How to configure multiple Privilege Levels in Cisco IOS CLI Shell
As we discussed in the previous lesson (Cisco IOS CLI Shell Privilege levels, user EXEC mode and privilege EXEC modes), Cisco IOS supports privilege levels from 0 to 15, but the privilege levels which are used by default are privilege level 1 (user EXEC) and privilege level 15 (privilege EXEC).
Additional Privilege Levels (2-14) can be configured to protect network devices from unauthorized access. Privilege levels ranging from 2 to 14 can be customized and allocated to different users. Customized Privilege levels are useful for companies that cannot invest in AAA servers like Cisco Secure ACS.
The Cisco IOS configuration examples below show how to create a customized Privilege Level 9, which should include privileges to configure terminal, configure interfaces with IP addresses and shutdown any interface.
By default, privilege level 9 does not include the privileges to perform the tasks discussed above. You can verify this by logging in to privilege level 9, and then trying to move to the Global Configuration mode as shown below.
OmniSecuR1>enable 9
Password:
OmniSecuR1#configure terminal
           ^
% Invalid input detected at '^' marker.
OmniSecuR1#
You can see that the Cisco IOS Shell does not recognize the command "configure terminal". Privilege level 9 has no privilege to move to Global Configuration mode.
Step 01 - Configure "enable secret" password for Privilege Level 9.
OmniSecuR1#configure terminal
OmniSecuR1(config)#enable secret level 9 OmniSecu123
OmniSecuR1(config)#exit
OmniSecuR1#
Step 02 - Configure Privilege Level 9 to include commands to move to Global Configuration mode, configure interfaces with IP addresses and shutdown any interface. To configure a Privilege Level with additional Cisco IOS CLI commands, use the "privilege" command from Global Configuration mode.
You must perform these configuration steps while logged in at Privilege Level 15.
The general syntax of the "privilege" command is:
OmniSecuR1(config)# privilege <mode> level <level> <command-string>
OmniSecuR1#configure terminal
OmniSecuR1(config)#privilege exec level 9 configure terminal
OmniSecuR1(config)#privilege configure level 9 interface
OmniSecuR1(config)#privilege interface level 9 ip address
OmniSecuR1(config)#privilege interface level 9 ipv6 address
OmniSecuR1(config)#privilege interface level 9 shutdown
OmniSecuR1(config)#privilege interface level 9 no shutdown
OmniSecuR1(config)#privilege interface level 9 no ip address
OmniSecuR1(config)#privilege interface level 9 no ipv6 address
OmniSecuR1(config)#exit
OmniSecuR1#
Step 03 - After performing the above IOS configuration steps, verify again whether you can perform the required tasks at Privilege Level 9.
OmniSecuR1>enable 9
Password:
OmniSecuR1#enable
OmniSecuR1#configure terminal
OmniSecuR1(config)#interface fastEthernet 0/0
OmniSecuR1(config-if)#ip address 172.16.77.123 255.255.255.0
OmniSecuR1(config-if)#ipv6 address 2001:db8:aaaa:1::cd81/64
OmniSecuR1(config-if)#no shutdown
OmniSecuR1(config-if)#exit
OmniSecuR1(config)#exit
OmniSecuR1#
Now, Privilege Level 9 is configured with the necessary permissions to perform the required tasks.
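Once several "privilege" lines have accumulated on a device, it helps to review exactly which commands each customized level has been given. The following is an added example, not part of the original lesson: it parses the privilege <mode> level <level> <command-string> syntax and the "enable secret level" lines, then lists each level's commands by mode. The sample input is constructed from the commands in Step 01 and Step 02; the level 12 line and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed input: the commands typed in Step 01 and Step 02 above, plus one
# hypothetical level-12 line that has no matching "enable secret level 12".
SAMPLE_CONFIG = """\
enable secret level 9 OmniSecu123
privilege exec level 9 configure terminal
privilege configure level 9 interface
privilege interface level 9 ip address
privilege interface level 9 ipv6 address
privilege interface level 9 shutdown
privilege interface level 9 no shutdown
privilege interface level 9 no ip address
privilege interface level 9 no ipv6 address
privilege exec level 12 show running-config
"""

# privilege <mode> level <level> <command-string>
PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+)$")
SECRET_RE = re.compile(r"^enable\s+secret\s+level\s+(\d+)\s+\S")

def inventory(config_text):
    """Return {level: {"has_secret": bool, "commands": {mode: [command, ...]}}}."""
    levels = defaultdict(lambda: {"has_secret": False, "commands": defaultdict(list)})
    for raw in config_text.splitlines():
        line = raw.strip()
        priv = PRIV_RE.match(line)
        if priv:
            mode, level, command = priv.group(1), int(priv.group(2)), priv.group(3)
            if not 0 <= level <= 15:  # IOS privilege levels run from 0 to 15
                raise ValueError(f"privilege level out of range: {line!r}")
            levels[level]["commands"][mode].append(" ".join(command.split()))
        elif (secret := SECRET_RE.match(line)):
            levels[int(secret.group(1))]["has_secret"] = True
    return {lvl: {"has_secret": d["has_secret"], "commands": dict(d["commands"])}
            for lvl, d in sorted(levels.items())}

def levels_without_secret(config_text):
    """Levels that were given commands but have no 'enable secret level N' line."""
    return [lvl for lvl, d in inventory(config_text).items()
            if d["commands"] and not d["has_secret"]]

if __name__ == "__main__":
    for lvl, d in inventory(SAMPLE_CONFIG).items():
        print(f"level {lvl} (enable secret set: {d['has_secret']})")
        for mode, commands in d["commands"].items():
            print(f"  {mode}: {', '.join(commands)}")
```

Only lines in the form used on this page are recognized; any other configuration line is ignored.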