Interesting, I've never thought about that. It doesn't look like it on my IOS. It doesn't even show the privilege level in the running config.
R1(config)#username cisco456 privilege 1 secret cisco456 R1(config)#do sh run | i user username cisco123 privilege 15 secret 4 1wLgDhbOLsU0GdsP0B9e5YU2KA7gxZujqOLWf0j48q6 username cisco456 secret 4 X/3kH1/C8zYHwxsGf8rHwV7Et/Nh0igz8m2UBXsQ7JE
Be sure you use an enable password if you do this. I've found that by default the later IOS's allow anyone to 'enable' by default. The equivalent of 'aaa authentication enable none' in earlier IOS versions. E.G:
R1#sh run | i aaa|user aaa new-model aaa authentication login default local aaa authorization exec default local aaa session-id common username cisco123 privilege 15 secret 4 1wLgDhbOLsU0GdsP0B9e5YU2KA7gxZujqOLWf0j48q6 username cisco456 secret 4 X/3kH1/C8zYHwxsGf8rHwV7Et/Nh0igz8m2UBXsQ7JE
User Access Verification Username: cisco123 Password: R1#
And the scary one!
User Access Verification Username: cisco456 Password: R1>en R1#
No Kev, you were right.
By default, the Cisco IOS CLI has two levels of access to commands:
user EXEC mode (level 1) and
privileged EXEC mode (level 15).
moreover I made this draw:
please members... don't ignore my question... the main subject of this duscussion.
Thats what I thought, then I doubted myself. So I fired up my Jeremy C. security nuggets and he explicitly stated 0 as user, 1-14 as custom, 15 as priv. exec.
Grrrrr....this is what I mean about clear, consistent explanations of this topic.
So now Im going over my old 640-553 materials and its fuzzy at best in this area.
Also, lets be clear about what we are talking about - the older priv levels way of doing this, or the newer "role based" cli view style, so there is minimum confusion.
What Im trying to figure out right now is with the older way of doing it, you can pick a level AND then associate command with that level. Do you know how that works?
Is there already a subset of commands associated with each custom level (2-14) ?
For example, if I make a user account and assign random levels I get different results...e.g. if I assign priv 5, then log in with that account, it puts me right into priv exec mode. I havent tested this on each level.
Im feeling a little stupid right now.
My understanding of level 0 was that it was super restricted, way more than default user level 1 - please let me know about any good docs you may find.
(nice drawing btw...)
Hydir beware of PT, its seems to have buggy behaviour in this area.
I wanted to test the default behaviour of the user levels 2-14, so I configured this:
username kevin10 privilege 10 password 0 kevin
username kevin11 privilege 11 password 0 kevin
username kevin12 privilege 12 password 0 kevin
username kevin13 privilege 13 password 0 kevin
username kevin14 privilege 14 password 0 kevin
username kevin2 privilege 2 password 0 kevin
username kevin3 privilege 3 password 0 kevin
username kevin4 privilege 4 password 0 kevin
username kevin5 privilege 5 password 0 kevin
username kevin6 privilege 6 password 0 kevin
username kevin7 privilege 7 password 0 kevin
username kevin8 privilege 8 password 0 kevin
username kevin9 privilege 9 password 0 kevin
The only router config I added was line con 0 local login.
Whichever user I log in as the result is:
% Invalid input detected at '^' marker.
Enter configuration commands, one per line. End with CNTL/Z.
So all levels (by default) take you directly to privilege exec mode (odd) , but, to REALLY be in PE mode you have to enter enable again...must be a bug.
...experimentation continues on real routers...