Privilege Levels

    CCNA Security - Implementing Network Security

    2 Securing Network Devices

    2.2 Assigning Administrative Roles

    2.2.1 Configuring Privilege Levels

    Page 1:

    While it is important that a system administrator can securely connect to and manage a device, still more configuration is needed to keep the network secure. For example, should complete access be provided for all employees in a company? The answer to that question is usually no. Most company employees require only specific areas of access to the network. What about complete access for all employees in the IT department? Keep in mind that large organizations have many different job functions within an IT department. For example, job titles include Chief Information Officer (CIO), Security Operator, Network Administrator, WAN Engineer, LAN Administrator, Software Administrator, PC Tech support, Help Desk support, and others. Not all job functions should have the same level of access to the infrastructure devices.

    As an example, a senior network administrator leaves for vacation and, as a precaution, provides a junior administrator with the privileged EXEC mode passwords to all infrastructure devices. A few days later, the curious junior administrator accidentally disables the company network. This is not an uncommon scenario, because all too often a router is secured with only one privileged EXEC password. Anyone with knowledge of this password has open access to the entire router.

    Configuring privilege levels is the next step for the system administrator who wants to secure the network. Privilege levels determine who should be allowed to connect to the device and what that person should be able to do with it. The Cisco IOS software CLI has two levels of access to commands.

    • User EXEC mode (privilege level 1) - Provides the lowest EXEC mode user privileges and allows only user-level commands available at the router> prompt.
    • Privileged EXEC mode (privilege level 15) - Includes all enable-level commands at the router# prompt.

    Although these two levels do provide control, sometimes a more precise level of control is required.

    Cisco IOS software has two methods of providing infrastructure access: privilege level and role-based CLI.

    Page 2:

    Assigning Privilege Levels

    Since Cisco IOS Release 10.3, Cisco routers enable an administrator to configure multiple privilege levels. Configuring privilege levels is especially useful in a help desk environment where certain administrators must be able to configure and monitor every part of the router (level 15), and other administrators need only to monitor, not configure, the router (customized levels 2 to 14). There are 16 privilege levels in total. Levels 0, 1, and 15 have predefined settings.

    An administrator can define multiple customized privilege levels and assign different commands to each level. The higher the privilege level, the more router access a user has. Commands that are available at lower privilege levels are also executable at higher levels, because a privilege level includes the privileges of all lower levels. For example, a user authorized for privilege level 10 is granted access to commands allowed at privilege levels 0 through 10 (if also defined). A privilege-level-10 user cannot access commands granted to privilege level 11 (or higher). A user authorized for privilege level 15 can execute all Cisco IOS commands.

    To assign commands to a custom privilege level, use the privilege command from global configuration mode.

    Router(config)# privilege mode {level level command | reset command}

    It is important to note that assigning a command with multiple keywords, such as show ip route, to a specific privilege level automatically assigns all commands associated with the first few keywords to the specified privilege level. For example, both the show command and the show ip command are automatically set to the privilege level where show ip route is set. This is necessary because the show ip route command cannot be executed without access to the show and show ip commands. Subcommands coming under show ip route are also automatically assigned to the same privilege level. Assigning the show ip route command allows the user to issue all show commands, such as show version.

    Page 3:

    Privilege levels should also be configured for authentication. There are two methods for assigning passwords to the different levels:

    • To the privilege level using the global configuration command enable secret level level password.
    • To a user that is granted a specific privilege level, using the global configuration command username name privilege level secret password.

    For example, an administrator could assign four levels of device access within an organization:

    • A USER account (requiring level 1, not including ping)
    • A SUPPORT account (requiring all level 1 access, plus the ping command)
    • A JR-ADMIN account (requiring all level 1 and 5 access, plus the reload command)
    • An ADMIN account (requiring complete access)

    Implementing privilege levels varies depending on the organization's structure and the different job functions that require access to the infrastructure devices.

    In the case of the USER, which requires default level 1 (Router>) access, no custom privilege level is defined. This is because the default user mode is equivalent to level 1.

    The SUPPORT account could be assigned a higher level access such as level 5. Level 5 automatically inherits the commands from levels 1 through 4, plus additional commands can be assigned. Keep in mind that when a command is assigned at a specific level, access to that command is taken away from any lower level. For example, to assign level 5 the ping command, use the following command sequence.

    privilege exec level 5 ping

    The USER account (level 1) no longer has access to the ping command, because a user must have access to level 5 or higher to perform the ping function.

    To assign a password to level 5, enter the following command.

    enable secret level 5 cisco5

    To access level 5, the password cisco5 must be used.

    To assign a specific username to privilege level 5, enter the following command.

    username support privilege 5 secret cisco5

    A user that logs in under the username support is only able to access privilege level 5, which also inherits privilege level 1.

    Page 4:

    The JR-ADMIN account needs access to all level 1 and level 5 commands as well as the reload command. This account must be assigned a higher level access, such as level 10. Level 10 automatically inherits all the commands from the lower levels.

    To assign level 10 to the privileged EXEC mode reload command, use the following command sequence.

    privilege exec level 10 reload
    username jr-admin privilege 10 secret cisco10
    enable secret level 10 cisco10

    After these commands are entered, the reload command is available only to users with level 10 access or higher. The username jr-admin is given access to privilege level 10 and all associated commands, including those commands assigned to any lower privilege levels. To access level 10 mode, the password cisco10 is required.

    An ADMIN account could be assigned the default level 15 access for privileged EXEC mode. In this instance, no custom commands need to be defined. A custom password could be assigned using the enable secret level 15 cisco123 command; however, that does not override the enable secret password, which could also be used to access level 15. Use the username admin privilege 15 secret cisco15 command to assign level 15 access to the user ADMIN with a password of cisco15.

    Keep in mind that when assigning usernames to privilege levels, the privilege and secret keywords are not interchangeable. For example, the username USER secret cisco privilege 1 command does not assign the USER account level 1 access. Instead, it creates an account requiring the password "cisco privilege 1".

    To access established privilege levels, enter the enable level command from user mode, and enter the password that was assigned to the custom privilege level. Use the same command to switch from a lower level to a higher level.

    • To switch from level 1 to level 5, use the enable 5 command at the EXEC prompt.
    • To switch to level 10, use enable 10 with the correct password.
    • To switch from level 10 to level 15, use the enable command. If no privilege level is specified, level 15 is assumed.

    It is sometimes easy to forget which level of access a user currently has. Use the show privilege command to display and confirm the current privilege level. Remember that the higher privilege levels automatically inherit the command access of the lower levels.
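    As an added illustration (not part of the course text and not Cisco IOS code), the Python model below applies the rules of the USER/SUPPORT/JR-ADMIN/ADMIN example: a command moved to a level disappears from lower levels, a multi-keyword command drags its leading keywords to the same level, and a username line with secret placed before privilege lands at level 1 with an unintended password. The command placement in DEFAULT_LEVELS and the sample configuration lines are constructed assumptions.

```python
import re

# Constructed sample of the IOS lines this page walks through (not a real device config).
# The last line deliberately repeats the page's keyword-order mistake.
SAMPLE_CONFIG = """
privilege exec level 5 ping
privilege exec level 7 show ip route
privilege exec level 10 reload
username support privilege 5 secret cisco5
username jr-admin privilege 10 secret cisco10
username admin privilege 15 secret cisco15
username USER secret cisco privilege 1
""".strip().splitlines()

# Assumed starting placement of a few commands: level 1 is user EXEC, 15 is privileged EXEC.
DEFAULT_LEVELS = {"show": 1, "show ip": 1, "show ip route": 1, "show version": 1,
                  "ping": 1, "reload": 15, "configure terminal": 15}

def parse_config(lines, defaults=DEFAULT_LEVELS):
    """Return (command_levels, users) from 'privilege exec' and 'username' lines."""
    levels, users = dict(defaults), {}
    for raw in lines:
        line = raw.strip()
        m = re.match(r"privilege exec level (\d+) (.+)$", line)
        if m:
            level, words = int(m.group(1)), m.group(2).split()
            # Rule from the page: the command and each leading keyword prefix
            # ('show', 'show ip', 'show ip route') are all set to the new level.
            for i in range(1, len(words) + 1):
                levels[" ".join(words[:i])] = level
            continue
        m = re.match(r"username (\S+) privilege (\d+) secret (.+)$", line)
        if m:
            users[m.group(1)] = (int(m.group(2)), m.group(3))
            continue
        m = re.match(r"username (\S+) secret (.+)$", line)
        if m:  # no 'privilege' before 'secret': the account gets level 1 and
            users[m.group(1)] = (1, m.group(2))  # the whole remainder is its password
    return levels, users

def can_run(levels, users, user, command):
    """A user may run a command when its level is at or below the user's own level:
    higher levels inherit lower ones, and a command moved up is lost to lower levels."""
    return levels.get(command, 15) <= users[user][0]

def allowed_commands(levels, users, user):
    """Every known command the user can execute, for a quick least-privilege audit."""
    return sorted(c for c in levels if can_run(levels, users, user, c))
```

Running parse_config over a real running-config export and diffing allowed_commands per account is a cheap way to spot accounts that ended up with more than their job function needs.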

    Page 5:

    Although assigning privilege levels does provide some flexibility, some organizations might not find them suitable because of the following limitations:

    • No access control to specific interfaces, ports, logical interfaces, and slots on a router.
    • Commands available at lower privilege levels are always executable at higher levels.
    • Commands specifically set on a higher privilege level are not available for lower privileged users.
    • Assigning a command with multiple keywords to a specific privilege level also assigns all commands associated with the first keywords to the same privilege level. An example is the show ip route command.

    The biggest limitation however is that if an administrator needs to create a user account that has access to most but not all commands, privilege exec statements must be configured for every command that must be executed at a privilege level lower than 15. This can be a tedious process.

    How can the limitations of assigning privilege levels be overcome?

    2.2.2 Configuring Role-Based CLI Access

    Page 1:

    Role-Based CLI

    To provide more flexibility than privilege levels, Cisco introduced the Role-Based CLI Access feature in Cisco IOS Release 12.3(11)T. This feature provides finer, more granular access by controlling specifically which commands are available to specific roles. Role-based CLI access enables the network administrator to create different views of router configurations for different users. Each view defines the CLI commands that each user can access.

    Security

    Role-based CLI access enhances the security of the device by defining the set of CLI commands that is accessible by a particular user. Additionally, administrators can control user access to specific ports, logical interfaces, and slots on a router. This prevents a user from accidentally or purposely changing a configuration or collecting information to which they should not have access.

    Availability

    Role-based CLI access prevents unintentional execution of CLI commands by unauthorized personnel, which could have undesirable consequences. This minimizes downtime.

    Operational Efficiency

    Users only see the CLI commands applicable to the ports and CLI to which they have access; therefore, the router appears to be less complex, and commands are easier to identify when using the help feature on the device.

    Page 2:

    Role-based CLI provides three types of views:

    • Root view
    • CLI view
    • Superview

    Each view dictates which commands are available.

    Root View

    To configure any view for the system, the administrator must be in root view. Root view has the same access privileges as a user who has level 15 privileges. However, a root view is not the same as a level 15 user. Only a root view user can configure a new view and add or remove commands from the existing views.

    CLI View

    A specific set of commands can be bundled into a CLI view. Unlike privilege levels, a CLI view has no command hierarchy and, therefore, no higher or lower views. Each view must be assigned all commands associated with that view, and a view does not inherit commands from any other views. Additionally, the same commands can be used in multiple views.

    Superview

    A superview consists of one or more CLI views. Administrators can define which commands are accepted and which configuration information is visible. Superviews allow a network administrator to assign users and groups of users multiple CLI views at once, instead of having to assign a single CLI view per user with all commands associated to that one CLI view.

    Superviews have the following characteristics:

    • A single CLI view can be shared within multiple superviews.
    • Commands cannot be configured for a superview. An administrator must add commands to the CLI view and add that CLI view to the superview.
    • Users who are logged into a superview can access all the commands that are configured for any of the CLI views that are part of the superview.
    • Each superview has a password that is used to switch between superviews or from a CLI view to a superview.

    Deleting a superview does not delete the associated CLI views. The CLI views remain available to be assigned to another superview.

    Page 3:

    Before an administrator can create a view, AAA must be enabled using the aaa new-model CLI command or CCP. To configure and alter views, an administrator must log in as the root view, using the enable view privileged EXEC command. The enable view root command can also be used. When prompted, enter the enable secret password.

    There are five steps to create and manage a specific view:

    Step 1. Enable AAA with the aaa new-model global configuration command. Exit and enter the root view with the enable view command.

    Step 2. Create a view using the parser view view-name command. This enables the view configuration mode. Excluding the root view, there is a maximum limit of 15 views in total.

    Step 3. Assign a secret password to the view using the secret encrypted-password command.

    Step 4. Assign commands to the selected view using the commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command] command in view configuration mode.

    Step 5. Exit view configuration mode by typing the exit command.

    Page 4:

    The steps to configure a superview are essentially the same as configuring a CLI view, except that instead of using the commands command to assign commands, use the view view-name command to assign views. The administrator must be in root view to configure a superview. To confirm that root view is being used, use either the enable view or enable view root command. When prompted, enter the enable secret password.

    There are four steps to create and manage a superview:

    Step 1. Create a view using the parser view view-name superview command and enter superview configuration mode.

    Step 2. Assign a secret password to the view using the secret encrypted-password command.

    Step 3. Assign an existing view using the view view-name command in view configuration mode.

    Step 4. Exit superview configuration mode by typing the exit command.

    More than one view can be assigned to a superview, and views can be shared between superviews.

    To access existing views, enter the enable view view-name command in user mode and enter the password that was assigned to the custom view. Use the same command to switch from one view to another.
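    To make the view rules of the CLI view and superview steps concrete, here is an added Python model (not from the course and not IOS code) that parses a constructed parser view / superview configuration written in the syntax above and answers whether a given view accepts a command: a CLI view carries only the commands assigned to it, include all also admits every subcommand, exclude removes one, and a superview accepts whatever any member view accepts. The view names, commands and placeholder secrets are constructed.

```python
import re

# Constructed sample in the view syntax this page describes (not a real device config).
SAMPLE_VIEWS = """
parser view MONITOR
 secret placeholder-secret-1
 commands exec include show version
 commands exec include all show ip
 commands exec exclude show ip ospf
parser view RESTART
 secret placeholder-secret-2
 commands exec include reload
parser view OPS superview
 secret placeholder-secret-3
 view MONITOR
 view RESTART
""".strip().splitlines()

def parse_views(lines):
    """Return {name: view}; a view records its own commands or, for a superview, its members."""
    views, cur = {}, None
    for raw in lines:
        line = raw.strip()
        m = re.match(r"parser view (\S+)( superview)?$", line)
        if m:
            cur = views.setdefault(m.group(1), {"super": bool(m.group(2)), "include": set(),
                                                "include_all": set(), "exclude": set(), "views": []})
        elif cur is None:
            continue
        elif (m := re.match(r"commands \S+ (include-exclusive|include|exclude)( all)? (.+)$", line)):
            mode, with_all, cmd = m.group(1), bool(m.group(2)), m.group(3)
            if mode == "exclude":
                cur["exclude"].add(cmd)
            else:  # include / include-exclusive: 'all' also admits every subcommand
                (cur["include_all"] if with_all else cur["include"]).add(cmd)
        elif cur["super"] and (m := re.match(r"view (\S+)$", line)):
            cur["views"].append(m.group(1))  # superviews only reference existing CLI views
    return views

def view_allows(views, name, command):
    """CLI views never inherit from one another; a superview is the union of its members."""
    v = views[name]
    if v["super"]:
        return any(view_allows(views, member, command) for member in v["views"])
    if command in v["exclude"]:
        return False
    return command in v["include"] or any(
        command == c or command.startswith(c + " ") for c in v["include_all"])
```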

    Page 5:

    To verify a view, use the enable view command. Enter the name of the view to verify, and provide the password to log in to the view. Use the question mark (?) command to verify that the commands available in the view are correct.

    From the root view, use the show parser view all command to see a summary of all views.

    All contents copyright © 2007-2012 Cisco Systems, Inc. Translated by the Cisco Networking Academy.