User Tools
tech:network:cisco:privilege-level-exec:privilege-level-exec
Table of Contents
Cisco privilege level, privilege exec configuration
Blueprint
- CCIE R&S
- Written v5.1
- 5.0 Infrastructure Security
- 5.1 Device security
- 5.1.d [ii] Local privilege authorization fallback
- Lab v5.0
- N/A
Cisco 1841 15.1(4)M10
Configuration
configure terminal ! username user1 secret snakeoil username user2 privilege 10 secret godisexist username user3 privilege 15 secret superman ! enable secret level 10 middle enable secret god ! interface FastEthernet 0/0 ip address 10.0.8.123 255.255.255.0 no shutdown ! privilege exec level 10 configure terminal privilege exec level 10 show running-config privilege exec level 10 show startup-config ! input later privilege exec level 1 show ! line vty 0 15 login local ! line console 0 login local ! end
Verification
++++ Console Log |
wnoguchi@kotone:~$ telnet 10.0.8.123
Trying 10.0.8.123...
Connected to 10.0.8.123.
Escape character is '^]'.
User Access Verification
Username: user1
Password:
% Login invalid
Username: user1
Password:
R1>en
Password:
Password:
Password:
% Bad secrets
R1>sh priv
^
% Invalid input detected at '^' marker.
R1>sh ?
% Unrecognized command
R1>en
Password:
R1#sh priv
Current privilege level is 15
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#^Z
R1#logout
Connection closed by foreign host.
wnoguchi@kotone:~$ telnet 10.0.8.123
Trying 10.0.8.123...
Connected to 10.0.8.123.
Escape character is '^]'.
User Access Verification
Username: user1
Password:
R1>en 10
Password:
Password:
R1#sh priv
Current privilege level is 10
R1#sh ru
R1#sh running-config | i user
! Last configuration change at 05:12:06 UTC Sun Aug 18 2019 by user1
R1#sh running-config
Building configuration...
Current configuration : 122 bytes
!
! Last configuration change at 05:12:06 UTC Sun Aug 18 2019 by user1
boot-start-marker
boot-end-marker
!
!
!
!
!
!
end
R1#sh sta
R1#sh star
R1#sh startup-config
Using 974 out of 196600 bytes
!
! Last configuration change at 23:13:13 UTC Wed Aug 14 2019
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO1841 sn FHK1107102U
!
redundancy
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address dhcp
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end
R1#sh priv
Current privilege level is 10
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#^Z
R1#en 15
Password:
R1#sh priv
Current privilege level is 15
R1#en
R1#sh run | i user
! Last configuration change at 05:14:12 UTC Sun Aug 18 2019 by user1
username user1 secret 5 $1$3uCj$mX0bA7ydlvu8hW4iIU47d.
username user2 privilege 10 secret 5 $1$ZRsH$6bnNLeYHu6UkaIaFMMf0n1
username user3 privilege 15 secret 5 $1$KNnH$J70NyIsXID5SozkHnYtWI.
R1#logout
Connection closed by foreign host.
wnoguchi@kotone:~$ telnet 10.0.8.123\
> ^C
wnoguchi@kotone:~$ telnet 10.0.8.123
Trying 10.0.8.123...
Connected to 10.0.8.123.
Escape character is '^]'.
User Access Verification
Username: user2
Password:
R1#sh priv
Current privilege level is 10
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#privi
R1(config)#privil
R1(config)#priv
R1(config)#privi
R1(config)#privile
R1(config)#privile
R1(config)#priv?
% Unrecognized command
R1(config)#int f0/0
^
% Invalid input detected at '^' marker.
R1(config)#^Z
R1#enable
Password:
R1#sh priv
Current privilege level is 15
R1#disable
R1>logout
Connection closed by foreign host.
wnoguchi@kotone:~$ telnet 10.0.8.123
Trying 10.0.8.123...
Connected to 10.0.8.123.
Escape character is '^]'.
User Access Verification
Username: user3
Password:
R1#sh priv
Current privilege level is 15
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#pri
R1(config)#privi
R1(config)#privilege exe le
R1(config)#privilege exec leve
R1(config)#privilege exec level 1 show
R1(config)#^Z
R1#logout
Connection closed by foreign host.
wnoguchi@kotone:~$ telnet 10.0.8.123
Trying 10.0.8.123...
