Recipe 3.22 Defining Per-User Privileges

3.22.1 Problem

You want to set different privilege levels for different users.

3.22.2 Solution

To assign a particular privilege level to a user, use the following set of commands:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#aaa authorization exec default local 
Router1(config)#username slowell privilege 10 password maceng#1
Router1(config)#privilege exec level 10 show ip route
Router1(config)#privilege exec level 1 show ip       
Router1(config)#privilege exec level 1 show   
Router1(config)#end
Router1#

You can also create several global privilege levels that any user can access with the appropriate password:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#enable secret level 10 lvl10passwd
Router1(config)#privilege exec level 10 show ip route
Router1(config)#privilege exec level 1 show ip
Router1(config)#privilege exec level 1 show
Router1(config)#end
Router1#

3.22.3 Discussion

Sometimes having two privilege level groups doesn't provide fine enough granularity. For example, you might want to have three levels of administrators: user-level staff, mid-level staff, and high-level engineers. You don't want user-level staff members to see the router's routing table; the mid-level staff should be able to see the routing table, but not make configuration changes; and the highest-level engineers need to have access to everything.

You could set up these three groups by using either method shown in the recipe example. For example, you could create user accounts for the staff members and assign the appropriate privilege level to each user or group of users. Or you could create user accounts for all of the users, and then define a series of different global enable levels. Either approach would work.

Our first example uses the username command, discussed in Recipe 3.1, to assign a particular privilege level to a username. We have assigned user slowell the privilege level 10 and increased the privilege level of the command show ip route to 10. Without the aaa authorization command, you cannot change the default privilege level. Essentially, we have created a new privilege level, 10, and assigned it a single command. It will also inherit the commands from all of the lower privilege levels:

Freebsd% telnet Router1
Trying 172.22.1.4...
Connected to Router1.
Escape character is '^]'.
   
   
User Access Verification
   
Username: slowell
Password: <maneng#1>
Router1#show privilege
Current privilege level is 10
Router1#show ip route 
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
   
Gateway of last resort is 172.22.1.3 to network 0.0.0.0
   
     172.16.0.0/24 is subnetted, 1 subnets
   
C       172.22.1.0 is directly connected, FastEthernet1/0
O*E1 0.0.0.0/0 [110/3] via 172.22.1.3, 00:15:56, FastEthernet1/0
Router1#disable 1
Router1>show ip route
                 ^
% Invalid input detected at '^' marker.

Notice that when this user logs in, he automatically gets the increased privilege level without having to issue an enable command. He then executes the show ip route command, which works normally because we have assigned it to level 10. If he then reduces his level to 1 and tries the same command again, it won't work.
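The following added example (not from the book) models how IOS resolves the privilege level of a multi-word command, so you can see why the recipe has to reset show ip and show back to level 1 after raising show ip route to 10. It assumes the IOS rule that assigning a level to a multi-word command also assigns that level to each of its leading prefixes, and a lookup rule of "longest configured prefix wins, otherwise level 1"; the config lines are constructed from the recipe.

```python
"""Model of IOS per-command privilege resolution (added example, not from the book).
Assumed: raising a multi-word command also raises each of its prefixes; lookup is
longest configured prefix wins, default level 1."""
import re

PRIV_RE = re.compile(r"^privilege exec level (\d+) (.+)$")
USER_RE = re.compile(r"^username (\S+) privilege (\d+)")

def parse_privileges(config_lines):
    """Return {command: level}, applying the prefix-raising rule in config order."""
    table = {}
    for line in config_lines:
        m = PRIV_RE.match(line.strip())
        if not m:
            continue
        level, words = int(m.group(1)), m.group(2).split()
        # IOS also moves every leading sub-phrase ("show", "show ip") to this level
        for n in range(1, len(words) + 1):
            table[" ".join(words[:n])] = level
    return table

def command_level(table, command, default=1):
    """Level required for `command`: longest configured prefix wins, else default."""
    words = command.split()
    for n in range(len(words), 0, -1):
        prefix = " ".join(words[:n])
        if prefix in table:
            return table[prefix]
    return default

def allowed(table, command, user_level):
    """True when a session running at user_level may execute command."""
    return user_level >= command_level(table, command)

def level15_users(config_lines):
    """Usernames assigned privilege 15 outright, which the recipe advises against."""
    hits = [USER_RE.match(line.strip()) for line in config_lines]
    return [m.group(1) for m in hits if m and int(m.group(2)) == 15]

# Constructed config lines: the recipe's first example with its two reset lines
RECIPE_CONFIG = [
    "username slowell privilege 10 password maceng#1",
    "privilege exec level 10 show ip route",
    "privilege exec level 1 show ip",
    "privilege exec level 1 show",
]
# Same raise without the resets: level-1 users lose every show command
NO_RESET_CONFIG = RECIPE_CONFIG[:2]
```

With the resets in place, a level-1 user can still run show version and show ip interface brief but not show ip route; without them, the model shows show itself moving to level 10.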

You could assign a username to privilege level 15 (enable level), but we do not recommend doing this. The extra layer of password protection and the strong encryption used by the enable secret command outweigh the convenience of assigning a user privilege level 15.

The second example defines a new privilege level using the enable secret command. You can also use the enable password command to define per-level passwords, but the enable secret command gives much better encryption, as we showed in Recipe 3.5.

The second method has two distinct advantages over the first example. First, the enable secret command uses strong MD5 encryption to store its passwords in the configuration. Second, it ensures that the new privilege level is available to all user-level staff, not just the single username we assigned earlier.

You can then use the command enable 10, which has its own password, to reach this new level:

Router1>enable 10
Password: <lvl10passwd>
Router1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
   
Gateway of last resort is 172.22.1.3 to network 0.0.0.0
   
C       172.22.1.0 is directly connected, FastEthernet1/0
O*E1 0.0.0.0/0 [110/3] via 172.22.1.3, 1w2d, FastEthernet1/0
Router1#disable 1
Router1>show ip route
              ^
% Invalid input detected at '^' marker.
   
Router1>

To access the new privilege level, this user used the enable command with the optional privilege level keyword 10. The router then prompted her for the level 10 password; after entering it correctly she was allowed to use the show ip route command. Finally, she reduced her privilege level back to default user-level (privilege level 1), where the show ip route command no longer works.

3.22.4 See Also

Recipe 3.1; Recipe 3.2; Recipe 3.21; Recipe 3.23