Multiple Privilege Levels:

o Privilege levels define what commands a user can actually run on a router.
o There are three predefined privilege levels in Cisco routers 0, 1 and 15.
o Cisco IOS router supports 16 different privilege levels from 0 to 15.
o Cisco IOS supports to define multiple privilege levels for different accounts.
o This could be useful when many people work on the same router or switch.
o However, with different roles such as operator, technician, or network manager.
o If there is no time to implement an authentication server for router or switch.
o Higher privilege levels will support all the commands of the lower privilege levels.
o For example, privilege level 8 will include all the commands of level 0 – 7.
o Privilege level 15 will have all the commands of level 0 – 14 and so on.
o First, understand IOS two modes. Exec Mode and Configuration Mode.
o Exec mode is Router# and configuration mode looks like this: Router (config) #.
o Each “mode” also has different “Sub-Modes” like the interface configuration.
Levels Description
Level 0 Predefined for user-level access privileges.
Five commands includes disable, enable, exit, help, and logout.
Level 1 Level 1 is the default exec user level.
You can use show commands but will not be able to configure anything.
Level 2 - 14 Level2 to 14 can be customized for user-level privileges.
Level 15 Highest privilege level, also known as “Enable Mode” or “Privileged Mode“.

Set Multiple Privilege Levels

Commands Description
R1>enable 0 Enable level 0
Level 0 has predefined Only run disable, enable, exit & logout
R1>enable 1 Enable level 1
Level 1 has also predefined Level 1 is predefined
R1>show privilege Current privilege level is 1
R1>enable Enter enable mode
R1# show privilege Current privilege level is 15
R1(config)#privilege exec level 3 show Give privilege level 3 users the to use the show
running-config running-configuration command
R1>show running-config Checked its working

User Name Password Available Commands

U2 222 Show interface f0/0, show ip int brief, ping and traceroute
U3 333 Assign an IP address & shut and no shut the interface
Admin Admin All levels and commands

1 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717

 Set Multiple Privilege Levels
R1(config)#username U2 privilege 2 password 222
R1(config)#enable secret level 2 222
R1(config)#username U3 privilege 3 password 333
R1(config)#enable secret level 3 333
R1(config)#username admin privilege 15 password admin
R1(config)#enable secret level 15 admin
R1(config)#line console 0
R1(config‐line)#login local
R1(config)#line vty 0 4
R1(config‐line)#login local
R1(config)#privilege EXEC level 2 Show interface F0/0
R1(config)#privilege EXEC level 2 Show ip int brie
R1(config)#privilege EXEC level 2 ping
R1(config)#privilege EXEC level 2 Traceroute
R1(config)#privilege EXEC level 3 configure terminal
R1(config)#privilege CONFIGURE level 3 interface
R1(config)#privilege INTERFACE level 3 shutdown
R1(config)#privilege INTERFACE level 3 ip address

Disadvantages of Privilege Level:

o Inheritance, a user of higher privilege level can access lower privilege level commands.
o Not scalable have to create privilege in every single device.

2 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717

3 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717
Cisco IOS Role-Based CLI Access:
o RBAC stands for Role-Based Access Control.
o A Role in IOS is called a View and since views control which commands are available.
o Network admin can implement Role-Based CLI Access simply called as RBAC.
o Role Based CLI access enable admin to create different views for different users.
o Each view defines set of the commands that a user can access.
o Access that is granted within one view is separate from other views.
o Admin can limit what commands a user can see or run on the Cisco Routers.
o To Implement Role-Based Access Control, using Parser Views.
o Network Admin create CLI Parser Views add Role Based commands to Parser View.
o CLI Parser View are tied to user when user login get only that configured commands.
o Pre-requisites for creating Parser Views are device IOS must support Parser Views.
o Enable Secret Password must be configured on the device.
o AAA must be enabled on the router using Cisco IOS "aaa new-model" command.

Root View:
o Root view has the same access privilege level, as user who has level 15.
o Admin should be in root view to added, edited or deleted in root view.
Super View:
o A super view consists of two or more CLI views.
o Superview provide the ability to combine difference view modes.
o A network administrator can assign a user or group of users a superview.
o Super view access all the commands, which are being provided in other views.

