Changing Privilege Level of IOS Commands

Problem

You want to change the privilege level of specific IOS commands.

Solution

To reduce the privilege level of an enable command from 15 to 1, use the following command:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#privilege exec level 1 show startup-config
Router1(config)#end
Router1#

You can also increase the privilege level of a level 1 command:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#privilege exec level 15 show ip route
Router1(config)#privilege exec level 1 show ip
Router1(config)#privilege exec level 1 show
Router1(config)#end
Router1#

Notice that raising the privilege level of the show ip route command also increased the level of the show ip set of commands and all of the other show commands in the process. In this example, we lowered the show ip and show commands back to privilege 1 to ensure that all of the other show commands operated normally.

Discussion

Cisco routers support sixteen privilege levels, ranging from zero to fifteen. By default, Cisco assigns commands to only three of these privilege levels: zero, user, and enable. There are five commands with privilege level zero: disable, enable, exit, help, and logout. The user level (privilege level 1) has a wide variety of commands available that cannot alter the router's configuration. Enable mode (privilege level 15), by contrast, allows complete access to all router commands.

In practical terms, only levels 1 and 15 are normally used. When you first access the router using your VTY password (or local authentication), the router assigns privilege level 1 to your session. In order to access privilege level 15, you must use the enable EXEC command:

Router1>show privilege
Current privilege level is 1
Router1>enable 15
Password:
Router1#show privilege
Current privilege level is 15
Router1#

You can specify any valid privilege level with the enable command, but the default is level 15. You can also reduce the privilege level of your current session with the disable command:

Router1#show privilege
Current privilege level is 15
Router1#disable 1
Router1>show privilege
Current privilege level is 1
Router1>

The disable command defaults to privilege level 1 if you don't specify a target privilege level.

By default, Cisco assigns a subset of commands to privilege 1 and the full set of commands to privilege 15. However, sometimes the default commands for each privilege level are not sufficient in your organization. Many organizations find it useful to modify the default command privileges.

The first example in this recipe shows how to change the privilege level of the show startup-config command from its default value of 15 to a new value of 1. This allows normal unprivileged users to see the router's startup configuration without having to give them full enable access in the process. Usually people use this feature to reduce the privilege of certain key commands. By allowing normal users to access the few commands that they need, this feature allows you to keep tighter restrictions on the commands that change the router's configuration.

Although you can change the privilege level of any router command, the show running-config command does not function correctly at levels below 15:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#privilege exec level 1 show running-config
Router1(config)#end
Router1#disable
Router1>show running-config
Building configuration...

Current configuration : 85 bytes
!
! Last configuration change at 22:02:36 EDT Sun Jul 7 2002 by ijbrown
!
!
!
!
end

Router1>

Although the router permits the command to execute, the output is unusable.

The second recipe example shows how to increase the privilege level of a command, show ip route, from 1 to 15. This will prevent user-level staff from viewing our routing table. The NSA guide to Cisco security recommends that administrators increase the privilege level of the following commands from 1 to 15: connect, rlogin, telnet, show ip access-lists, show access-lists, and show logging:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#privilege exec level 15 connect
Router1(config)#privilege exec level 15 rlogin
Router1(config)#privilege exec level 15 telnet
Router1(config)#privilege exec level 15 show ip access-lists
Router1(config)#privilege exec level 15 show access-lists
Router1(config)#privilege exec level 15 show logging
Router1(config)#privilege exec level 1 show
Router1(config)#privilege exec level 1 show ip
Router1(config)#end
Router1#

Note that changing the privilege level of the show ip route command from one to fifteen also increases the privilege level of all show ip and show commands to 15. So in this example, we have explicitly reduced the privilege of these commands back to level 1 so that we don't lose access to all of the other show commands.
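To make the cascade concrete, here is an added Python model (not from the book or from Cisco) that applies privilege statements in the order the recipe shows, checks which commands a level 1 session can still reach, and generates the parent resets that the recipe adds by hand. The helper names, and the rule that commands not mentioned in any statement default to level 1, are this example's own assumptions; the behaviour is modelled from the page's examples, not from IOS source.

```python
from typing import Dict, List

DEFAULT_LEVEL = 1  # unlisted commands are treated as user level (enable-only
                   # defaults such as show startup-config are not modelled)


def apply_privilege_statements(statements: List[str]) -> Dict[str, int]:
    """Apply 'privilege exec ...' config lines in order; return explicit levels."""
    levels: Dict[str, int] = {}
    for stmt in statements:
        words = stmt.split()
        if words[:2] == ["no", "privilege"] or words[:3] == ["privilege", "exec", "reset"]:
            # 'no privilege exec level N cmd' or 'privilege exec reset cmd'
            cmd = " ".join(words[5:] if words[0] == "no" else words[3:])
            levels.pop(cmd, None)
            continue
        if words[:3] != ["privilege", "exec", "level"]:
            raise ValueError(f"unsupported statement: {stmt}")
        level, cmd_words = int(words[3]), words[4:]
        # Side effect from the recipe: every parent keyword (show, show ip, ...)
        # is raised to at least the new level; the command itself is set exactly.
        for i in range(1, len(cmd_words)):
            parent = " ".join(cmd_words[:i])
            levels[parent] = max(levels.get(parent, DEFAULT_LEVEL), level)
        levels[" ".join(cmd_words)] = level
    return levels


def can_run(levels: Dict[str, int], session_level: int, command: str) -> bool:
    """A session may run a command only if it meets the level of every prefix."""
    words = command.split()
    return all(session_level >= levels.get(" ".join(words[:i]), DEFAULT_LEVEL)
               for i in range(1, len(words) + 1))


def restrict_commands(commands: List[str], level: int = 15) -> List[str]:
    """Emit statements that raise 'commands' and restore their parents to level 1."""
    restricted = set(commands)
    parents: List[str] = []
    for cmd in commands:
        words = cmd.split()
        for i in range(len(words) - 1, 0, -1):  # longest parent first
            parent = " ".join(words[:i])
            if parent not in restricted and parent not in parents:
                parents.append(parent)
    return ([f"privilege exec level {level} {c}" for c in commands]
            + [f"privilege exec level {DEFAULT_LEVEL} {p}" for p in parents])
```

Running restrict_commands over the NSA list above reproduces the raise statements plus the two level 1 resets for show ip and show; applying only the raise statements leaves every show command at level 15, which is the lock-out the recipe warns about.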

To reset the privilege level of a particular command back to its normal setting, you can use the no form of the privilege command or, starting in IOS Version 12.3(6)T, you can use the reset keyword:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#no privilege exec level 1 show startup-config
Router1(config)#privilege exec reset show startup-config
Router1(config)#end
Router1#

See Also