
Cisco User Privileges and Views

November 26, 2011

Prerequisites: CCNA

Most organizations have multiple administrators who log in to a device for management, from a senior administrator who configures BGP to a front-line technical support person who pings from a router to verify connectivity. Giving the technical support person full access is a dangerous proposition. To limit that exposure, Cisco IOS provides privilege levels that can be assigned to users. For finer control, views let an organization specify exactly which commands each user is allowed to run.

Privilege Levels

Cisco IOS has 16 privilege levels, 0 through 15, with 15 the highest. Out of the box only three are in use: level 0 (just disable, enable, exit, help and logout), level 1 (User EXEC) and level 15 (Privileged EXEC); the other 13 are empty until commands are assigned to them. A user at a given level can run every command assigned to that level or any lower level, so level 0 commands are available to everyone. Typically User EXEC commands are level 1 and Privileged EXEC commands are level 15. In our example, an organization needs the following privileges for different employees:

  • Administrator – Full access
  • Intern – debug access
  • Technical Support – ping

The administrator would be level 15. Creating a username is as follows:

Router1(config)# username admin privilege 15 secret pass

Lets break this command down:

  • username admin – State the username should be admin
  • privilege 15 – User admin should be assigned a privilege level 15
  • secret pass – admin’s password will be pass; secret stores it as a one-way hash in the configuration file, unlike password, whose type 7 encoding is trivially reversible

Intern and technical support staff would have similar commands:

Router1(config)# username intern privilege 1 secret servant
Router1(config)# username techsupport privilege 0 secret tech

The administrator already has full access because it was created at level 15. The technical support user should never have abilities besides logging in, logging out, and pinging devices. ping is a level 1 command like many others. Logging in and out are level 0 functions since every user needs to be able to do them. In this scenario, it is easiest to move ping down to level 0. Keep in mind that a command moved to a lower level becomes available to every user at that level or above, not only to techsupport; here that is exactly what is wanted.

Router1(config)# privilege exec level 0 ping

The words after the level number are the command (or the leading keywords of a multi-word command) that will be set to the specified privilege level. The exec keyword names the parser mode the command lives in; ping is an EXEC command, while configuration commands would be releveled with modes such as configure or interface. If a command’s level needs to be reset to the factory default, reset takes the place of level and the level number:

Router1(config)# privilege exec reset ping

debug, on the other hand, is a Privileged EXEC command at level 15, so the intern created at level 1 cannot run it yet. The same privilege exec command moves it down, with debug at level 1 instead of ping at level 0: privilege exec level 1 debug. Note the side effect: every level 1 user, not just the intern, then gets debug. To confine it, assign debug to an otherwise unused level such as 5 and create the intern with privilege 5 instead of 1. After logging in, show privilege confirms which level a session landed at.

Views

Some organizations may not want the intern to have access to commands they don’t need. Views allow specific commands to be assigned to a user. AAA is required to use views, and enable view prompts for the enable secret, so one must be configured first. If you are not familiar with AAA, see my AAA Basics article. Enable AAA and enter root view.

Router1(config)# aaa new-model
Router1(config)# end
Router1# enable view

Root view, entered with enable view, exposes every command available at level 15 and is the only place from which views can be created. In Global Configuration mode, create the view for the intern and set the password for the view.

Router1# config t
Router1(config)# parser view INTERN
Router1(config-view)# secret intern

Give secret the plaintext and IOS hashes it itself; the form secret 5 expects an already-hashed type 5 value, so secret 5 intern would be rejected.

Add the debug command and all of its sub-commands to the allowed list.

Router1(config-view)# commands exec include all debug

The all keyword tells the device to include (or exclude, if exclude were used) not only the specified command but also every sub-command under debug. Verify the permissions are set by using:

Router1(config-view)# end
Router1# enable view INTERN
Password:
Router1# ?

Exec commands:
debug Debugging functions (see also 'undebug')
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information

The view must be assigned to a user. If RADIUS or TACACS+ isn’t used, it can be done locally; use the same view name that was given to parser view. Local login also needs EXEC authorization (aaa authorization exec default local) so that the view attribute is applied when the user logs in.

Router1(config)# username intern view INTERN secret intern

When the intern logs in to the router, they will only be able to use debug, enable, exit, and show. enable remains visible because it is how a user switches to another view; trying it prompts for that view’s secret (or the enable secret) and, without it, access is denied.
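To make both access models above concrete, the script below, written for this article (it is not Cisco code and never talks to a device), parses a constructed running-config excerpt that applies the fixes from the privilege-level section (debug moved to a dedicated level 5 rather than level 1, the corrected reset syntax) and the views section (the INTERN view bound to a local user), and answers whether a given user can run a given EXEC command. It also flags accounts still defined with password instead of secret. The default command-level table, the baseline commands a new view carries, the sample accounts and the placeholder hash strings are all assumptions made for the example.

```python
"""Offline model of IOS privilege levels and parser views.

Added example for this article, not Cisco code: it never touches a device.
It parses a constructed running-config excerpt and answers "can this user
run this EXEC command?" using the article's rules: a user at level N gets
every command at level N or lower; a user bound to a view gets only what
the view includes.
"""
import re

# Subset of IOS default EXEC command levels (assumption: the real table is
# far larger; these are the commands the article talks about).
DEFAULT_EXEC_LEVELS = {
    "disable": 0, "enable": 0, "exit": 0, "help": 0, "logout": 0,
    "ping": 1, "show": 1, "telnet": 1, "traceroute": 1,
    "configure": 15, "debug": 15, "undebug": 15, "reload": 15, "write": 15,
}
# Single-word commands every new view carries, matching the '?' output in
# the article (assumption for this model).
VIEW_BASELINE = {"enable", "exit", "show"}

# Constructed sample config: the article's scenario with its fixes applied.
# Hash strings are placeholders, not real digests.
SAMPLE_CONFIG = """\
aaa new-model
username admin privilege 15 secret 5 $1$salt$PLACEHOLDER
username intern privilege 5 secret 5 $1$salt$PLACEHOLDER
username techsupport privilege 0 secret 5 $1$salt$PLACEHOLDER
username legacy privilege 15 password 7 PLACEHOLDER
username intern2 view INTERN secret 5 $1$salt$PLACEHOLDER
privilege exec level 0 ping
privilege exec level 5 debug
parser view INTERN
 secret 5 $1$salt$PLACEHOLDER
 commands exec include all debug
 commands exec include show version
"""

USER_RE = re.compile(
    r"username (\S+)(?: privilege (\d+))?(?: view (\S+))? (secret|password) ")


def parse_config(text):
    """Return (users, overrides, views) from running-config text."""
    users, overrides, views, current = {}, {}, {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if current is not None and line.startswith(" "):
            # Inside a 'parser view' block: only the command rules matter.
            if parts[:2] == ["commands", "exec"] and len(parts) >= 4:
                recursive = parts[3] == "all"
                rule = tuple(parts[4:] if recursive else parts[3:])
                views[current].append((parts[2], recursive, rule))
            continue
        current = None
        if parts[:2] == ["parser", "view"]:
            current = parts[2]
            views[current] = []
        elif parts[0] == "username":
            m = USER_RE.match(line)
            if m:
                name, level, view, auth = m.groups()
                users[name] = {"level": int(level or 1), "view": view, "auth": auth}
        elif parts[:3] == ["privilege", "exec", "level"]:
            overrides[tuple(parts[4:])] = int(parts[3])  # 'privilege exec level N cmd...'
    return users, overrides, views


def command_level(command, overrides):
    """Effective level of an EXEC command: the most specific override wins,
    otherwise the default table; None when the command is unknown here."""
    words = tuple(command.split())
    for n in range(len(words), 0, -1):
        if words[:n] in overrides:
            return overrides[words[:n]]
    return DEFAULT_EXEC_LEVELS.get(words[0])


def view_allows(rules, command):
    """'include all X' covers X and everything under it; a plain include
    covers that exact command line.  The last matching rule wins."""
    words = tuple(command.split())
    allowed = len(words) == 1 and words[0] in VIEW_BASELINE
    for action, recursive, rule in rules:
        if (recursive and words[:len(rule)] == rule) or words == rule:
            allowed = action == "include"
    return allowed


def can_run(parsed, user, command):
    """True if the user may run the command, by view if bound to one, else by level."""
    users, overrides, views = parsed
    u = users[user]
    if u["view"]:
        return view_allows(views[u["view"]], command)
    level = command_level(command, overrides)
    return level is not None and level <= u["level"]


def weak_users(parsed):
    """Accounts defined with 'password' (type 7, reversible) instead of 'secret'."""
    return sorted(n for n, u in parsed[0].items() if u["auth"] == "password")


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for user in parsed[0]:
        for cmd in ("ping 10.0.0.1", "show version", "debug ip packet", "configure terminal"):
            print(f"{user:12} {cmd:20} {'allow' if can_run(parsed, user, cmd) else 'deny'}")
    print("reversible passwords:", weak_users(parsed))
```

Running it prints an allow/deny matrix: techsupport can ping but not show, intern gets debug without configure, and intern2 (the view user) gets debug and show version but nothing else beyond the view baseline. The same parser works on a real show running-config capture once the default-level table is filled out for the commands you care about.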