4 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717

 User Name Password View Commands
User1 111 ITSUPPORT All show, Debug & Configure
User2 222 ITADMIN Show, Show version, Show IP
Admin Admin ADMIN Both ITSUPPORT & ITADMIN

Configuring RBAC R1
Commands Descriptions
R1(config)#aaa new-mode To define views, AAA must be enabled
R1(config)#enable secret 123 To define views, enable password
R1#enable view Enter and Enable Root View
R1(config)#parser view itsupport Create view named itsupport
R1(config-view)#secret 111 Assign password to view itsupport
R1(config-view)#commands exec include all show Assign commands to view itsupport
R1(config-view)#commands exec include all config Assign more commands to itsupport
terminal view
R1(config-view)#commands exec include all debug Assign debug commands to view
R1#enable view itsupport Verify created view itsupport
R1(config)#username user1 view itsupport secret Assign view to user named user1
111 password 111
R1#show parser view View current view

R1#enable view Enter and Enable Root View

R1(config)#parser view itadmin
R1(config-view)#secret 222
R1(config-view)#commands exec include show
R1(config-view)#commands exec include all show
version
R1(config-view)#commands exec include all show
ip
R1#enable view itadmin
R1(config)#username user2 view itsupport secret
222
Create view named itadmin
Assign password to view itadmin
Assign commands to view itadmin
Assign more commands to itadmin view
Assign show ip commands to view
Verify created view itadmin
Assign view to user named user2
password 222

R1#enable view Enable Root View

R1(config)#parser view admin superview Create admin superview
R1(config-view)#secret admin Set password on superview admin
R1(config-view)#view itsupport Add view to superview
R1(config-view)#view itadmin Add more view to superview

5 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717

Privilege Levels in ASA:

privilege [show | clear | cmd] level level [mode {enable | cmd}] command command
Commands Description
Show | Optional keywords set privilege only for the show, clear, or configure form of
clear| cmd the command. CMD is for configure.
level ,level A level between 0 and 15.
Mode Enable—Specifies both user EXEC mode and privileged EXEC mode.
{enable| Configure—Specifies configuration mode, accessed using the configure
configure} terminal command.
Command, Type the command you want to configuring.
command

User Name Password Level Available Commands

User1 111 5 show, ping and traceroute
User2 222 6 Assign an IP address & shut and no shut the interface
Admin Admin 15 All levels and commands

Creating Users in ASA

ASA(config)# username user1 password 111 privilege 5
ASA(config)# username user2 password 222 privilege 6
ASA(config)# username admin password admin privilege 15

Set Privilege Levels for Users

ASA(config)# privilege level 5 mode exec command show
ASA(config)# privilege level 5 mode exec command ping
ASA(config)# privilege level 5 mode exec command traceroute
ASA(config)# privilege level 6 command configure
ASA(config)# privilege level 6 mode configure command interface
ASA(config)# privilege level 6 mode interface command IP
ASA(config)# privilege level 6 mode interface command no
ASA(config)# privilege level 6 mode interface command shutdown
ASA(config)# privilege level 6 mode interface command nameif

Enable Authorization and Authentication

ASA(config)# aaa authorization command LOCAL
ASA(config)# aaa authentication enable console LOCAL
ASA(config)# aaa authentication ssh console LOCAL
ASA(config)# aaa authentication telnet console LOCAL
ASA(config)# aaa authentication http console LOCAL
Configure Telnet for Checking
ASA(config)# telnet 0.0.0.0 0.0.0.0 IN

6 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717

 Verification Commands
ASA(config)# show running-config all privilege all
ASA(config)#show running-config privilege level 5
ASA(config)# show running-config privilege level 6
ASA(config)# sh curpriv

User1 is not allowed to enter configure terminal mode.

User2 is allowed to enter configure terminal mode.

7 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717

Setup privileges via ASDM:

Go the Configuration button and click on it.

Go to Device Management.

Click on the + sign for Users/AAA.

Click on AAA Access > Configure the type of access (choose LOCAL).

8 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717

Click on Authorization. Enable Server group (LOCAL). Set the ASDM Defined User Roles.
Enable the Perform authorization for exec shell access > to Local Server

Go to User Accounts and click on Add.

Create a new user. Give the user a username and a password.

Go to Access Restriction. Choose which Privilege level the user could get. Select 5 (Read Only)
After this click on OK and save the configuration of the ASA. Next time that the user with the
read only rights logon to the device. The user can only read the configuration and not change it
anything.

9 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717

10 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717