User-defined privilege levels are one of many new features in release 10.3 of the Cisco IOS. This article discusses what they are, and how to configure and use them.
What are user-defined privilege levels for? I'm glad you asked!
In previous IOS releases, access was pretty much all-or-nothing. Shops big enough for division of labor (net designers, NOC staff, etc.) had 3 access levels: no access, user access, or fully privileged access. This wasn't very flexible!
Privilege levels give us 16 levels of access. User EXEC is level 1, fully privileged is level 15, and level 0 might be a guest who is only allowed to connect or disconnect.
Privilege levels allow some middle ground between Joe User and Ms. Fully Privileged. We might let junior administrators, NOC staff, or knowledgeable users do more than the run-of-the-mill user, but not open up everything to them. We might selectively allow such mid-level users access to certain commands (where they can't do too much damage?)
The first step in using multiple privilege levels is to configure the passwords for the various privilege levels. Our example:
    enable password level 5 pass5
    enable password san-fran

The first line says we're going to have an intermediate level, level 5, with password pass5. The second line says the fully privileged password is san-fran. This is the same as if we had configured

    enable password level 15 san-fran

Let's see how you work with privilege levels. (You can try this at home if IOS 10.3 is handy.)
When we're done configuring as above, we return to EXEC mode. Typing "show privilege" shows our current privilege level, 15. We type "disable 5", lowering our level to level 5. Typing "show privilege" confirms this. After "disable", we try "enable 5". When asked for the password, we type "pass5" and become enabled at privilege level 5. This is how things might look for NOC or other staff using intermediate privilege levels.
Note that so far we have set up to allow use of intermediate privilege level, level 5, but there is nothing new these users can do above and beyond normal user EXEC mode. We'll soon change that. We alter the privilege level of a command by using the configuration command:
    privilege command_mode level level command

Here the possible command modes are:

    paris(config)#privilege ?
      configure       Global configuration mode
      exec            Exec mode
      interface       Interface configuration mode
      line            Line configuration mode
      map-class       Map class configuration mode
      map-list        Map list configuration mode
      null-interface  Null interface configuration mode
      route-map       Route map config mode
      router          Router configuration mode

In other words, we tell the router what mode the command fits into, the new privilege level, and then the command whose privilege level is being adjusted. Let's look at a concrete example.
Suppose our shop is doing a lot of Frame Relay. We'd like our technicians to be able to do some simple debugging. We enter configuration mode (at privilege level 15) and configure:
    privilege exec level 5 debug frame-relay autoinstall
    privilege exec level 5 debug frame-relay events
    privilege exec level 5 debug frame-relay lmi

Now those who know the level 5 password can use these debug commands! Here's what the help facility shows level 5 staff:

    paris#disa 5
    paris#debug ?
      frame-relay  Frame Relay
    paris#debug frame-relay ?
      autoinstall  Autoinstall over Frame Relay
      events       Important Frame Relay packet events
      lmi          LMI packet exchanges with service provider

So these folks can debug Frame Relay autoinstall, events, and lmi exchanges, but not packets, which might really adversely affect the router.
Let's try another example. We become privileged at level 15 and configure:
    privilege exec level 5 ping
    privilege exec level 5 trace
    privilege exec level 5 configure terminal
    privilege configure level 5 interface
    privilege interface level 5 ip address

The first two of these allow our level 5 users to use extended Ping and Trace. The third line allows level 5 use of configure terminal (and configure). We then allow use (within configure mode) of the interface command. And we allow the use of the ip address command, so that our technicians can set addresses on interfaces (maybe we're an Internet Service Provider, constantly bringing up new serial links?).
It's a good idea to sanity check all changes in privilege levels by using the help facility, to make sure you didn't open up more than was intended. Here's what we see after configuring the above lines:
    paris#disable 5
    paris#configure
    Configuring from terminal, memory, or network [terminal]?
    Enter configuration commands, one per line.  End with CNTL/Z.
    paris(config)#?
    Configure commands:
      end        Exit from configure mode
      exit       Exit from configure mode
      help       Description of the interactive help system
      interface  Select an interface to configure
      no         Negate a command or set its defaults
    paris(config)#int e 0
    paris(config-if)#?
    Interface configuration commands:
      exit  Exit from interface configuration mode
      help  Description of the interactive help system
      ip    Interface Internet Protocol config commands
      no    Negate a command or set its defaults
    paris(config-if)#

So the level 5 users can now configure ip addresses on interfaces, but nothing else.
If we become fully privileged (level 15) and try "write terminal", we see a few lines we might not have expected:
    privilege interface level 5 ip address
    privilege interface level 5 ip
    privilege exec level 5 debug
    privilege exec level 5 configure terminal
    privilege exec level 5 configure

The privilege level information is stored internally in the keyword nodes of a parse tree of all possible commands. To be able to parse "ip address" you have to be able to get past "ip", so putting level 5 privileges on the "address" keyword in "ip address" means that the "ip" had better also have level 5 access. Similarly, to be able to get past "debug" to "debug frame-relay autoinstall", the keyword "debug" has to be at level 5.
In general, suppose the command "aaa bbb ccc" is set to privilege level X. Then the commands "aaa" and "aaa bbb" must also be at privilege level X, or the parser can't GET to "aaa bbb ccc" at level X.
Usually this works pretty much as you'd expect, but you do have to be mildly on guard against opening up more than you intend by allowing initial substrings (leading keywords) of some command. Checking "write terminal" after each change, as above, shows exactly which keywords were lowered.
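The following is an added example, not part of the article or of IOS: a small Python model of the prefix rule just stated. Given the privilege lines an administrator intends to type, it computes every leading keyword the parser would also have to lower, and reports the ones nobody named explicitly, so they can be reviewed before the configuration reaches a router. The sample input is the article's second example; the default level 15 for untouched keywords and the exact output format are assumptions.

```python
import re

# Matches the configuration lines discussed above,
# e.g. "privilege interface level 5 ip address".
PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+?)\s*$")

# Constructed input: the five lines configured in the article's second example.
SAMPLE_CONFIG = [
    "privilege exec level 5 ping",
    "privilege exec level 5 trace",
    "privilege exec level 5 configure terminal",
    "privilege configure level 5 interface",
    "privilege interface level 5 ip address",
]


def parse_privilege_lines(config_lines):
    """Yield (mode, level, [keyword, ...]) for each privilege line."""
    for line in config_lines:
        m = PRIV_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3).split()


def expand_privilege_lines(config_lines):
    """Return {(mode, keyword prefix): level} as the parse tree stores it.

    Setting "aaa bbb ccc" to level X also forces "aaa" and "aaa bbb" to
    level X, because the parser must get past them to reach the command.
    A prefix already open at a lower level stays at that lower level.
    """
    levels = {}
    for mode, level, words in parse_privilege_lines(config_lines):
        for n in range(1, len(words) + 1):
            key = (mode, " ".join(words[:n]))
            levels[key] = min(levels.get(key, 15), level)  # 15 = untouched
    return levels


def implicit_openings(config_lines):
    """Prefixes lowered without being named in the config: the extra lines
    'write terminal' shows, which should be reviewed for unintended access."""
    explicit = {(mode, " ".join(words))
                for mode, _, words in parse_privilege_lines(config_lines)}
    expanded = expand_privilege_lines(config_lines)
    return {key: lvl for key, lvl in expanded.items() if key not in explicit}


def render(levels):
    """Format the table the way the router's configuration prints it."""
    return [f"privilege {mode} level {lvl} {cmd}"
            for (mode, cmd), lvl in sorted(levels.items())]
```

For the sample input, `render(implicit_openings(SAMPLE_CONFIG))` yields the two "unexpected" lines the article's write terminal output shows, `privilege exec level 5 configure` and `privilege interface level 5 ip`.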
Dr. Peter J. Welcher (CCIE #1773, CCSI #94014) is a Senior Consultant with Chesapeake NetCraftsmen. NetCraftsmen is a high-end consulting firm and Cisco Premier Partner dedicated to quality consulting and knowledge transfer. NetCraftsmen has nine CCIEs, with expertise including large network high-availability routing/switching and design, VoIP, QoS, MPLS, network management, security, IP multicast, and other areas. See http://www.netcraftsmen.net for more information about NetCraftsmen. Pete's links start at http://www.netcraftsmen.net/welcher. New articles will be posted under the Articles link. Questions, suggestions for articles, etc. can be sent to pjw@netcraftsmen.net.