From: Danny.Wang@xxxxxxxxxxxxxx
Date: Fri Jul 12 2002 - 16:17:45 GMT-3
Set the Privilege Level for a Command
To set the privilege level for a command, use the following commands in
global configuration mode:
|------+--------------------------------------------------------+----------------------------------------------------|
| Step | Command                                                | Purpose                                            |
|------+--------------------------------------------------------+----------------------------------------------------|
| 1.   | privilege mode level level command                     | Set the privilege level for a command.             |
|------+--------------------------------------------------------+----------------------------------------------------|
| 2.   | enable password level level [encryption-type] password | Specify the enable password for a privilege level. |
|------+--------------------------------------------------------+----------------------------------------------------|
Change the Default Privilege Level for Lines
To change the default privilege level for a given line or a group of lines,
use the following command in line configuration mode:
|--------------------+-------------------------------------|
| | |
| Command | Purpose |
| | |
|--------------------+-------------------------------------|
| | |
| privilege level | Specify a default privilege level |
| level | for a line. |
| | |
|--------------------+-------------------------------------|
Display Current Privilege Levels
To display the current privilege level you can access based on the password
you used, use the following command in EXEC mode:
|---------------+--------------------------------|
| | |
| Command | Purpose |
| | |
|---------------+--------------------------------|
| | |
| show | Display your current |
| privilege | privilege level. |
| | |
|---------------+--------------------------------|
Log In to a Privilege Level
To log in to a router at a specified privilege level, use the following
command in EXEC mode:
|--------------+--------------------------------|
| | |
| Command | Purpose |
| | |
|--------------+--------------------------------|
| | |
| enable | Log in to a specified |
| level | privilege level. |
| | |
|--------------+--------------------------------|
To exit to a specified privilege level, use the following command in EXEC
mode:
|--------------+------------------------------|
| | |
| Command | Purpose |
| | |
|--------------+------------------------------|
| | |
| disable | Exit to a specified |
| level | privilege level. |
| | |
|--------------+------------------------------|
Multiple Levels of Privileges Examples
This section provides examples of using multiple privilege levels to
specify who can access different sets of commands.
Allow Users to Clear Lines Examples
If you want to allow users to clear lines, you can do either of the
following:
- Change the privilege level for the clear and clear line commands to 1
  or "ordinary user level," as follows. This allows any user to clear
  lines.
    privilege exec level 1 clear line
- Change the privilege level for the clear and clear line commands to
  level 2. To do so, use the privilege level global configuration
  command to specify privilege level 2. Then define an enable password
  for privilege level 2 and tell only those users who need to know what
  the password is.
    enable password level 2 pswd2
    privilege exec level 2 clear line
Define an Enable Password for System Operators Examples
In the following example, you define an enable password for privilege level
10 for system operators and make clear and debug commands available to
anyone with that privilege level enabled.
enable password level 10 pswd10
privilege exec level 10 clear line
privilege exec level 10 debug ppp chap
privilege exec level 10 debug ppp error
privilege exec level 10 debug ppp negotiation
The following example lowers the privilege level of the more
system:running-config command and most configuration commands to operator
level so that the configuration can be viewed by an operator. It leaves the
privilege level of the configure command at 15. Individual configuration
commands are displayed in the more system:running-config output only if the
privilege level for a command has been lowered to 10. Users are allowed to
see only those commands that have a privilege level less than or equal to
their current privilege level.
enable password level 15 pswd15
privilege exec level 15 configure
enable password level 10 pswd10
privilege exec level 10 more system:running-config
Paul <p_chopin@yahoo.com>
Sent by: nobody@groupstudy.com
07/12/2002 10:57 AM
Please respond to Paul
To: ccielab@groupstudy.com
cc:
Subject: Priviledge levels commands
Hi guys,
I'm doing an ASET Lab, and have run into some problems. The
commands I'm using don't work as they are supposed to.
What I am asked to do is to configure AAA and create 2
different users (user1 and user2) with privilege level
6 and 3.
User1 (level 6) should be able to disconnect existing
session to the router, perform deb ip pack and see ip
routing table.
User2 (level 3) should be able to check who is
currently logged on to the router, but he should not be able
to deb ip packets or see the routing table.
Does anybody know how to do it? How to confine a user to
a specific set of commands? I think I'm missing some
important commands.
Is this enough:
privilege exec level 6 show ip route
privilege exec level 6 deb ip packet
privilege exec level 1 show ip
privilege exec level 1 deb
Thanks
Paul
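An added example, not part of either message in this thread or of the documentation quoted in it: a small Python check that reads `privilege` and `enable password level` lines like the ones above and applies the rule that a session may run a command only when the command's level is less than or equal to its own. The sample config is constructed from lines in this thread, the function names are hypothetical, and the longest-prefix matching is a simplified model that assumes keywords are written out in full.

```python
import re

# Constructed sample: privilege lines taken from the examples and question in this thread.
SAMPLE_CONFIG = """\
enable password level 10 pswd10
enable password level 15 pswd15
privilege exec level 15 configure
privilege exec level 10 more system:running-config
privilege exec level 10 clear line
privilege exec level 10 debug ppp chap
privilege exec level 6 show ip route
"""

PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+?)\s*$")
ENABLE_RE = re.compile(r"^enable\s+(password|secret)\s+level\s+(\d+)\b")

def parse_privileges(config):
    """Map (mode, command words) -> level for every 'privilege' line."""
    table = {}
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            table[(m.group(1), tuple(m.group(3).split()))] = int(m.group(2))
    return table

def required_level(table, mode, command):
    """Level of the longest configured prefix of command, or None when the
    config has no override (the IOS built-in default then applies)."""
    words = tuple(command.split())
    for n in range(len(words), 0, -1):
        if (mode, words[:n]) in table:
            return table[(mode, words[:n])]
    return None

def reachable(table, user_level):
    """Overridden commands a session at user_level may run (level <= user_level)."""
    return sorted(f"{mode} {' '.join(cmd)}" for (mode, cmd), lvl in table.items() if lvl <= user_level)

def password_protected_levels(config):
    """Levels guarded by 'enable password' (stored reversibly) instead of 'enable secret' (hashed)."""
    hits = (ENABLE_RE.match(line.strip()) for line in config.splitlines())
    return sorted(int(m.group(2)) for m in hits if m and m.group(1) == "password")

if __name__ == "__main__":
    t = parse_privileges(SAMPLE_CONFIG)
    for lvl in (3, 6, 10, 15):
        print(lvl, reachable(t, lvl))
    print("levels using enable password:", password_protected_levels(SAMPLE_CONFIG))
```

Run against the sample, a level 3 session reaches none of the overridden commands, level 6 reaches only `show ip route`, and `configure` stays out of reach below level 15.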