Defining Per User Privileges
Problem
You want to set different privilege levels to different users.
Solution
To assign a particular privilege level to a user, use the following set of commands:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#aaa authorization exec default local
Router1(config)#username slowell privilege 10 password maceng#1
Router1(config)#privilege exec level 10 show ip route
Router1(config)#privilege exec level 1 show ip
Router1(config)#privilege exec level 1 show
Router1(config)#end
Router1#
You can also create several global privilege levels, which any user can access with the appropriate password:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#enable secret level 10 lvl10passwd
Router1(config)#privilege exec level 10 show ip route
Router1(config)#privilege exec level 1 show ip
Router1(config)#privilege exec level 1 show
Router1(config)#end
Router1#
Discussion
Sometimes having two privilege level groups doesn't give fine enough granularity. For example, you might have three levels of administrators. The user-level staff members are not allowed to see the router's routing table. The mid-level staff can see the routing table, but they aren't allowed to make configuration changes. Only the highest-level engineers have access to everything.
You could accomplish this by using either of the two methods shown in the recipe example. For example, you could create user accounts for the staff members, assigning the appropriate privilege level to each user or group of users. Or you could create user accounts for all of the users, and then have a series of different global enable levels. Either approach would work.
Our first example uses the username command, discussed in Recipe 3.1, to assign a particular privilege level to a username. We have assigned user slowell privilege level 10 and raised the privilege level of the command show ip route to 10. Without the aaa authorization exec command, the privilege level configured on the username is never applied: the user still lands at the default level when logging in. Note also that raising show ip route to level 10 raises its parent commands, show ip and show, to level 10 as well; the two privilege exec level 1 commands that follow move them back down so that level 1 users keep access to the rest of the show commands. Essentially, we have created a new privilege level, 10, and assigned it a single command. However, it also inherits the commands from all of the lower privilege levels:
Freebsd% telnet Router1
Trying 172.22.1.4...
Connected to Router1.
Escape character is '^]'.

User Access Verification

Username: slowell
Password:
Router1#show privilege
Current privilege level is 10
Router1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 172.22.1.3 to network 0.0.0.0

     172.22.0.0/24 is subnetted, 1 subnets
C       172.22.1.0 is directly connected, FastEthernet1/0
O*E1 0.0.0.0/0 [110/3] via 172.22.1.3, 00:15:56, FastEthernet1/0
Router1#disable 1
Router1>show ip route
                ^
% Invalid input detected at '^' marker.
Notice that when this user logs in, he automatically gets the increased privilege level without having to issue an enable command. He then executes the show ip route command, which we have assigned to level 10, so it works normally. If he then reduces his level to 1 and tries the show ip route command again, it doesn't work.
You could assign a username to privilege level 15 (enable level), but we do not recommend doing this. The extra layer of password protection and the stronger password storage that the enable secret command uses outweigh the convenience of assigning a user privilege level 15.
The second example defines a new privilege level using the enable secret command. You can also use the enable password command to define per-level passwords, but the enable secret command stores the password far more safely, as we showed in Recipe 3.5.
The second method has two distinct advantages over the first example. First, the enable secret command stores a salted MD5 hash (type 5) of the password in the configuration, rather than the reversible type 7 encoding that username ... password produces, so the level 10 password cannot be recovered by anyone who reads the configuration. If you do use the first method, prefer username ... secret over username ... password for the same reason, and on IOS releases that support it, enable algorithm-type scrypt (and username ... algorithm-type scrypt) produces a type 9 hash that is considerably harder to brute force than MD5. Second, it ensures that the new privilege level is available to all user-level staff, and not just the single username we assigned earlier.
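Both methods leave their traces in the running configuration, so a reviewer can check what a configuration actually grants without logging in. The script below is an added example, not part of the original recipe and not Cisco code: it parses the username, enable secret/password and privilege lines of a constructed running-config fragment (the hash strings are placeholders), lists which re-levelled commands a user at a given level may run, and flags credentials stored with reversible type 0/7 encoding, type 5 MD5 hashes, and usernames that log straight into level 15. It models only commands the configuration explicitly re-levels; commands left at their IOS defaults are not tracked, and the type 8/9 codes it recognises exist only on IOS releases that support enable algorithm-type.

```python
import re
from dataclasses import dataclass

# Constructed sample running-config fragment for illustration only; it is not
# captured from a real router, and the hash strings are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username slowell privilege 10 password 7 094F471A1A0A
username jdoe privilege 15 secret 5 $1$placeholder$notarealhash
username guest password 0 guest123
enable secret level 10 5 $1$placeholder$notarealhash
enable secret 9 $9$placeholder$notarealhash
privilege exec level 10 show ip route
privilege exec level 10 show logging
privilege exec level 1 show ip
privilege exec level 1 show
"""

# IOS password type codes as they appear in the configuration:
# 0 = cleartext, 7 = reversible obfuscation, 5 = salted MD5,
# 8 = PBKDF2-SHA256, 9 = scrypt.
REVERSIBLE_TYPES = {0, 7}
LEGACY_HASH_TYPES = {5}

USERNAME_RE = re.compile(
    r'^username (?P<name>\S+)(?: privilege (?P<level>\d+))? '
    r'(?P<kind>password|secret) (?P<type>\d+) \S+$')
ENABLE_RE = re.compile(
    r'^enable (?P<kind>secret|password)(?: level (?P<level>\d+))? '
    r'(?P<type>\d+) \S+$')
PRIV_RE = re.compile(r'^privilege (?P<mode>\S+) level (?P<level>\d+) (?P<cmd>.+)$')


@dataclass(frozen=True)
class Credential:
    owner: str       # username, or "enable" for a global enable-level password
    level: int       # privilege level the credential grants
    kind: str        # 'password' or 'secret'
    type_code: int   # IOS password type code


def parse_config(text):
    """Return (credentials, command_levels) parsed from a config fragment."""
    creds = []
    cmd_levels = {}  # (mode, command) -> privilege level
    for raw in text.splitlines():
        line = raw.strip()
        if m := USERNAME_RE.match(line):
            # A username without an explicit privilege keyword is level 1.
            creds.append(Credential(m['name'], int(m['level'] or 1),
                                    m['kind'], int(m['type'])))
        elif m := ENABLE_RE.match(line):
            # enable secret without "level" sets the level 15 password.
            creds.append(Credential('enable', int(m['level'] or 15),
                                    m['kind'], int(m['type'])))
        elif m := PRIV_RE.match(line):
            cmd_levels[(m['mode'], m['cmd'])] = int(m['level'])
    return creds, cmd_levels


def commands_at_level(cmd_levels, level, mode='exec'):
    """Explicitly re-levelled commands a user at `level` may run. IOS lets a
    user run any command whose level is <= the user's current level; commands
    the config never mentions keep their IOS defaults and are not modelled."""
    return sorted(cmd for (m, cmd), lvl in cmd_levels.items()
                  if m == mode and lvl <= level)


def audit(creds):
    """Flag credentials a reviewer would want changed.
    Returns (owner, finding_code, message) tuples."""
    findings = []
    for c in creds:
        where = f"{c.owner} (level {c.level})"
        if c.type_code in REVERSIBLE_TYPES:
            findings.append((c.owner, 'reversible',
                             f"{where}: type {c.type_code} is recoverable from "
                             f"the config; use the secret keyword instead"))
        elif c.type_code in LEGACY_HASH_TYPES:
            findings.append((c.owner, 'legacy-md5',
                             f"{where}: type 5 MD5; rehash with algorithm-type "
                             f"scrypt (type 9) where the IOS release supports it"))
        if c.owner != 'enable' and c.level == 15:
            findings.append((c.owner, 'level15-user',
                             f"{where}: username logs straight into level 15, "
                             f"bypassing the enable secret"))
    return findings


if __name__ == '__main__':
    creds, cmd_levels = parse_config(SAMPLE_CONFIG)
    for lvl in (1, 10):
        print(f"level {lvl}: {commands_at_level(cmd_levels, lvl)}")
    for _, _, msg in audit(creds):
        print(msg)
```

Run against the sample, a level 1 user sees only show and show ip, a level 10 user additionally sees show ip route and show logging, and the audit flags slowell (type 7) and guest (type 0) as recoverable, jdoe and the level 10 enable secret as MD5, and jdoe for landing directly at level 15. Feed it the output of show running-config to check a real device.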
You can then use the command enable 10, which has its own password, to reach this new level:
Router1>enable 10
Password:
Router1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 172.22.1.3 to network 0.0.0.0

C    172.22.1.0 is directly connected, FastEthernet1/0
O*E1 0.0.0.0/0 [110/3] via 172.22.1.3, 1w2d, FastEthernet1/0
Router1#disable 1
Router1>show ip route
                ^
% Invalid input detected at '^' marker.
Router1>
To reach the new privilege level, the user issued the enable command with the optional privilege-level argument, 10, and the router prompted her for the level 10 password. At level 10 the show ip route command works. After she dropped back to the default user level (privilege level 1) with disable 1, the show ip route command no longer works.
See Also
Recipe 3.1; Recipe 3.5; Recipe 3.21; Recipe 3.23