless the privilege levels of individual commands have been changed. Next week we will bring command privilege levels into the discussion, and the real-world applicability of privilege levels will become apparent.
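Because the effective access of a local account is decided by the privilege value on its `username` line (defaulting to 1 when omitted) and by how its password is stored, a reviewer will often want to audit a saved `show running-config` for exactly those two things. The following script is an added example, not part of the original article or of Cisco IOS: it parses `username` lines of the form shown above into user records and flags level-15 accounts and passwords stored as type 0 or type 7. The sample configuration embedded in it is constructed for the example, with a placeholder hash on the `secret 5` line.

```python
import re
from typing import List, NamedTuple

# Constructed sample of 'show running-config' output, modelled on the article's configuration.
# The type-5 hash on the 'ops' line is a placeholder, not a real secret.
SAMPLE_RUNNING_CONFIG = """\
username cisco password 0 cisco
username cisco7 privilege 7 password 0 cisco
username cisco15 privilege 15 password 0 cisco
username ops secret 5 $1$PLACEHOLDER$HASHVALUE
line vty 0 15
 login local
line con 0
 login local
line aux 0
 login local
"""

class LocalUser(NamedTuple):
    name: str
    privilege: int   # 1 if the username line carries no 'privilege' keyword
    storage: str     # 'password' or 'secret'
    enc_type: int    # 0 = cleartext, 7 = reversible, 5 = MD5 secret, ...

# Matches 'username NAME [privilege N] (password|secret) TYPE VALUE' as printed by show run.
USERNAME_RE = re.compile(
    r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?\s+(password|secret)\s+(\d+)\s+\S+"
)

def parse_local_users(config: str) -> List[LocalUser]:
    """Extract local user entries; a missing privilege keyword means level 1 on IOS."""
    users = []
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            name, priv, storage, enc = m.groups()
            users.append(LocalUser(name, int(priv) if priv else 1, storage, int(enc)))
    return users

def audit_local_users(config: str) -> List[str]:
    """Return findings a reviewer would raise: full-access accounts and weakly stored passwords."""
    findings = []
    for u in parse_local_users(config):
        if u.privilege == 15:
            findings.append(f"{u.name}: privilege 15 (full access without 'enable')")
        if u.storage == "password" and u.enc_type in (0, 7):
            findings.append(f"{u.name}: password stored as type {u.enc_type} (recoverable)")
    return findings

if __name__ == "__main__":
    for finding in audit_local_users(SAMPLE_RUNNING_CONFIG):
        print(finding)
```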