o Privilege levels define what commands a user can actually run on a router.
o There are three predefined privilege levels in Cisco routers: 0, 1 and 15.
o Cisco IOS routers support 16 different privilege levels, from 0 to 15.
o Cisco IOS allows multiple privilege levels to be defined for different accounts.
o This is useful when many people with different roles, such as operator, technician, or network manager, work on the same router or switch.
o It is also useful when there is no time to implement an authentication server for the router or switch.
o Higher privilege levels include all the commands of the lower privilege levels.
o For example, privilege level 8 will include all the commands of levels 0 – 7.
o Privilege level 15 will have all the commands of levels 0 – 14, and so on.
o First, understand the two IOS modes: Exec mode and Configuration mode.
o Exec mode is Router# and configuration mode looks like this: Router(config)#.
o Each “mode” also has different “sub-modes”, such as interface configuration.
Levels          Description
Level 0         Predefined for user-level access privileges. Includes five commands: disable, enable, exit, help, and logout.
Level 1         The default exec user level. You can use show commands but will not be able to configure anything.
Level 2 - 14    Can be customized for user-level privileges.
Level 15        Highest privilege level, also known as “Enable Mode” or “Privileged Mode”.
Root View:
o Root view has the same access privileges as a user who has level 15.
o An administrator must be in root view to add, edit, or delete views.
Super View:
o A super view consists of two or more CLI views.
o A superview provides the ability to combine different views.
o A network administrator can assign a user or group of users a superview.
o A superview can access all the commands that are provided in the other views.
Configuring RBAC R1
Commands                                                      Descriptions
R1(config)#aaa new-model                                      To define views, AAA must be enabled
R1(config)#enable secret 123                                  To define views, set an enable secret
R1#enable view                                                Enter and enable root view
R1(config)#parser view itsupport                              Create view named itsupport
R1(config-view)#secret 111                                    Assign password to view itsupport
R1(config-view)#commands exec include all show                Assign commands to view itsupport
R1(config-view)#commands exec include all config terminal     Assign more commands to itsupport view
R1(config-view)#commands exec include all debug               Assign debug commands to view
R1#enable view itsupport                                      Verify created view itsupport
R1(config)#username user1 view itsupport secret 111           Assign view to user named user1, password 111
R1#show parser view                                           View current view
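An added example, not part of the original notes: a Python check that reads the parser view blocks from a saved running-config and lists, per user, the debug and configure grants reachable through the assigned view or superview. The sample config is constructed; the netops view, noc superview, user2, and the choice of debug and configure as the grants to review are assumptions of this example.

```python
import re
# Constructed running-config: the itsupport view from the table above plus a
# hypothetical netops view, noc superview and user2 (view secrets omitted).
SAMPLE_CONFIG = """\
parser view itsupport
 commands exec include all show
 commands exec include all configure terminal
 commands exec include all debug
parser view netops
 commands exec include ping
 commands exec include all show
parser view noc superview
 view itsupport
 view netops
username user1 view itsupport secret 5 $1$constructed
username user2 view noc secret 5 $1$constructed
"""

def parse_views(config):
    """Return {view: {"commands": set, "members": list}} from parser view blocks."""
    views, current = {}, None
    for line in config.splitlines():
        m = re.match(r"parser view (\S+)", line)
        if m:
            current = views.setdefault(m.group(1), {"commands": set(), "members": []})
        elif current is not None and line.startswith(" "):
            body = line.strip()
            if body.startswith("commands "):
                current["commands"].add(body[len("commands "):])
            elif body.startswith("view "):  # member view listed inside a superview
                current["members"].append(body.split()[1])
        else:
            current = None  # an unindented line ends the view block
    return views

def effective_commands(views, name):
    """A superview exposes every command granted by its member views."""
    cmds = set(views[name]["commands"])
    for member in views[name]["members"]:
        cmds |= effective_commands(views, member)
    return cmds

def audit(config, review=("debug", "configure")):
    """Map each view-bound user to the grants that go beyond read-only show."""
    views = parse_views(config)
    return {user: sorted(g for g in effective_commands(views, view)
                         if any(k in g.split() for k in review))
            for user, view in re.findall(r"^username (\S+) view (\S+)", config, re.M)}

if __name__ == "__main__": print(audit(SAMPLE_CONFIG))
```

Here user2 is assigned only the noc superview, yet the report shows the same debug and configure grants as user1 because noc contains itsupport.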
privilege [show | clear | cmd] level level [mode {enable | cmd}] command command
Commands                     Description
show | clear | cmd           Optional keywords that set the privilege only for the show, clear, or configure form of the command. cmd is for configure.
level level                  A level between 0 and 15.
mode {enable | configure}    enable: Specifies both user EXEC mode and privileged EXEC mode.
                             configure: Specifies configuration mode, accessed using the configure terminal command.
command command              Type the command you want to configure.
Go to Device Management.
Click on AAA Access > Configure the type of access (choose LOCAL).