10.2 Basic Security
10.2.7 Controlling privilege levels
The two default levels of access are user and privileged. The user level allows users to perform certain commands but does not give them the ability to modify the configuration or perform a debug. At the other end of the spectrum, the privileged level allows users to issue all commands, including configuration and debug commands.

The Cisco IOS command set provides users with levels of privilege access. This is accomplished by using the privilege level command, which allows network administrators to provide a more granular set of access rights to Cisco network devices. Sixteen different levels of privilege can be set, ranging from 0 to 15. Level 1 is the default user EXEC privilege. The highest level, 15, allows the user to have all rights to the device. Level 0 can be used to specify a more limited subset of commands for specific users or lines. For example, you can allow user "guest" to use only the show users and exit commands.

Note: The five commands associated with privilege level 0 are disable, enable, exit, help, and logout. If you configure a centralized authorization server, such as an AAA server, for a privilege level greater than 0, these five commands will not be included.

At other privilege levels you must specify the commands that are authorized for that privilege level. Use the privilege command to define the commands that can be entered at that privilege level:

Router(config)#privilege mode level level command

where mode equals one of the entries in Figure. Use the enable secret level level password command to set the password for the privilege level. The following example shows a user named "student" logging in with a privilege level of 3. Privilege level 3 has been assigned a password of "san-jose." The user will inherit all the commands that have been listed under the privilege mode level 3 command, as listed in Figure.
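As an added example (not part of the curriculum page), the configuration below builds the restricted level 0 "guest" and the custom level 3 "student" setups the text describes and then verifies the level from the student's session; the command list chosen for level 3 and the password placeholders other than "san-jose" are assumptions.

```cisco
! Added example, not from the curriculum. Values in <...> are placeholders;
! "san-jose" is the level 3 password used in the text.

! Level 0 normally allows only disable, enable, exit, help and logout.
! Assigning "show users" to level 0 lets a restricted "guest" run it too.
Router(config)# privilege exec level 0 show users
Router(config)# username guest privilege 0 secret <GUEST-PASSWORD>

! Build a custom level 3. Assigning a command to a level also makes its
! parent keywords ("show", "show ip") available at that level.
Router(config)# privilege exec level 3 ping
Router(config)# privilege exec level 3 show ip interface brief
Router(config)# privilege exec level 3 show ip route

! Password for "enable 3", plus a local account that lands on level 3.
Router(config)# enable secret level 3 san-jose
Router(config)# username student privilege 3 secret <STUDENT-PASSWORD>

! Make the vty lines authenticate against the local database so the
! per-user privilege level is applied at login.
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# end

! Verification from the student's session: the prompt shows "#" for any
! level above 1, "show privilege" reports 3, and a command left at
! level 15 (for example "debug ip packet") is rejected as unknown.
Router# show privilege
Current privilege level is 3
```

A user who reaches level 3 with "enable 3" and the san-jose password sees the same command set as the student account, so both paths should be reviewed together when auditing who can run which commands.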