Setting Privilege Levels With Local Usernames

Last week we looked at options for configuring privilege levels in Cisco IOS devices. I mentioned that there are three primary methods for doing this. The first method, which we focused on last week, was using the enable command. This article looks at a method that is more practical in an environment where multiple administrators log in to IOS devices. This method expands on our understanding of the local user database and places each user in the appropriate privilege level based on the level assigned to that account.

Using the local user database for authentication is easy. There is no need for “aaa new-model” or the complexity that comes with it. Before we get into privilege levels, let’s first look at a router configured for local user authentication.

R1 Configuration

//create a local username
R1(config)#username cisco password cisco

//attach 'local' user db to vty lines
R1(config)#line vty 0 15
R1(config-line)#login local

//attach it to the console/aux (if desired)
R1(config-line)#line con 0
R1(config-line)#login local
R1(config)#line aux 0
R1(config-line)#login local

At this point, a user connecting to the device is prompted for a “username” as opposed to simply being asked for a password. Nothing else has really changed. The user will still be placed into privilege level 1 and will need to use the enable command to gain access to more destructive commands. To demonstrate this, we can telnet into the device.

Testing from TestPC

TestPC#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Username: cisco
Password:
R1>show priv
Current privilege level is 1
R1>exit

At this point, adding privilege levels to our users is quite simple. To demonstrate, let’s configure two additional user accounts at privilege levels 7 and 15 respectively.

Adding Users with Privilege Levels

R1(config)#username cisco7 privilege 7 password 0 cisco
R1(config)#username cisco15 privilege 15 password 0 cisco

At this point our entire configuration, as relevant to this article, contains the following.

R1#show run | include username|line|login

username cisco password 0 cisco
username cisco7 privilege 7 password 0 cisco
username cisco15 privilege 15 password 0 cisco

line vty 0 15
 login local
line con 0
 login local
line aux 0
 login local

To test the two new privilege levels, we can simply log in to the device through telnet, the console or the aux port.

Testing User Privilege Level

//testing user cisco7

TestPC#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Username: cisco7
Password:
R1#show priv
Current privilege level is 7
R1#exit

[Connection to 192.168.1.1 closed by foreign host]

//testing user cisco15

TestPC#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Username: cisco15
Password:
R1#show priv
Current privilege level is 15
R1#exit

[Connection to 192.168.1.1 closed by foreign host]
TestPC#

As can be seen in the test, the users are immediately placed into the appropriate privilege level. The user at privilege level 7 can run commands that are at privilege level 7 or below. The user at privilege level 15 has access to everything. If there is no need to change the privilege level after authenticating, the enable command is unnecessary.

It is worth noting that commands are only at levels 0, 1 and 15 by default. Therefore, cisco and cisco7 have the same access unless the command privilege levels have been changed. Next week we will bring command privilege level into the discussion and the real world applicability of privilege levels will become apparent.
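As an added example (not from the article), the following Python audit parses a show run excerpt in the format shown above, reports each local user's effective privilege level (defaulting to 1, which IOS omits from the running config), flags users at levels 2 to 14 as having the level-1 command set when no privilege commands have moved anything, and notes lines that do not use login local. The sample configuration is constructed for the example.

```python
import re
# Constructed sample based on the article's excerpt; "line aux 0" gets a plain "login" to flag.
SAMPLE_CONFIG = """\
username cisco password 0 cisco
username cisco7 privilege 7 password 0 cisco
username cisco15 privilege 15 password 0 cisco
line vty 0 15
 login local
line aux 0
 login
"""
# username <name> [privilege N] password|secret <type> <string>
USERNAME_RE = re.compile(r"^username\s+(?P<name>\S+)(?:\s+privilege\s+(?P<priv>\d+))?"
                         r"\s+(?:password|secret)\s+(?P<type>\d+)\s+\S+")

def parse_users(config):
    """Map each local user to (privilege level, password type); IOS omits 'privilege 1'."""
    users = {}
    for line in config.splitlines():
        if m := USERNAME_RE.match(line.strip()):
            priv = int(m.group("priv")) if m.group("priv") else 1
            users[m.group("name")] = (priv, int(m.group("type")))
    return users

def parse_lines(config):
    """Map each 'line ...' section to whether it authenticates with 'login local'."""
    lines, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            lines[current] = False
        elif current and raw.strip() == "login local":
            lines[current] = True
    return lines

def audit(config):
    """Reviewer findings; levels 2-14 equal level 1 until 'privilege ... level N' moves commands."""
    findings = []
    moved = any(l.startswith("privilege ") for l in config.splitlines())
    for name, (priv, ptype) in sorted(parse_users(config).items()):
        if priv == 15:
            findings.append(f"{name}: level 15, full access without enable")
        elif 2 <= priv <= 14 and not moved:
            findings.append(f"{name}: level {priv}, but same command set as level 1")
        if ptype == 0:
            findings.append(f"{name}: type 0 password, stored in clear text")
    for line_name, local in parse_lines(config).items():
        if not local:
            findings.append(f"line {line_name}: not using 'login local'")
    return findings
```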


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.

5 Responses to Setting Privilege Levels With Local Usernames

  1. Elvin Arias says:

    Just a word: Awesome!

    Thanks for the article.

    Elvin

  2. Kev Pearce says:

    Hi, great article. Do you know if the ASA has the equivalent of ‘show priv’? Cheers, Kev.


  4. Alan says:

    Hi, thanks for this article.
    Do you know if it is possible to give the show running privilege (privilege exec all level 7 show running-config) but with hiding the snmp community?
    Thank you.
