Defining Per User Privileges

Problem

You want to set different privilege levels to different users.

Solution

To assign a particular privilege level to a user, use the following set of commands:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#aaa authorization exec default local
Router1(config)#username slowell privilege 10 password maceng#1
Router1(config)#privilege exec level 10 show ip route
Router1(config)#privilege exec level 1 show ip
Router1(config)#privilege exec level 1 show
Router1(config)#end
Router1#

You can also create several global privilege levels, which any user can access with the appropriate password:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#enable secret level 10 lvl10passwd
Router1(config)#privilege exec level 10 show ip route
Router1(config)#privilege exec level 1 show ip
Router1(config)#privilege exec level 1 show
Router1(config)#end
Router1#

Discussion

Sometimes having two privilege level groups doesn't give fine enough granularity. For example, you might have three levels of administrators. The user-level staff members are not allowed to see the router's routing table. The mid-level staff can see the routing table, but they aren't allowed to make configuration changes. Only the highest-level engineers have access to everything.

You could accomplish this by using either of the two methods shown in the recipe example. For example, you could create user accounts for the staff members, assigning the appropriate privilege level to each user or group of users. Or you could create user accounts for all of the users, and then have a series of different global enable levels. Either approach would work.

Our first example uses the username command, discussed in Recipe 3.1, to assign a particular privilege level to a username. We have assigned user slowell privilege level 10 and raised the privilege level of the command show ip route to 10. The aaa authorization exec command is required here: without EXEC authorization, the router does not apply the privilege level configured on the username at login, and the user simply lands at the default level 1. Note also the two privilege exec level 1 lines. When you move a multiword command such as show ip route to level 10, IOS moves the prefix commands show and show ip to level 10 as well (they appear as separate privilege lines in the running configuration), which would lock level 1 users out of every show command. The two level 1 lines put those prefixes back at level 1 while leaving show ip route itself at level 10. Essentially, we have created a new privilege level, 10, and assigned it a single command. However, it also inherits all of the commands from the lower privilege levels:

Freebsd% telnet Router1
Trying 172.22.1.4...
Connected to Router1.
Escape character is '^]'.


User Access Verification

Username: slowell
Password:
Router1#show privilege
Current privilege level is 10
Router1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 172.22.1.3 to network 0.0.0.0

172.16.0.0/24 is subnetted, 1 subnets

C 172.22.1.0 is directly connected, FastEthernet1/0
O*E1 0.0.0.0/0 [110/3] via 172.22.1.3, 00:15:56, FastEthernet1/0
Router1#disable 1
Router1>show ip route
^
% Invalid input detected at '^' marker.

Notice that when this user logs in, he automatically gets the increased privilege level without having to issue an enable command. He then executes the show ip route command, which we have assigned to level 10, so it works normally. If he then reduces his level to 1 and tries the show ip route command again, it doesn't work.

You could assign a username to privilege level 15 (enable level), but we do not recommend doing this. The extra layer of password protection and the MD5 hash that the enable secret command uses outweigh the convenience of assigning a user privilege level 15. Note also that the password keyword on the username command stores the password in the reversible type 7 format; IOS releases that support the username ... secret form store an MD5 hash instead, which removes that particular weakness from the per-user approach.

The second example defines a new privilege level using the enable secret command. You can also use the enable password command to define per-level passwords, but the enable secret command stores a much stronger form of the password, as we showed in Recipe 3.5.

The second method has two distinct advantages over the first example. First, the enable secret command stores an MD5 hash of its passwords in the configuration rather than the reversible type 7 encoding used by enable password and by username ... password. Second, it makes the new privilege level available to any user who knows the level 10 password, not just the single username we assigned earlier. The flip side of that convenience is that a shared level password gives you no per-user accountability: every user who reaches level 10 looks the same in the router's logs.

You can then use the command enable 10, which has its own password, to reach this new level:

Router1>enable 10
Password:
Router1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 172.22.1.3 to network 0.0.0.0

C 172.22.1.0 is directly connected, FastEthernet1/0
O*E1 0.0.0.0/0 [110/3] via 172.22.1.3, 1w2d, FastEthernet1/0
Router1#disable 1
Router1>show ip route
^
% Invalid input detected at '^' marker.

Router1>

To access the new privilege level, the user used the enable command with the optional privilege-level argument, 10. The router prompted her for the level 10 password, after which she could use the show ip route command. She then reduced her privilege level back to the default user level (privilege level 1), where the show ip route command no longer works.
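Both methods in this recipe depend on the same two IOS rules: moving a multiword command to a higher level also moves each of its prefixes, and a user can run a command only if every word along its path is at or below the user's level (so level 10 inherits everything at level 1). The following Python model is an added example, not IOS code and not part of the original recipe; it implements those two rules, plays the recipe's privilege lines through them, and contrasts them with a configuration that forgets to reset show and show ip. The default-level table and the ordering of the rendered configuration lines are assumptions made for the example.

```python
"""Model of IOS privilege-level command authorization (added example, not IOS code).

Rule 1: 'privilege exec level N <multiword command>' also sets every prefix of
        that command to level N (IOS writes those extra lines into the running
        configuration itself).
Rule 2: a user may run a command only if every word along its path is at or
        below the user's level, so higher levels inherit lower ones.
"""
from typing import Dict, List, Tuple

Path = Tuple[str, ...]

# Assumed default levels for the first word of a command that no privilege
# line mentions: operator commands at level 1, everything else at level 15.
# This table is constructed for the example, not taken from IOS.
DEFAULT_LEVELS: Dict[str, int] = {
    "show": 1, "ping": 1, "enable": 1, "disable": 1, "exit": 1,
    "configure": 15, "reload": 15, "debug": 15,
}


class PrivilegeTable:
    """Tracks which EXEC command nodes sit at which privilege level."""

    def __init__(self) -> None:
        self.levels: Dict[Path, int] = {}

    def privilege_exec(self, level: int, command: str) -> None:
        """Equivalent of 'privilege exec level <level> <command>'."""
        words = tuple(command.split())
        # Rule 1: the command and each of its prefixes move to this level.
        for n in range(1, len(words) + 1):
            self.levels[words[:n]] = level

    def level_of(self, path: Path) -> int:
        """Level required for a single node in the command tree."""
        if path in self.levels:
            return self.levels[path]
        return DEFAULT_LEVELS.get(path[0], 15)  # unknown commands: deny by default

    def can_run(self, user_level: int, command: str) -> bool:
        """Rule 2: the user needs access to every word on the command's path."""
        words = tuple(command.split())
        return all(self.level_of(words[:n]) <= user_level
                   for n in range(1, len(words) + 1))

    def running_config(self) -> List[str]:
        """The privilege lines as 'show running-config' would reveal them
        (longest command first; the ordering is a convenience of this model)."""
        ordered = sorted(self.levels.items(), key=lambda kv: (-len(kv[0]), kv[0]))
        return [f"privilege exec level {lvl} {' '.join(path)}" for path, lvl in ordered]


def recipe_table() -> PrivilegeTable:
    """The privilege lines exactly as the recipe configures them."""
    t = PrivilegeTable()
    t.privilege_exec(10, "show ip route")
    t.privilege_exec(1, "show ip")   # put the prefixes back at level 1 ...
    t.privilege_exec(1, "show")      # ... or every 'show' would need level 10
    return t


def naive_table() -> PrivilegeTable:
    """Only the first line, without resetting the prefixes."""
    t = PrivilegeTable()
    t.privilege_exec(10, "show ip route")
    return t


if __name__ == "__main__":
    for name, table in (("recipe", recipe_table()), ("naive", naive_table())):
        print(f"--- {name} configuration ---")
        for line in table.running_config():
            print(line)
        for lvl in (1, 10, 15):
            for cmd in ("show version", "show ip route", "configure terminal"):
                verdict = "ok" if table.can_run(lvl, cmd) else "denied"
                print(f"level {lvl:2}: {cmd:20} {verdict}")
```

Running the script shows that the naive configuration silently produces three privilege lines, not one, and that a level 1 user can then no longer run even show version; with the recipe's two reset lines, level 1 keeps its show commands, only show ip route needs level 10, and level 10 still cannot enter configuration mode. The same table applies whether users reach level 10 through a username with privilege 10 or through enable 10 with an enable secret level 10 password; the two methods differ only in how the level is reached, not in what it can do.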

See Also