Changing Privilege Levels For Cisco IOS Commands

Over the past couple of weeks, the concept of privilege level has been addressed from the perspective of the user. This article will make use of privilege levels by moving IOS commands away from their default levels of 0, 1 and 15. That ability is what actually makes assigning users varying privilege levels useful.

Challenge–

You are the network administrator for an organization with several routers. Your organization is large enough that three users have the potential need to access the network equipment. However, you don’t want to invest in the cost of an ACS server. You plan to configure each device to allow users to log in with unique credentials. The three users are John, Jane, and Mike. They must have access to the following commands:

Mike–Access to All Commands
Jane–Interface Configuration, View System Clock
John–View System Clock

Jane and John should also be able to access anything that is typically accessible for non-privileged users. However, only Mike should be able to view the route table.

The first clue here is that the local user database will be used. This is true because it was stated that an ACS server would not be used, but that users would enter unique credentials. The configuration below is very similar to last Thursday’s PacketU article.

Configuring Local Usernames With Privilege Levels

//create local usernames
R1(config)#username John password cisco
R1(config)#username Jane privilege 7 password 0 cisco
R1(config)#username Mike privilege 15 password 0 cisco

//attach the 'local' user db to vty lines
R1(config)#line vty 0 15
R1(config-line)#login local

//attach the 'local' user db to the console/aux (if desired)
R1(config-line)#line con 0
R1(config-line)#login local
R1(config-line)#line aux 0
R1(config-line)#login local

With the usernames created, the next step is to change the privilege levels of the applicable commands. The challenge stated that Jane should be able to modify interface configurations and that John should have access to view the system clock. The challenge also stated that ONLY Mike should have access to view the routing table.

The first step in this process is to assess what rights John has by default. Mike’s privilege level of 15 will be confirmed during the final testing phase; at that level he can access everything. Jane, at privilege level 7, has the same command access as John until the privilege levels of commands are changed. The reason for this is that commands only exist at levels 0, 1 and 15 by default, and a user can access any command that exists at the same or a lower privilege level than their own. Since we haven’t moved any commands to a different privilege level yet, Jane’s initial access will be the same as John’s.

John’s Initial Access

TestPC>telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Username: John
Password:

//check the privilege level
R1>show priv
Current privilege level is 1
R1>

//determine if the route table is accessible
R1>show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet0/0

//test access to other show commands
R1>show int s0/0
Serial0/0 is administratively down, line protocol is down
  Hardware is PowerQUICC Serial
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 247/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input 01:33:15, output 01:33:15, output hang never
  Last clearing of "show interface" counters 01:33:13
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up  DSR=up  DTR=down  RTS=down  CTS=up

//determine if access to configuration mode is granted
R1>conf t
      ^
% Invalid input detected at '^' marker.

R1>c?
call  clear  connect  crypto

//test access to show clock
R1>show clock
07:48:43.555 UTC Sat Aug 11 2012
R1>

From this, we can see that John (and therefore Jane, at this point) has access to view the routing table and the system clock. John does not have access to “configuration” mode. This is fine for John, but Jane will need it to configure interfaces. Therefore our challenge is as follows:

  • Remove John and Jane’s access to view the route table
  • Allow Jane to configure interfaces
  • Maintain John’s access to the “show clock” command

The next step in this process is to move the relevant commands to the appropriate privilege level so that Jane can configure the interfaces.


//enabling configure mode for priv 7 users
R1(config)#privilege exec level 7 configure terminal
R1(config)#

Before moving forward, let’s just see how far Jane can get in her interface management tasks.

TestPC>telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Username: Jane
Password:

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#interface s0/0
           ^
% Invalid input detected at '^' marker.

R1(config)#

As seen above, Jane can now access global configuration mode. However, she cannot enter the “interface” configuration mode. That needs to be moved to privilege level 7 as well.

//enabling interface config mode for priv 7
R1(config)#privilege configure level 7 interface

Let’s test Jane’s access again.

TestPC>telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Username: Jane
Password:

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#interface s0/0
R1(config-if)#ip address 1.1.1.1 255.255.255.0
              ^
% Invalid input detected at '^' marker.

R1(config-if)#?
Interface configuration commands:
  default  Set a command to its defaults
  exit     Exit from interface configuration mode
  help     Description of the interactive help system
  no       Negate a command or set its defaults

Now Jane has access to move into interface configuration mode. However, interface sub commands, including “shutdown” and “ip”, are not available. To rectify this, we need to use “all” in the privilege command. This instructs IOS to move all sub commands to the same privilege level.

//move ALL interface sub commands to priv 7
R1(config)#privilege configure all level 7 interface

Now let’s test one more time.

TestPC>telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Username: Jane
Password:

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#interface s0/0
R1(config-if)#?
Interface configuration commands:
  access-expression           Build a bridge boolean access expression
  appletalk                   Appletalk interface subcommands
  arp                         Set arp type (arpa, probe, snap) or timeout
  asp                         ASP interface subcommands
  auto                        Configure Automation
  autodetect                  Autodetect Encapsulations on Serial interface
  backup                      Modify backup parameters
  bandwidth                   Set bandwidth informational parameter
  bgp-policy                  Apply policy propagated by bgp community string
  bridge-group                Transparent bridging interface parameters
  bsc                         BSC interface subcommands
  bstun                       BSTUN interface subcommands
  carrier-delay               Specify delay for interface transitions
  cdp                         CDP interface subcommands
  clns                        CLNS interface subcommands
  clock                       Configure serial interface clock
  compress                    Set serial interface for compression
  crypto                      Encryption/Decryption commands
  custom-queue-list           Assign a custom queue list to an interface
  dampening                   Enable event dampening
  dce-terminal-timing-enable  Enable DCE terminal timing

R1(config-if)#shut
R1(config-if)#ip address 1.1.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#

As can be seen from the output above, Jane now has the access required to meet the second requirement in the bulleted list. Next, let’s work on removing Jane and John’s access to the “show ip route” command. We simply need to move that command up to privilege level 15.

R1(config)#privilege exec level 15 show ip route
R1(config)#

Now let’s see if Jane is properly restricted from viewing the IP routing table.

TestPC>telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Username: Jane
Password:

R1#show ip route
    ^
% Invalid input detected at '^' marker.

Since this seems to work, let’s just confirm that John still has access to view the system clock.

TestPC>telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Username: John
Password:
R1>show clock
    ^
% Unrecognized command

R1>show ?
% Unrecognized command

As can be seen above, John can no longer access any “show” commands. Let’s take a quick look at the configuration and see what is going on.

R1(config)#do show run | inc priv
privilege configure all level 7 interface
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 15 show ip route
privilege exec level 15 show ip
privilege exec level 15 show

It appears that, in its infinite wisdom (or the wisdom of someone far more intelligent than me), the IOS CLI brings the base command up to the privilege level along with the sub commands. In other words, “privilege exec level 15 show ip route” adds the following commands to the configuration.

privilege exec level 15 show
privilege exec level 15 show ip
privilege exec level 15 show ip route

To resolve this, “show clock” needs to be returned to level 1, which means the “show” base command has to come back down to level 1 as well.

R1(config)#privilege exec level 1 show
R1(config)#privilege exec level 1 show clock

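The behaviour seen above (a child command drags its parents to the new level, “all” covers every sub command, and a command only runs when each of its prefixes is reachable) can be checked before a change is pushed to a router. The following Python model is an added example, not part of the original article: the default levels it assumes for the article’s commands (exec at 1 except “configure” at 15, configure mode at 15) and the IOS semantics it encodes are a deliberate simplification and are marked as assumptions in the code.

```python
"""Simplified model of IOS 'privilege' statements, written as an added example
(not the article's code) to reproduce the command-access behaviour the
article's telnet sessions show."""

# Assumed defaults for the commands the article uses: exec commands at 1
# except 'configure' (15); configure-mode commands at 15.
DEFAULTS = {("exec", "configure"): 15, ("exec", "configure terminal"): 15}
MODE_DEFAULT = {"exec": 1, "configure": 15}

def build_model(config_lines):
    """Map (mode, command) -> level; (mode, command, "all") records 'all' rules."""
    model = {}
    for line in config_lines:
        _, mode, *rest = line.split()     # privilege <mode> [all] level <n> <cmd>
        is_all = rest[0] == "all"
        level, cmd = int(rest[1 + is_all]), rest[2 + is_all:]
        # IOS also pulls every parent to the new level: 'show ip route'
        # yields entries for 'show', 'show ip' and 'show ip route'.
        for i in range(1, len(cmd) + 1):
            model[(mode, " ".join(cmd[:i]))] = level
        if is_all:
            model[(mode, " ".join(cmd), "all")] = level
    return model

def level_of(model, mode, command):
    """Explicit entry first, then the nearest 'all' ancestor, then the default."""
    if (mode, command) in model:
        return model[(mode, command)]
    words = command.split()
    for i in range(len(words) - 1, 0, -1):
        if (mode, " ".join(words[:i]), "all") in model:
            return model[(mode, " ".join(words[:i]), "all")]
    return DEFAULTS.get((mode, command), MODE_DEFAULT[mode])

def can_run(model, user_level, mode, command):
    # A command runs only if it and every parent prefix sit at or below user_level.
    words = command.split()
    return all(level_of(model, mode, " ".join(words[:i])) <= user_level
               for i in range(1, len(words) + 1))

def audit(config_lines, requirements):
    """Return (user, mode, command) for each requirement the config violates."""
    model = build_model(config_lines)
    return [(u, m, c) for u, lvl, m, c, allowed in requirements
            if can_run(model, lvl, m, c) != allowed]

# Constructed input: the article's statements before and after the 'show' fix.
BEFORE_FIX = ["privilege exec level 7 configure terminal",
              "privilege configure all level 7 interface",
              "privilege exec level 15 show ip route"]
AFTER_FIX = BEFORE_FIX + ["privilege exec level 1 show", "privilege exec level 1 show clock"]
```

Running `audit` over BEFORE_FIX with John’s “show clock” requirement reproduces the “% Unrecognized command” failure above as a violation, and over AFTER_FIX it reports none.
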
At this point, we should be ready for final testing.

TestPC>telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Username: John
Password:
R1>show clock
08:18:43.555 UTC Sat Aug 11 2012
R1>
R1>show ip route
        ^
% Invalid input detected at '^' marker.

R1>conf t
      ^
% Invalid input detected at '^' marker.

John’s access and restrictions are as required. Next we’ll confirm Jane’s access.

TestPC>telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Username: Jane
Password:

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
R1(config)#interface s0/0
R1(config-if)#shut
R1(config-if)#ip address 2.2.2.2 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#exit
R1#show ip route
        ^
% Invalid input detected at '^' marker.

R1#show clock
08:12:43.555 UTC Sat Aug 11 2012
R1#

Finally, let’s confirm Mike’s access level and his access to view the route table.

TestPC>telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Username: Mike
Password:

R1#show priv
Current privilege level is 15
R1#
R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet0/0

This article brings several concepts together. In the previous few weeks, articles have addressed the concept of privilege from the perspective of the user. However, until the commands were moved to different privilege levels, as they were in this article, the benefits were negligible. By assigning users to certain privilege levels and modifying the privilege level required to access key commands, an administrator can grant granular access to the commands necessary for each job function.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.

4 Responses to Changing Privilege Levels For Cisco IOS Commands

  1. Pingback: security habits… | ccie or die

  2. Darko says:

    Can this be done with parser views?

  3. luritie says:

    Thanks!!!

  4. Pingback: Cisco Logging Levels | toptencreditcardcompanies.com
