Monday, 28 May 2007

Cisco Privilege Access

Why Privilege access?
A basic username and password gives you access to the router, with perhaps an enable password standing between you and doing anything with it. This is fine for a single-user device, but when you want to split access into roles such as monitoring, administration and remote access, the access of each role needs to be defined.

Let's split this into roles:
Administrator: level 15, the highest
Support: level 5 or 6 is the most common
Monitoring: level 3 or 4 is the most common
Remote worker

Cisco privilege levels work by giving the level you set access to the commands you assign to it; if you assign nothing else, that level has no other commands. For example:

username admin privilege 15 secret password
username support privilege 6 secret password
username monitoring privilege 3 secret password
username vpn privilege 0 secret password

privilege exec all level 3 show
privilege exec level 6 reload
privilege exec level 6 configure

These commands mean that only users at privilege level 6 or higher can perform a reload, while level 3 and higher can use the show command.

You can use a lock-and-key approach as well. In this example the enable secret sets the privilege level, not just the user account, so the support user (or any other user) can run the enable command and supply the password to get level 15 access:

enable secret level 15 password

username admin privilege 15 secret password
username support privilege 6 secret password

Here is an example. The admin user has full access to the router.
The monitoring user can issue show commands.
The support user can do the same as the monitoring user, and can also change the IP address on any interface, bring it in and out of shutdown, and restart the router.

username admin privilege 15 secret password
username support privilege 6 secret password
username monitoring privilege 3 secret password

privilege interface all level 6 shutdown
privilege interface all level 6 ip
privilege configure level 6 interface
privilege exec level 6 configure terminal
privilege exec level 6 reload
privilege exec level 3 show
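As an added illustration (not from the original post, and not Cisco's own code), here is a small Python model of the rule the configuration relies on: a command assigned to level N is usable by sessions at level N or higher, and the level-15 enable secret lets a lower-level user escalate. It assumes IOS defaults of level 1 for show and level 15 for reload, configure and configuration-mode commands, and includes the privilege configure level 6 interface line a level-6 user needs to enter interface configuration mode.

```python
# Added example (not from the original post): a small model of how IOS
# privilege levels gate commands. Assumed defaults: "show" is level 1;
# "reload", "configure" and all configuration-mode commands are level 15.
DEFAULT_LEVELS = {
    ("exec", "show"): 1, ("exec", "reload"): 15, ("exec", "configure"): 15,
    ("configure", "interface"): 15,
    ("interface", "shutdown"): 15, ("interface", "ip"): 15,
}

def parse_privilege_lines(lines):
    """Build {(mode, command): level} from 'privilege <mode> [all] level <n> <cmd>'
    lines, starting from the assumed defaults; other lines are ignored."""
    levels = dict(DEFAULT_LEVELS)
    for raw in lines:
        parts = raw.split()
        if len(parts) < 5 or parts[0] != "privilege":
            continue
        mode, rest = parts[1], parts[2:]
        if rest[0] == "all":          # 'all' also re-levels sub-commands; keyword only here
            rest = rest[1:]
        if len(rest) < 3 or rest[0] != "level":
            continue
        levels[(mode, rest[2])] = int(rest[1])   # keyed on the first command word
    return levels

def can_run(user_level, mode, command, levels):
    """A command is allowed when the session level is at or above its level."""
    return user_level >= levels.get((mode, command), 15)

def enable(session_level, target_level, enable_secrets, supplied):
    """'enable <n>' raises the session to n only if the level-n secret matches."""
    return target_level if enable_secrets.get(target_level) == supplied else session_level

# Constructed from the post's configuration, plus the 'privilege configure'
# line a level-6 user needs before 'interface ...' is accepted in config mode.
USERS = {"admin": 15, "support": 6, "monitoring": 3, "vpn": 0}
CONFIG = [
    "privilege interface all level 6 shutdown",
    "privilege interface all level 6 ip",
    "privilege configure level 6 interface",
    "privilege exec level 6 configure terminal",
    "privilege exec level 6 reload",
    "privilege exec level 3 show",
]
ENABLE_SECRETS = {15: "password"}   # models 'enable secret level 15 password'

def access_matrix(users=USERS, config=CONFIG):
    """Return {user: {'mode command': allowed}} for every command in the config."""
    levels = parse_privilege_lines(config)
    return {u: {f"{m} {c}": can_run(lvl, m, c, levels) for (m, c) in levels}
            for u, lvl in users.items()}
```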

The basic rule to keep in mind when building your privilege list is what each level should be able to do:

Level 15 – all commands
Level 6 – limited commands
Level 3 – read only
Level 0 – no access

You should now have a basic understanding of privilege levels and can explore these commands from here.
