In IOS, by default, Cisco does not perform authorization on the console. When you configure aaa
authorization it is applied to the vty lines but not to the console. Basically this is to make it harder for you to lock
yourself out of the router or switch. If you want authorization to be applied on the console then you
must explicitly configure it (and be very careful that it is configured correctly or you can wind up being
locked out of the router - think especially of how it will work when you cannot reach the external AAA
server that normally does the authorization, and make sure the fallback method is one a local user can actually satisfy).
To test authorization on the console, you have to use the following command:
There are two options for assigning privilege levels to users, one involving AAA and one not.
Privilege levels define what commands a user can actually run on a router. IOS has sixteen levels (0 to 15), of
which three are predefined on Cisco routers: 0, 1 and 15:
privilege level 1 = non-privileged (prompt is switch>), the default level for logging in
privilege level 15 = privileged (prompt is switch#), the level after going into enable mode
privilege level 0 = non-privileged; includes only 5 commands: disable, enable, exit, help, and logout
When you're in user exec mode, you're actually in privilege level 1, as verified with show privilege:
R2>show privilege
There's a huge gap in command access between levels 1 and 15, and the remaining levels 2-14 can be
configured to fill that gap. Levels 2-14 can be configured to allow a user assigned a particular privilege
level to run some commands, but not all of them.
NOTE: the prompt is # from privilege level 2 to 14, so the prompt alone does not tell you which level you hold; use show privilege.
Assume you have a user who should not be allowed to use the ping command, which by default can be
run from privilege level 1:
By moving the ping command to privilege level 5, a user must have at least that level of privilege in
order to use ping. To change the privilege level of a command, use the privilege command.
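As an added example (configuration written for this page, not taken from the original), this is the global configuration that moves ping to privilege level 5 and creates the level-5 enable secret that "enable 5" needs. The secret value "cisco" is an assumption chosen to match the password typed in the test that follows.

```cisco
! Added example, not from the original page: restrict ping to privilege level 5.
! Assumed: the level-5 enable secret is "cisco", matching the test's password prompt.
configure terminal
 ! Without a secret for level 5, "enable 5" cannot succeed
 enable secret level 5 cisco
 ! Move ping (all of its forms) from its default level 1 to level 5;
 ! users below level 5 can no longer see or run it
 privilege exec level 5 ping
end
```

This affects every user below level 5, not just one account. Because the prompt is # at any level from 2 upward, verify with show privilege rather than by looking at the prompt. To undo the change use no privilege exec level 5 ping, or privilege exec reset ping to return the command to its default level.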
To test this:
R2#exit
R2>enable 5
Password:<cisco>
R2#sh privilege
R2#ping 1.1.1.1
R2#conf t
router(config)#line console 0
router(config-line)#login local
router(config)#line vty 0 4
router(config-line)#login local
The user will be placed into privileged exec immediately after successfully authenticating, provided the local
username was created with privilege 15. Here you don't need to specify the enable or secret password for access to privileged mode.
Note it's also not necessary to define an enable or secret password for telnet access in that case.
If you do not want the console to prompt for a password then configure this: line con 0; no login (Cisco
default).
To enable AAA authorization to assign privilege levels, use the aaa authorization command followed by the
appropriate option.
The full command to use the TACACS+ server to assign privilege levels, falling back to the local database, is
as follows:
Privilege levels can also be assigned via the router's local database. If you want to assign privilege levels
on an individual user basis, configure usernames and passwords and use the privilege number keyword
in the username command itself to give a privilege level to some users but not all.
Example:
! You don't need to use the following command if aaa authorization exec default local was configured
int fa0/0
no shutdown
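As an added example (written for this page, not configuration from the original), here is the complete AAA set-up the text describes in three places: TACACS+ assigning the exec privilege level with the local database as fallback, a local user carrying its own privilege level, and authorization explicitly applied to the console, which IOS exempts by default. The TACACS+ server address 10.0.0.5, the shared key "t4cacsK3y", the server name TAC1 and the enable secret "cisco" are assumptions; the user juantron with secret "juantron" matches the test below.

```cisco
! Added example, not from the original page: TACACS+ exec authorization with
! local fallback, and authorization applied to the console as well.
! Assumed values: TACACS+ server 10.0.0.5 (name TAC1), key "t4cacsK3y",
! local user juantron / secret "juantron", enable secret "cisco".
configure terminal
 aaa new-model
 ! Local fallback user at level 15: create it BEFORE the method lists below,
 ! because it is what lets you back in when the TACACS+ server is unreachable
 username juantron privilege 15 secret juantron
 enable secret cisco
 ! TACACS+ server definition (the "tacacs server" syntax of IOS 15.x)
 tacacs server TAC1
  address ipv4 10.0.0.5
  key t4cacsK3y
 ! Authenticate against TACACS+; "local" is consulted only when no server answers
 aaa authentication login default group tacacs+ local
 ! Let TACACS+ (or, on fallback, the username's privilege keyword) set the exec level
 aaa authorization exec default group tacacs+ local
 ! The console is exempt from aaa authorization by default; this applies it there too
 aaa authorization console
 line con 0
  login authentication default
 line vty 0 4
  login authentication default
end
```

Two points a practitioner should check before relying on this. First, "local" in a method list is tried only when the TACACS+ servers do not respond; a reject from TACACS+ is final, so a user the server refuses does not get a second chance against the local database. Second, on fallback the exec authorization also falls through to "local", so any user who can still log in must also exist in the local database with a privilege level, otherwise exec authorization fails and the session is refused even though the password was accepted. Test the failure path deliberately (block the server and log in on the console) before you leave the device, and confirm the resulting level with show privilege.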
Let’s test this solution:
Username: juantron
Password: <juantron>
R1#sh privilege
R1#ping 192.168.2.1
!!!!!
R1#conf t