Privilege level - tuning the commands

This example allows users with level 10 privileges to configure an interface ip address...
privilege exec level 10 configure terminal
privilege configure level 10 interface
privilege interface level 10 ip address
My question is how to configure users at level 10 to ping ONLY ONE IP address.
eg
privilege exec level 10 ping 192.168.11.10
But it seems that I can ping anyway?
Router2#sh run | be privilege
privilege interface level 10 ip address
privilege interface level 10 ip
privilege configure level 10 interface
privilege configure level 10 hostname
privilege exec level 10 ping !!!!!!!!!!!!!!!!
privilege exec level 10 configure terminal
privilege exec level 10 configure
privilege exec level 10 no
When I telnet into Router2 with the level 10 password I automatically get to privileged mode, and I have the following exec commands...
Router2>en 10
Password:
Router2#?
Exec commands:
<1-99> Session number to resume
access-enable Create a temporary Access-List entry
access-profile Apply user-profile to interface
clear Reset functions
configure Enter configuration mode
connect Open a terminal connection
disable Turn off privileged commands
disconnect Disconnect an existing network connection
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
lock Lock the terminal
login Log in as a particular user
logout Exit from the EXEC
modemui Start a modem-like user interface
mrinfo Request neighbor and version information from a multicast router
mstat Show statistics after multiple multicast traceroutes
mtrace Trace reverse multicast path from destination to source
name-connection Name an existing network connection
no Disable debugging functions
pad Open a X.29 PAD connection
ping Send echo messages
ppp Start IETF Point-to-Point Protocol (PPP)
resume Resume an active network connection
rlogin Open an rlogin connection
show Show running system information
slip Start Serial-line IP (SLIP)
systat Display information about terminal lines
tclquit Quit Tool Command Language shell
telnet Open a telnet connection
terminal Set terminal line parameters
tn3270 Open a tn3270 connection
traceroute Trace route to destination
tunnel Open a tunnel connection
udptn Open an udptn connection
where List active connections
x28 Become an X.28 PAD
x3 Set X.3 parameters on PAD
How can I select only the commands I really want from this list?
i.e. how can I allow only one specific ping command?
Thanks !

Privilege levels are configured on the basis of which commands are allowed to be executed at that privilege level. It is not possible to restrict the execution of an allowed command based on its parameters. So you cannot make it allow a ping to only one specific IP address and block pings to others. You can use an access list to block pings to other IP addresses; however, the access list will apply to all users at any privilege level.
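As an added illustration (not part of the question or the reply above), the Python model below reproduces the two behaviours visible in Router2's output: the privilege table is keyed on command keywords, so the 192.168.11.10 argument is dropped when the line is stored and only "privilege exec level 10 ping" survives, and every keyword prefix of a command is set to the same level, which is why "privilege exec level 10 configure" appeared next to "configure terminal" (the same prefix rule is quoted from the 3750 guide further down this page). The command defaults, the keyword-versus-argument heuristic and the rendering order are simplifications assumed for the example, not the IOS parser. It also surfaces a side effect worth checking: raising ping to level 10 removes it from level 1, where a stock IOS box allows basic ping. A decision on the argument itself needs an external server; TACACS+ command authorization, as configured in Jatin's reply near the end of this page, sends the full command line including arguments to the server.

```python
"""Toy model of the IOS 'privilege' table (constructed illustration, not
the IOS parser). It shows two behaviours visible in the post above:
  * the table is keyed on command KEYWORDS, so an argument such as
    192.168.11.10 is discarded when the line is stored;
  * every keyword prefix of the command gets the same level, which is why
    'privilege exec level 10 configure' appears next to 'configure terminal'.
"""
import re

# Assumed default levels for the EXEC commands used here (1 = user EXEC,
# 15 = privileged EXEC). Anything not listed is treated as level 1.
DEFAULT_EXEC_LEVELS = {
    ("configure",): 15,
    ("show", "running-config"): 15,
    ("ping",): 1,          # basic ping works from user EXEC on a stock box
}

# Heuristic used by this model: keywords are lowercase words (digits and
# hyphens allowed); anything else, e.g. an IP address, is an argument.
KEYWORD = re.compile(r"^[a-z][a-z0-9-]*$")
PRIV_LINE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+)$")


def keyword_path(words):
    """Keyword prefix of a command; stops at the first argument."""
    path = []
    for word in words:
        if not KEYWORD.match(word):
            break
        path.append(word)
    return tuple(path)


class PrivilegeTable:
    def __init__(self):
        self.levels = {}                  # (mode, keyword path) -> level

    def apply(self, line):
        """Apply one 'privilege <mode> level <n> <command ...>' line and
        return the keyword path that was actually stored."""
        m = PRIV_LINE.match(line.strip())
        if not m:
            raise ValueError("not a privilege line: %r" % line)
        mode, level = m.group(1), int(m.group(2))
        path = keyword_path(m.group(3).split())
        if not path:
            raise ValueError("no command keyword in %r" % line)
        # Prefix rule: 'configure terminal' at 10 also puts 'configure' at 10.
        for i in range(1, len(path) + 1):
            self.levels[(mode, path[:i])] = level
        return path

    def level_of(self, mode, command):
        """Level needed to run the command string 'command' in 'mode'."""
        path = keyword_path(command.split())
        for i in range(len(path), 0, -1):   # longest explicit match wins
            if (mode, path[:i]) in self.levels:
                return self.levels[(mode, path[:i])]
        if mode != "exec":
            return 15                        # config-mode commands need enable
        for i in range(len(path), 0, -1):
            if path[:i] in DEFAULT_EXEC_LEVELS:
                return DEFAULT_EXEC_LEVELS[path[:i]]
        return 1

    def allowed(self, mode, user_level, command):
        return user_level >= self.level_of(mode, command)

    def running_config(self):
        """Render the table roughly as 'show run | begin privilege' does:
        one line per stored keyword path, prefixes included."""
        entries = sorted(self.levels.items(), key=lambda kv: kv[0], reverse=True)
        return "\n".join("privilege %s level %d %s" % (mode, level, " ".join(path))
                         for (mode, path), level in entries)


if __name__ == "__main__":
    table = PrivilegeTable()
    for line in ("privilege exec level 10 configure terminal",
                 "privilege configure level 10 interface",
                 "privilege interface level 10 ip address",
                 "privilege exec level 10 ping 192.168.11.10"):
        print("%-45s stored as %r" % (line, table.apply(line)))
    print(table.running_config())
    for level in (1, 10):
        for cmd in ("ping 192.168.11.10", "ping 10.99.0.1", "show running-config"):
            print("level %2d  %-20s allowed=%s" % (level, cmd, table.allowed("exec", level, cmd)))
```

Run it and compare the rendered table with the "sh run | be privilege" output in the question: both IP addresses are allowed at level 10 because the lookup never sees them, and level 1 no longer pings at all.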

Similar Messages

  • Privilege level for the commands

    Hi All,
    I am trying to modify the privilege level of the commands in my router.
    I need to understand what is the privilege level for the commands.
    Is there a command in the IOS or a link to a document on the CCO with the criteria, or a list of the commands and their corresponding privilege level?
    Thanks
    Matteo

    Matteo
    I am not clear what it is that you are trying to do. But let me make a suggestion. While there are 16 privilege levels (0 through 15) there are two levels that are commonly used 1 and 15. 1 is what is usually called user mode and is the default level when someone first logs into the router. My suggestion is to identify what group of commands you do not want to be available in user mode, decide if they should be available in something less than 15, pick a level, and assign the commands to that level.
    If you really do want to start from a list of commands and their privilege level, I do not think that you will find any single source which will accurately give you the privilege level for all commands. The closest you will find is to look in the command reference and find the command. The command reference will usually describe the privilege level. Unfortunately I have found a few situations where the description of privilege level was not correct.
    My advice is that if you want to find the privilege level for some commands that you want to manipulate, that you get a router and try the command and determine what its privilege level is.
    HTH
    Rick

  • Change in privilege level for the command show logging

    I have recently discovered a change in behavior in IOS. The command show logging has traditionally been available at user level. Now it has become a privilege level 15 command.
    I thought that this was strange and opened a case with Cisco TAC about it. I was told that this is a new "feature" that was implemented for bugid CSCsl61281. Unfortunately this bugid is viewable by Cisco internally but not viewable by the public.
    The TAC engineer tells me that this change is integrated into these releases:
    This was integrated into the following releases:
    12.4(24.05.01)PIX11
    12.4(21.14.09)PIC01
    12.4(19.03)T
    12.2(52.23)SIN
    12.2(33)SXI01
    12.2(32.08.11)SX229
    12.2(32.08.11)SR174
    I do not think that this is a good change. If you do not think that this is a good change I suggest that you contact your Cisco support team and express your opinion about this change.
    Otherwise as you go to new versions of IOS be aware of the potential impact on your network monitoring processes and procedures that show logging will require level 15 privilege access.
    HTH
    Rick

    Hi Rick,
    Can you suggest me references to know more about privilege level commands?
    How to enable different commands for different levels of privileges?
    Thanks.
    -Sudhish

  • Custom privilege level for CSM commands

    Is there a way to create a custom privilege level to allow a user access to only CSM config commands while in config mode? I'm trying to allow members of our server/web team to check on the status of the web servers and to take them out of service for maintenance, and not allow them access to change any other configs on the switch.
    Thanks...Jeff

    Here is an example for enable 5
    enable secret level 5
    privilege slb-lam-mode-real level 5 no inservice
    privilege slb-lam-mode-real level 5 inservice
    privilege slb-lam-mode-real level 5 inservice standby
    privilege slb-lam-mode-csm-sfarm level 5 real
    privilege slb-lam-mode-csm-sfarm level 5 real name
    privilege slb-lam-mode-csm level 5 server
    privilege configure level 5 module csm
    privilege exec level 5 conf t
    privilege exec level 5 exit

  • Enable aaa accounting commands for all privilege levels?

    Here is the command's syntax:
    aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group groupname
    The "command" accounting type must include the privilege level of the commands you are logging. How do I log ALL commands?
    Take the following example:
    aaa accounting commands 15 default start-stop group mygroup
    If I issue this command will that mean commands the user executes that have a privilege level lower than 15 will not be logged? Or only commands that require exactly privilege level 15 will be logged?
    How can I log all commands regardless of privilege level?

    Hi Red,
    If you customize the command privilege level using the privilege command, you can limit which commands the appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
    The default privilege level is 0. So if you don't specify any privilege level then all should be accounted for.
    You can find the command details at the link below. This is for ASA though.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/a1.html#wp1535253
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • Default Privilege Level for ASA users authenticated by Radius or TACACS when using ASDM

    Hello,
    I'm trying to figure out what the default privilege level is for users that are authenticated to the ASA via a remote authentication server when using the ASDM.
    the command "aaa authentication http console TACACS+ LOCAL" is used in the ASA config.
    The remote server is NOT setting any privilege levels for users.  There are also no aaa authorization commands present in the config.
    So what privilege level do the users receive when they login with the ASDM?  I'm being told that the users receive admin access which includes config write, reboot, and debug.  But I cannot find any documentation stating hte default level.
    Please advise.  And providing links to cisco documentation would be great too.
    Thanks,
    Brendan

    Hi Brendan,
    Hope the excerpt below from the document clarifies your query. I have also provided the link for reference.
    About Authorization
    Authorization controls access per user after users authenticate. You can configure the security appliance to authorize the following items:
    •Management commands
    •Network access
    •VPN access
    Authorization controls the services and commands available to each authenticated user. Were you not to enable authorization, authentication alone would provide the same access to services for all authenticated users.
    If you need the control that authorization provides, you can configure a broad authentication rule, and then have a detailed authorization configuration. For example, you authenticate inside users who attempt to access any server on the outside network and then limit the outside servers that a particular user can access using authorization.
    The security appliance caches the first 16 authorization requests per user, so if the user accesses the same services during the current authentication session, the security appliance does not resend the request to the authorization server.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/aaasetup.html
    Regards
    Karthik

  • Username with privilege level 15 bypass enable

    Hi experts,
    I guess I never really understand the authentication process on Cisco routers and devices lol. Anyway I want users with privilege level 15 to be put in the enable mode right away after login without having to type in "enable" command and enable password. Users with other privilege levels will still be put in the EXEC mode.
    AAA has to be enabled because I'm using it for 802.1x as well.
    The privilege level eventually will be assigned by Radius server but right now the user is created locally on the switch. Right now I have:
    aaa new-model
    username admin privilege 15 secret 5 $1$2bdl$VIp53G4/zpo4f9aHh.t5v0
    username cisco secret 5 $1$NGdD$ehTUzwappJFMxgA7tM/YW.
    line vty 0 5
    access-class 100 in
    exec-timeout 30 0
    logging synchronous
    transport input ssh
    And it's not working lol. No matter whether I log in as "admin" or "cisco" I'm put in EXEC mode... What do I have to do to achieve this?
    Thanks!

    Hi,
    With the default keyword, authorization will get applied on all the lines, i.e. CONSOLE, VTY, AUX.
    In case you want it for users who are logging in via SSH or telnet, use the following:
    EXEC AUTHORIZATION
    Router
    router(config)#aaa authorization exec TEL group radius local
    router(config)#line vty 0 15
    router(config-line)#authorization exec TEL
    ACS
    Interface configuration
    Check user & group for cisco av-pair.
    User setup -> Cisco IOS/PIX 6.x RADIUS attributes -> cisco av-pair [shell:priv-lvl=15]
    OR
    Group setup -> IOS/PIX 6.x RADIUS attributes -> shell:priv-lvl=15
    In the case of RADIUS, if exec authorization is enabled and you have not specified any privilege level in the ACS server, then the user will fall under privilege level 1, and if enable authentication is enabled or an enable password is defined on the router then we can go to enable mode by typing en or en
    Regards,
    Anisha
    P.S.: please mark this thread as resolved if you think your query is answered.

  • Authorization problem - Privilege level

    Hi,
    Again I'm having some problems with AAA authorization to assign the correct privilege level to the users on my RADIUS server (FreeRadius).
    I am currently updating all routers to do this authorization and I'm having problems because one of them has version 12.0(30)S2, which does not use the same commands.
    This is the AAA configuration that I have working on the other routers:
    aaa new-model
    aaa group server radius RADIUSSERVERS
    aaa authentication login AAA group RADIUSSERVERS local enable none
    aaa authentication login CONSOLE local
    aaa authentication ppp default group radius local
    aaa authorization exec AAA group RADIUSSERVERS local none
    aaa authorization network default group radius local
    aaa authorization network AAA group RADIUSSERVERS local none
    aaa accounting exec AAA start-stop group RADIUSSERVERS
    aaa accounting network default start-stop group radius
    aaa accounting network AAA start-stop group RADIUSSERVERS
    aaa session-id common
    line vty 0 4
    session-timeout 5000
    access-class 99 in
    exec-timeout 5000 0
    password 7 x
    authorization exec AAA
    login authentication AAA
    transport input telnet
    line vty 5 15
    session-timeout 5000
    access-class 99 in
    exec-timeout 5000 0
    password 7 x
    authorization exec AAA
    login authentication AAA
    transport input telnet
    This is the one that does not work (version IOS 12.0(30)S2):
    aaa new-model
    aaa authentication fail-message ^C
    aaa authentication password-prompt Passcode:
    aaa authentication username-prompt UserID:
    aaa authentication login AAA radius local enable none
    aaa authentication login CONSOLE local
    aaa authorization exec AAA radius local none
    aaa authorization network default radius local
    aaa authorization network AAA radius local none
    radius-server host x.x.x.x auth-port 8812 acct-port 8813
    radius-server retransmit 2
    radius-server key 7 X
    line vty 0 4
    session-timeout 5
    access-class 99 in
    exec-timeout 5 0
    password 7 x
    authorization exec AAA
    login authentication AAA
    line vty 5 15
    session-timeout 5
    access-class 99 in
    exec-timeout 5 0
    password 7 x
    authorization exec AAA
    login authentication AAA
    The radius server is configured to be the same, although I use the group command with the new version and "radius-server" with the older version.
    Can anyone tell me what I'm doing wrong?
    Thank you,
    Paulo

    Thanks. Looking at the debugs solved the problem.
    I was so convinced that I had set the right privilege level on the server that I didn't even check it. It worked on the other routers because their commands were set to lower privilege levels.
    That was the problem.
    Thanks for everything and sorry for bugging you with such a simple problem.

  • ASDM Privilege Level default 15 for Radius users

    So this may be a bit of a dumb question...
    I stumbled upon an ASA today that is configured to authenticate against a Radius server for SSH and HTTPS connections. If I log in via SSH, I can't gain a privilege level of more than 1 (tried login command, etc).
    However, if I log in with ASDM, I always have privilege level 15.
    Command authorization is not enabled.
    Is this default behavior. If so, why? Do I need to enable command authorization to override this behavior?
    FYI, the system in question is running ASA 8.3(1)
    Thanks much

    aaa-server RADGR protocol radius
    aaa-server RADGR host 10.2.2.2
    timeout 4
    key cisco123
    aaa authentication enable console RADGR LOCAL
    After logging in, use the enable command with your user password.
    http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/access_management.html#wp1145571

  • Configure Read-Acces via user-defined privilege level

    Hello everybody,
    I'm looking for the best configuration to restrict a user to read-only. The restriction should be configured via CLI, not TACACS+.
    Hardware: 3750 (probably not interesting for this question)
    Oldest IOS: 12.2(53)SE1
    The user should be allowed to:
    see the running-configuration
    trigger all kinds of show-commands
    ping and traceroute from the device
    The user should not be allowed to:
    upload/delete/rename files on the flash-memory
    get into level 15 (not sure if I can avoid this)
    all other commands despite those from level 1 and those specified above
    Can someone help me with this?
    Thanks in advance!
    I won't forget to rate helpful posts

    Hi Tobias,
    You can
    configure  Multiple Privilege Levels  on a switch as explained below.
    By default, the Cisco IOS software has two modes of password security: user EXEC and
    privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode.
    By configuring multiple passwords, you can allow different sets of users to have access to
    specified commands.
    For example, if you want many users to have access to the clear line command, you can
    assign it level 2 security and distribute the level 2 password fairly widely. But if you
    want more restricted access to the configure command, you can assign it level 3 security
    and distribute that password to a more restricted group of users.
    Setting the Privilege Level for a Command
    Beginning in privileged EXEC mode, follow these steps to set the privilege level for a
    command mode:
    Step 1: configure terminal
        Enter global configuration mode.
    Step 2: privilege mode level level command
        Set the privilege level for a command.
        For mode, enter configure for global configuration mode, exec for EXEC mode, interface
        for interface configuration mode, or line for line configuration mode.
        For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
        Level 15 is the level of access permitted by the enable password.
        For command, specify the command to which you want to restrict access.
    Step 3: enable password level level password
        Specify the enable password for the privilege level.
        For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
        For password, specify a string from 1 to 25 alphanumeric characters. The string cannot
        start with a number, is case sensitive, and allows spaces but ignores leading spaces. By
        default, no password is defined.
    Step 4: end
        Return to privileged EXEC mode.
    Step 5: show running-config or show privilege
        Verify your entries. The first command shows the password and access level configuration.
        The second command shows the privilege level configuration.
    Step 6: copy running-config startup-config
        (Optional) Save your entries in the configuration file.
    When you set a command to a privilege level, all commands whose syntax is a subset of that
    command are also set to that level. For example, if you set the show ip traffic command to
    level 15, the show commands and show ip commands are automatically set to privilege level
    15 unless you set them individually to different levels.
    To return to the default privilege for a given command, use the no privilege mode level
    level command global configuration command.
    This example shows how to set the configure command to privilege level 14 and define
    SecretPswd14 as the password users must enter to use level 14 commands:
    Switch(config)# privilege exec level 14 configure
    Switch(config)# enable password level 14 SecretPswd14
    Also you can change the default privilege level for all the users .
    Changing the Default Privilege Level for Lines
    Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line:
    Step 1: configure terminal
        Enter global configuration mode.
    Step 2: line vty line
        Select the virtual terminal line on which to restrict access.
    Step 3: privilege level level
        Change the default privilege level for the line.
        For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode
        privileges. Level 15 is the level of access permitted by the enable password.
    Step 4: end
        Return to privileged EXEC mode.
    Step 5: show running-config or show privilege
        Verify your entries. The first command shows the password and access level configuration.
        The second command shows the privilege level configuration.
    Step 6: copy running-config startup-config
        (Optional) Save your entries in the configuration file.
    Users can override the privilege level you set using the privilege level line configuration command
    by logging in to the line and enabling a different privilege level.
    They can lower the privilege level by using the disable command.
    If users know the password to a higher privilege level, they can use that password to enable the higher privilege level. You might specify a high level or privilege level for your console line to restrict line usage. 
    To return to the default line privilege level, use the no privilege level line configuration command. Also i am sending a document for your reference.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225see/scg/swauthen.htm#wp1154063
    HTH
    Regards
    Inayath

  • AAA Local with Privilege Levels

    The goal....
    1. local usernames on a router to control access
    2. Use privilege levels in the username command to reflect what a user is allowed to do
    3. Define a set of commands available to users with privilege level 1
    My trouble here is that I cannot seem to find this exact combination of commands for what I want to do on CCO or Google. I have tried several combinations and here is what I have so far, but its not working.
    aaa new-model
    aaa authentication login default local
    aaa authorization commands 1 default local
    username engineer priv 15 pass XXXX
    username tech priv 1 pass XXXX
    privilege exec level 1 traceroute
    privilege exec level 1 ping

    Hi,
    This link answers your question.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
    The aaa authorization command is not required.
    Regards,
    ~JG
    Do rate helpful posts

  • Ise and switch authentication and privilege level

    Hi Guys,
    I'm working on an eval on vmware. I have got everything working for wlan authentication and I’m working on shell authentication for switches. On the ACS you have the possibility to give the user privilege level on the switch. You can do this with shell profiles in ACS.
    Is there a way to get this done in ISE? I was thinking to make a result policy elements but I can't find a shell profile or privilege attributes like in ACS.
    For the record, switch authentication is working with Active Directory. I only need to know how to give the right return attribute.
    I appreciate any help!
    Sander

    @Sander,
    You were in the right area. 
    Policy->Results->Authorization->Authorization Profiles.
    Create AuthZ profile for Access-Accept and Under the Advanced Attributes Settings you can use:
    Cisco:cisco-av-pair = shell:priv-lvl=15
    or whatever privilege level you want to assign.
    On your AuthZ rule, match the conditions and apply the created profile.

  • Assigning Privilege Level Thru RADIUS

    I'm using Microsoft IAS as my RADIUS server. We have a number of Cisco 2800 routers running the latest IOS which are also acting as VPN servers for our remote user connecting using their laptops via IPSec and Cisco VPN Client. How can I set the privilege level for the authenticated users so that the remote VPN users are given privilege level 0 and the Administrators are given privilege level 15, so they can login to routers and manage them.

    Prem
    Thanks for attaching a very interesting document. Worth the 5 rating.
    HTH
    Rick

  • Create a privilege level that only allows access to show commands

    Hi,
    I would like to create a privilege level that would only give access to the show commands for certain users. What would be the best way to do this?
    Would I have to use the privilege mode level level command for every available show command or is there a more efficient way of doing this?
    In addition, could we manage such a privilege level from a Radius Server.
    Thanks for your help
    Stéphane

    Well, I think the best way to achieve this is to use TACACS+ with the command authorization feature.
    Configuration on the tacacs server ( only for show commands, read only access)
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario2
    These commands are required on an IOS router or switch in order to implement command authorization through an ACS server:
        aaa new-model
        aaa authorization config-commands
        aaa authorization commands 0 default  group tacacs+ local
        aaa authorization commands 1 default  group tacacs+ local
        aaa authorization commands 15 default group tacacs+ local
         tacacs-server host 10.1.1.1
         tacacs-server key cisco123
    These commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:
        aaa-server authserver protocol tacacs+
        aaa-server authserver host 10.1.1.1
        aaa authorization command authserver
    However, if you strictly want to use radius server then please try the below listed attribute for a single user or group.
    Service-Type = NAS Prompt
    http://www.ietf.org/assignments/radius-types/radius-types.xml#radius-types-4
    This might not work for ASDM.
    HTH
    Regards,
    Jatin
    Do rate helpful posts-
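Three replies on this page hand the privilege level back over RADIUS: Anisha's ACS av-pair, the ISE authorization profile with Cisco:cisco-av-pair = shell:priv-lvl=15, and Jatin's Service-Type = NAS Prompt. All of them end up as attributes inside a RADIUS Access-Accept. The Python below is an added illustration, not code from any of those replies or from Cisco: it builds such a packet per RFC 2865 with the Vendor-Specific attribute for Cisco (vendor ID 9, vendor-type 1 = cisco-av-pair) carrying shell:priv-lvl=15 plus Service-Type 7 (NAS Prompt), then decodes it the way a NAS would, checking the Response Authenticator against the shared secret before trusting any attribute, since an unverified reply could be spoofed to hand out level 15. The identifier, Request Authenticator and the shared secret are constructed values.

```python
"""Build and decode a RADIUS Access-Accept that assigns an IOS privilege
level (RFC 2865 framing; Cisco Vendor-Specific attribute, vendor ID 9,
vendor-type 1 = cisco-av-pair). Constructed example: identifier, request
authenticator and the shared secret are made-up values."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9
CISCO_AVPAIR = 1                # Cisco vendor-type for cisco-av-pair
SERVICE_TYPE_NAS_PROMPT = 7     # Service-Type = NAS Prompt


def attribute(attr_type, value):
    """Type / Length / Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes((attr_type, 2 + len(value))) + value


def cisco_av_pair(text):
    """Vendor-Specific: 4-byte Vendor-Id followed by a Cisco sub-TLV."""
    data = text.encode()
    sub = bytes((CISCO_AVPAIR, 2 + len(data))) + data
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def service_type(value):
    return attribute(ATTR_SERVICE_TYPE, struct.pack("!I", value))


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Server side. Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_auth + body


def verify_response(packet, request_authenticator, secret):
    """NAS side: reject the reply unless the authenticator matches the secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def iter_attributes(body):
    """Walk a TLV sequence, refusing lengths that run past the buffer."""
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("malformed attribute length")
        yield attr_type, body[pos + 2:pos + length]
        pos += length


def service_type_of(packet):
    for attr_type, value in iter_attributes(packet[20:]):
        if attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


def cisco_av_pairs(packet):
    pairs = []
    for attr_type, value in iter_attributes(packet[20:]):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
            continue
        for vendor_type, vendor_value in iter_attributes(value[4:]):
            if vendor_type == CISCO_AVPAIR:
                pairs.append(vendor_value.decode("ascii", errors="replace"))
    return pairs


def priv_lvl(packet, request_authenticator, secret):
    """shell:priv-lvl assigned by the server, or None if the reply fails
    verification or carries no such av-pair (the NAS then uses its default)."""
    if not verify_response(packet, request_authenticator, secret):
        return None
    for pair in cisco_av_pairs(packet):
        key, sep, val = pair.partition("=")
        if sep and key.strip() == "shell:priv-lvl" and val.strip().isdigit():
            return int(val)
    return None


if __name__ == "__main__":
    secret = b"cisco123"                     # constructed shared secret
    request_auth = bytes(range(16))          # constructed Request Authenticator
    reply = build_access_accept(7, request_auth, secret,
                                [service_type(SERVICE_TYPE_NAS_PROMPT),
                                 cisco_av_pair("shell:priv-lvl=15")])
    print(reply.hex())
    print("Service-Type:", service_type_of(reply))
    print("cisco-av-pairs:", cisco_av_pairs(reply))
    print("priv-lvl:", priv_lvl(reply, request_auth, secret))
    print("priv-lvl with wrong secret:", priv_lvl(reply, request_auth, b"wrong"))
```

When the av-pair is absent the decoder returns None and the NAS falls back to its own default, which is the level 1 behaviour Anisha describes above; a reply built with a different secret also yields None rather than a privilege level.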
