Cisco Privilege Levels – Explanation and Configuration

It is important to secure your Cisco devices by configuring and implementing username and password protection and assigning different Cisco privilege levels to control and restrict access to the CLI. Hence, protecting the devices from unauthorized access. In this article, we will discuss how to configure user accounts and how to associate them to the different Cisco privilege levels. Then, we’ll take a deep dive into their purposes and functions, as well as their importance in network security design.

 

Privilege Level Security

Cisco IOS devices use privilege levels for more granular security and role-based access control in addition to usernames and passwords. There are 16 privilege levels of admins access, 0-15, on the Cisco router or switch that you can configure to provide customized access control. With 0 being the least privileged and 15 being the most privileged. These are three privilege levels the Cisco IOS uses by default:

  • Level 0 – Zero-level access only allows five commands- logout, enable, disable, help and exit.
  • Level 1 – User-level access allows you to enter in User Exec mode that provides very limited read-only access to the router.
  • Level 15 – Privilege level access allows you to enter in Privileged Exec mode and provides complete control over the router.

 

NOTE
By default, Line level security has a privilege level of 1 (con, aux, and vty lines ).

 

Cisco Privilege Level Configuration

To assign the specific privilege levels, we include the privilege number when indicating the username and password of the user.

Router(config)#username admin1 privilege 0 secret Study-CCNA1
Router(config)#username admin2 privilege 15 secret Study-CCNA2
Router(config)#username admin3 secret Study-CCNA3

 

In this example, we assign user admin1 a privilege level of 0. Then, we assign user admin2 to privilege level 15, which is the highest level. For admin3, we did not specify any privilege level, but it will have a privilege level of 1 by default.

Let’s try to verify the output of our configuration by logging in to each user. Enter the username and the corresponding password, starting with admin1.

User Access Verification

Username: admin1
Password:
Router>?
Exec commands:
disable  Turn off privileged commands
enable   Turn on privileged commands
exit     Exit from the EXEC
help     Description of the interactive help system
logout   Exit from the EXEC
 
Router>

 

Notice in the output above that the user admin1 is under User Exec mode and has only five commands- logout, enable, disable, help, and exit. Now, let’s log in as admin2.

User Access Verification

Username: admin2
Password:
Router#show privilege
current privilege level is 15

Router#

 

The output above shows that user admin2 is currently in level 15, and we verified that by typing the ‘show privilege’ command on the CLI. Notice also that we are in Privileged Exec mode. Lastly, let’s log in as admin3.

User Access Verification

Username: admin3
Password:
Router>show privilege
current privilege level is 1

Router>

 

When we logged in as admin3, we verified that it was in level 1 by typing the  ‘show privilege’ command on the CLI. Notice that we are in User Exec mode.

 

Privilege Levels 2-14

You can increase the security of your network by configuring additional privileges from 2 to 14 and associating them to usernames to provide customized access control. This is suitable when you are designing role-based access control for different users and allowing only certain commands for them to execute. Hence, giving them restrictions to unnecessary commands and increasing the layers of security on the device.

Let’s now assign privilege level 5 to a user. After that, we will configure privilege level 5 users to be in User Exec mode and allow them to use the ‘show running-config’ command.

Router(config)#username admin4 privilege 5 secret Study-CCNA4
Router(config)#privilege exec level 5 show running-config

 

All level 5 users now will be automatically accessing the User Exec mode and can now use the User Exec commands such as ‘show running-config’ on the CLI. Let’s log in as user admin4 to verify that.

User Access Verification

Username: admin4
Password:
Router#show running-config
Building configuration...
Current configuration : 57 bytes
!
boot-start-marker
boot-end-marker
!
!
!
end

Router#

 

Enable Secret Command Privilege

We can also configure different privilege levels to passwords. Here, we will allow the ‘enable secret’ command to access the Privileged Exec level. Use the ‘enable secret level {level} {password}’ syntax as shown below. The command sets the enable secret password for privilege level 5.

Router(config)#enable secret level 5 Study-CCNA5

 

We can verify our configuration as shown below:

User Access Verification
Username: admin5
Password:

Router>show running-config
^
% Invalid input detected at ‘^’ marker.

Router>enable 5
Password:
R4#show privilege
Current privilege level is 5

Router#show running-config
Building configuration...

Current configuration : 57 bytes
!
boot-start-marker
boot-end-marker
!
!
!
end

Router#

In our first attempt, notice in the example above that we do not have access to the ‘show running-configuration’ command. That is because we are currently under privilege level 0. However, we can log in as a privilege level 5 user with the ‘enable {privilege level}’ command, and from there, we can now access the ‘show running-configuration’ command.


Download our Free CCNA Study Guide PDF for complete notes on all the CCNA 200-301 exam topics in one book.

We recommend the Cisco CCNA Gold Bootcamp as your main CCNA training course. It’s the highest rated Cisco course online with an average rating of 4.8 from over 30,000 public reviews and is the gold standard in CCNA training: