Cisco Privilege Levels – Explanation and Configuration

It is important to secure your Cisco devices by configuring username and password protection and by assigning different Cisco privilege levels to control and restrict access to the CLI, thereby protecting the devices from unauthorized access. In this article, we will discuss how to configure user accounts and how to associate them with the different Cisco privilege levels. Then, we’ll take a deep dive into their purposes and functions, as well as their importance in network security design.


Privilege Level Security

Cisco IOS devices use privilege levels for more granular security and Role-Based Access Control (RBAC) in addition to usernames and passwords. There are 16 privilege levels of administrative access, 0-15, on a Cisco router or switch that you can configure to provide customized access control, with 0 being the least privileged and 15 being the most privileged. These are the three privilege levels the Cisco IOS uses by default:

  • Level 0 – Zero-level access only allows five commands: logout, enable, disable, help and exit.
  • Level 1 – User-level access allows you to enter User Exec mode, which provides very limited read-only access to the router.
  • Level 15 – Privileged-level access allows you to enter Privileged Exec mode and provides complete control over the router.


NOTE
By default, line-level security has a privilege level of 1 (con, aux, and vty lines).


Cisco Privilege Level Configuration

To assign the specific privilege levels, we include the privilege number when indicating the username and password of the user.

Router(config)#username admin1 privilege 0 secret Study-CCNA1
Router(config)#username admin2 privilege 15 secret Study-CCNA2
Router(config)#username admin3 secret Study-CCNA3


In this example, we assign user admin1 a privilege level of 0. Then, we assign user admin2 to privilege level 15, which is the highest level. For admin3, we did not specify any privilege level, but it will have a privilege level of 1 by default.

Let’s try to verify the output of our configuration by logging in to each user. Enter the username and the corresponding password, starting with admin1.

User Access Verification

Username: admin1
Password:
Router>?
Exec commands:
disable  Turn off privileged commands
enable   Turn on privileged commands
exit     Exit from the EXEC
help     Description of the interactive help system
logout   Exit from the EXEC
Router>


Notice in the output above that the user admin1 is in User Exec mode and has only five commands: logout, enable, disable, help, and exit. Now, let’s log in as admin2.

User Access Verification

Username: admin2
Password:
Router#show privilege
current privilege level is 15

Router#


The output above shows that user admin2 is currently at level 15, which we verified by typing the ‘show privilege’ command on the CLI. Notice also that we are in Privileged Exec mode. Lastly, let’s log in as admin3.

User Access Verification

Username: admin3
Password:
Router>show privilege
current privilege level is 1

Router>


When we logged in as admin3, we verified that it was at level 1 by typing the ‘show privilege’ command on the CLI. Notice that we are in User Exec mode.


Privilege Levels 2-14

You can increase the security of your network by configuring additional privilege levels from 2 to 14 and associating them with usernames to provide customized access control. This is suitable when you are designing role-based access control for different users and allowing them to execute only certain commands, thereby restricting them from unnecessary commands and adding layers of security on the device.

Let’s now assign privilege level 5 to a user. After that, we will assign the ‘show running-config’ command to privilege level 5 so that level 5 users are allowed to execute it.

Router(config)#username admin4 privilege 5 secret Study-CCNA4
Router(config)#privilege exec level 5 show running-config


All level 5 users can now execute ‘show running-config’ on the CLI, in addition to the commands available at the default level 1. Let’s log in as user admin4 to verify that.

User Access Verification

Username: admin4
Password:
Router#show running-config
Building configuration...
Current configuration : 57 bytes
!
boot-start-marker
boot-end-marker
!
!
!
end

Router#


Enable Secret Command Privilege

We can also configure different privilege levels for passwords. Here, we set an enable secret for a specific privilege level, so that a user can move up to that level with the ‘enable {level}’ command. Use the ‘enable secret level {level} {password}’ syntax as shown below. The command sets the enable secret password for privilege level 5.

Router(config)#enable secret level 5 Study-CCNA5


We can verify our configuration as shown below:

User Access Verification
Username: admin5
Password:

Router>show running-config
^
% Invalid input detected at ‘^’ marker.

Router>enable 5
Password:
Router#show privilege
Current privilege level is 5

Router#show running-config
Building configuration...

Current configuration : 57 bytes
!
boot-start-marker
boot-end-marker
!
!
!
end

Router#

In our first attempt, notice in the example above that we do not have access to the ‘show running-config’ command. That is because we are currently at privilege level 0. However, we can move to privilege level 5 with the ‘enable {privilege level}’ command, and from there, we can access the ‘show running-config’ command.
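As an added example (not code from this article or from Cisco), the following Python script parses the three kinds of commands configured above (‘username … privilege’, ‘privilege exec level’, and ‘enable secret level’), works out which level each user lands at and which assigned commands each level may run, and flags level 15 accounts and custom levels that have no enable secret. The sample configuration is constructed from the commands in this article; the default level 1 read-only commands are not enumerated.

```python
import re
# Constructed sample config made up of the commands configured in this article.
SAMPLE_CONFIG = """
username admin1 privilege 0 secret Study-CCNA1
username admin2 privilege 15 secret Study-CCNA2
username admin3 secret Study-CCNA3
username admin4 privilege 5 secret Study-CCNA4
privilege exec level 5 show running-config
enable secret level 5 Study-CCNA5
"""

# The five commands available at every level, including level 0.
LEVEL0_COMMANDS = frozenset({"logout", "enable", "disable", "help", "exit"})

USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? (?:secret|password) ")
PRIV_RE = re.compile(r"^privilege exec level (\d+) (.+)$")
ENABLE_RE = re.compile(r"^enable secret level (\d+) ")

def parse_config(text):
    """Return (user -> level, command -> level it was assigned to, levels with an enable secret)."""
    users, moved, enable_levels = {}, {}, set()
    for line in text.splitlines():
        line = line.strip()
        if m := USER_RE.match(line):
            # A username with no 'privilege' keyword gets level 1 by default.
            users[m.group(1)] = int(m.group(2)) if m.group(2) else 1
        elif m := PRIV_RE.match(line):
            moved[m.group(2).strip()] = int(m.group(1))
        elif m := ENABLE_RE.match(line):
            enable_levels.add(int(m.group(1)))
    return users, moved, enable_levels

def allowed_commands(level, moved):
    """Level 0 commands plus every assigned command whose level is at or below `level`
    (the built-in level 1 read-only commands are not modelled here)."""
    return set(LEVEL0_COMMANDS) | {c for c, lvl in moved.items() if lvl <= level}

def audit(text):
    """Map users to levels and flag what a reviewer of this config would want to see."""
    users, moved, enable_levels = parse_config(text)
    findings = []
    for name, level in sorted(users.items()):
        if level == 15:
            findings.append(f"{name}: level 15 account (full control of the device)")
    for lvl in sorted(set(moved.values())):
        if 1 < lvl < 15 and lvl not in enable_levels:
            findings.append(f"level {lvl}: commands assigned but no enable secret for 'enable {lvl}'")
    return users, moved, findings
```

Run audit(SAMPLE_CONFIG) to list each user's level and the findings; allowed_commands(5, moved) returns the level 0 set plus ‘show running-config’.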
