
Lab Privilege Levels and AAA Authorization

In IOS, Cisco does not perform authorization on the console by default. When you configure aaa
authorization it is applied to the vty lines but not to the console. This is to make it harder for you to lock
yourself out of the router or switch. If you want authorization to be applied on the console, you
must explicitly configure it (and be very careful that it is configured correctly, or you can wind up
locked out of the router; think especially about how it will behave when you cannot reach the external AAA
server that normally performs the authorization).

To test authorization on the console, you have to use the following command:

Router(config)#aaa authorization console

There are two options for assigning privilege levels to users, one involving AAA and one not.

Assigning privilege levels without AAA Authorization

Privilege levels define what commands a user can actually run on a router. There are three predefined
privilege levels on Cisco routers: 0, 1 and 15:

privilege level 1 = non-privileged (prompt is switch>), the default level for logging in

privilege level 15 = privileged (prompt is switch#), the level after going into enable mode

privilege level 0 = non-privileged; includes 5 commands: disable, enable, exit, help, and logout

When you're in user exec mode, you're actually in privilege level 1, as verified with show privilege:

R2>show privilege

Current privilege level is 1

There's a huge gap in access between levels 1 and 15, and the remaining levels 2-14 can be
configured to fill that gap: a user assigned one of those levels can run some commands, but not all
of them.
NOTE: the prompt is # from privilege level 2 through 14.

Assume you have a user who should not be allowed to use the ping command, which by default can be
run from privilege level 1:

R2>ping 172.1.1.1 (the successful ping output has been omitted)

By moving the ping command to privilege level 5, a user must have at least that level of privilege in
order to use ping. To change the privilege level of a command, use the privilege command.

R2(config)#privilege exec level 5 ping

R2(config)#enable secret level 5 cisco

A user must now have at least a privilege level of 5 to send a ping.

To test this:

R2#exit

R2>enable 5

Password:<cisco>

R2#sh privilege

Current privilege level is 5

R2#ping 1.1.1.1

% Unrecognized host or address, or protocol not running.

R2#conf t

% Invalid input detected at '^' marker.


Note: it's a Cisco best practice to create a user with privilege 15:

router(config)# username username privilege 15 {password | secret} password

router(config)#line console 0

router(config-line)#login local

router(config)#line vty 0 4

router(config-line)#login local

The user is placed into privileged exec mode immediately after successfully authenticating, so you
don't need to specify the enable or enable secret password to reach privileged mode.

Note: it's also not necessary to define an enable or enable secret password for telnet access.

If you do not want the console to prompt for a password, configure this under line con 0: no login (the Cisco
default).

Assigning privilege levels with AAA Authorization

To enable AAA Authorization to use privilege levels, use the aaa authorization command followed by the
appropriate option.

The full command to use the TACACS+ server to assign privilege levels, followed by the local database, is
as follows:

Router(config)# aaa authorization commands 5 default group tacacs+ local

Privilege levels can also be assigned via the router's local database. To assign privilege levels
on a per-user basis, configure usernames and passwords and include the privilege number keyword
in the username command itself, which gives that privilege level to some users but not all.

Example:

R2(config)# username juanma privilege 5 password juantron

That would assign a privilege level of 5 to that particular user.


aaa new-model

aaa authentication login default local

aaa authorization commands 5 default local

! Optional: to enter privilege level 5 directly on login:

aaa authorization exec default local

username juantron privilege 5 secret juantron

! Best practice is to create an administrator account

username juanma privilege 15 secret juanma

! You don't need to use the following command if aaa authorization exec default local was configured

! enable secret level 5 cisco

privilege exec level 5 ping

int fa0/0

ip address 192.168.2.1 255.255.255.0

no shutdown

Let's test this solution:

R2# telnet 192.168.2.1

Trying 192.168.2.1 ... Open

User Access Verification

Username: juantron

Password: <juantron>

R1#sh privilege

Current privilege level is 5

R1#ping 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R1#conf t

% Invalid input detected at '^' marker.
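As an added example (not part of this lab or of Cisco's own tooling), the Python below models the privilege-level rules used in both parts of the lab: commands moved with privilege exec level, per-user levels from username ... privilege, and the console-authorization default from the first section. It parses a constructed config assembled from the lab's own lines, expands IOS-style word abbreviations such as conf t and sh privilege, and answers whether a named user can run a given command. The command-to-level table is an assumption that covers only the commands the lab mentions; real IOS assigns many more commands to levels 1 and 15, and the parser is deliberately limited to the three statement types shown here.

```python
import re
from dataclasses import dataclass, field

# Assumed, simplified model of IOS privilege levels. Only the commands named in
# the lab are listed; real IOS assigns hundreds of commands to levels 1 and 15.
DEFAULT_COMMAND_LEVELS = {
    "disable": 0, "enable": 0, "exit": 0, "help": 0, "logout": 0,  # the level-0 set
    "ping": 1, "show privilege": 1,                                  # user exec (level 1)
    "configure terminal": 15,                                        # privileged exec only
}

PRIVILEGE_RE = re.compile(r"^privilege\s+exec\s+level\s+(\d+)\s+(.+)$")
USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\s+(?:password|secret)\b")

# Constructed sample config, assembled from the lab's own configuration lines.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization commands 5 default local
! Optional: to enter privilege level 5 directly on login:
aaa authorization exec default local
username juantron privilege 5 secret juantron
! Best practice is to create an administrator account
username juanma privilege 15 secret juanma
privilege exec level 5 ping
"""


@dataclass
class PrivilegeModel:
    command_levels: dict = field(default_factory=lambda: dict(DEFAULT_COMMAND_LEVELS))
    user_levels: dict = field(default_factory=dict)   # users with an explicit 'privilege N'
    console_authorization: bool = False               # 'aaa authorization console' present?


def parse_config(text):
    """Build a PrivilegeModel from config text; lines starting with '!' are comments."""
    model = PrivilegeModel()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = PRIVILEGE_RE.match(line)
        if m:  # 'privilege exec level 5 ping' moves ping from its default level to 5
            model.command_levels[" ".join(m.group(2).split())] = int(m.group(1))
            continue
        m = USERNAME_RE.match(line)
        if m:  # 'username juantron privilege 5 secret ...' records the user's level
            model.user_levels[m.group(1)] = int(m.group(2))
            continue
        if line == "aaa authorization console":
            model.console_authorization = True
    return model


def required_level(model, typed):
    """Level needed for a typed command line, honouring IOS-style word abbreviation
    ('conf t' -> 'configure terminal'); trailing arguments such as an IP address are
    allowed. Returns None when the command is unknown to the model or ambiguous."""
    words = typed.split()
    matches = []
    for command, level in model.command_levels.items():
        parts = command.split()
        if len(words) >= len(parts) and all(w.startswith(t) for t, w in zip(words, parts)):
            matches.append(level)
    return matches[0] if len(matches) == 1 else None


def user_level(model, user):
    """Users without an explicit 'privilege N' log in at level 1, the lab's default."""
    return model.user_levels.get(user, 1)


def can_run(model, user, typed):
    """True when the user's level is at least the level the command was assigned."""
    needed = required_level(model, typed)
    return needed is not None and user_level(model, user) >= needed


def commands_at_or_below(model, level):
    """Sorted list of modelled commands a user at 'level' may run."""
    return sorted(c for c, lvl in model.command_levels.items() if lvl <= level)


def audit(model):
    """Findings against the lab's own recommendations."""
    findings = []
    if not model.console_authorization:
        findings.append("console authorization is off (IOS default); add "
                        "'aaa authorization console' if console sessions must be authorized")
    if 15 not in model.user_levels.values():
        findings.append("no privilege-15 administrator account defined")
    return findings


if __name__ == "__main__":
    m = parse_config(SAMPLE_CONFIG)
    for user, cmd in [("juantron", "ping 192.168.2.1"), ("juantron", "conf t"),
                      ("juanma", "conf t"), ("guest", "ping 1.1.1.1")]:
        print(f"{user:>9} level {user_level(m, user):>2}: {cmd!r:<20} allowed={can_run(m, user, cmd)}")
    print("level 1 commands:", commands_at_or_below(m, 1))
    for finding in audit(m):
        print("finding:", finding)
```

Run it directly to see the same outcome as the telnet test above: juantron (level 5) can ping but not enter configuration mode, juanma (level 15) can do both, and a user with no explicit privilege is stuck at level 1 and can no longer ping once the command has been moved to level 5. The audit function reports that the sample config, like the lab's, leaves the console-authorization default in place.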