Connected to 10.0.8.123.
Escape character is '^]'.
User Access Verification
Username: user1
Password:
R1>sh priv
Current privilege level is 1
R1>logout
Connection closed by foreign host.
wnoguchi@kotone:~$
R1>show privilege Current privilege level is 1 R1>enable R1#show privilege Current privilege level is 15 R1#
User Access Verification
Username: test02
Password:
R1#sh pri
R1#sh priv
R1#sh privilege
Current privilege level is 15
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#pri
R1(config)#privi
R1(config)#privilege ?
RITE-profile Router IP traffic export profile command mode
RMI-Node-Config Resource Policy Node Config mode
RMI-Resource-Group Resource Group Config mode
RMI-Resource-Manager Resource Manager Config mode
RMI-Resource-Policy Resource Policy Config mode
SASL-profile SASL profile configuration mode
aaa-attr-list AAA attribute list config mode
aaa-user AAA user definition
accept-dialin VPDN group accept dialin configuration mode
accept-dialout VPDN group accept dialout configuration mode
acct_mlist AAA accounting methodlist definitions
address-family Address Family configuration mode
alps-ascu ALPS ASCU configuration mode
alps-circuit ALPS circuit configuration mode
archive Archive the router configuration mode
atm-vc-config ATM virtual circuit configuration mode
bba-group BBA Group configuration mode
bgp address-family Address Family configuration mode
boomerang Boomerang configuration mode
call-filter-matchlist Call Filter matchlist configuration mode
call-home call-home config mode
call-home-profile call-home profile config mode
cascustom Cas custom configuration mode
cfg-af-topo Configure non-base topology mode
cm-ac AC-AC connect configuration mode
cns-connect-config CNS Connect Info Mode
cns-connect-intf-config CNS Connect Intf Info Mode
cns-tmpl-connect-config CNS Template Connect Info Mode
cns_inventory_submode CNS Inventory SubMode
conf-attr-map LDAP attribute map config mode
conf-ldap-server LDAP server config mode
conf-ldap-sg LDAP server group config mode
conf-rad-server RADIUS server config mode
conf-tac-server Tacacs Server Definition
config-l2tp-class l2tp-class configuration mode
configure Global configuration mode
congestion Frame Relay congestion configuration mode
conn Connection configuration mode
control-class-map control-classmap config mode
controller Controller configuration mode
cpf-classmap Class-map configuration mode
cpf-policyclass Class-in-Policy configuration mode
cpf-policymap Policy-map configuration mode
crypto-identity Crypto identity config mode
crypto-ipsec-profile IPSec policy profile mode
crypto-keyring Crypto Keyring command mode
crypto-map Crypto map config mode
crypto-map-fail-close Crypto map fail close mode
crypto-transform Crypto transform config mode
cwmp CWMP configuration mode
dfp-submode DFP config mode
dhcp DHCP pool configuration mode
dhcp-class DHCP class configuration mode
dhcp-pool-class Per DHCP pool class configuration mode
dhcp-relay-info DHCP class relay agent info configuration
mode
dhcp-subnet-secondary Per DHCP secondary subnet configuration mode
dns-view DNS View configuration mode
dns-view-list DNS View-list configuration mode
dns-view-list-member DNS View-list member configuration mode
dot11qosclass Access class configuration mode
dot1x-credential-mode dot1x credential profile configuration mode
dynupd-http Dynamic DNS update HTTP configuration mode
dynupd-method Dynamic DNS update method configuration mode
ecfm Ethernet CFM configuration mode
ecfm_mep_int Ethernet CFM Interface MEP configuration mode
ecfm_srv Ethernet CFM Service configuration mode
eigrp_af_classic_submode Address Family configuration mode
Jump to privileged exec mode immediately
this is useful for verification use.
configure terminal ! interface FastEthernet 0/0 ip address 10.0.8.123 255.255.255.0 no shutdown ! line vty 0 15 login privilege level 15 password iamgod ! line console 0 login privilege level 15 password iamgod ! end
Verification
R1 con0 is now available Press RETURN to get started. User Access Verification Password: R1#sh priv Current privilege level is 15 R1#conf t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#^Z R1#sh r *Aug 18 05:23:34.630: %SYS-5-CONFIG_I: Configured from console by console R1#sh run | i priv username user2 privilege 10 secret 5 $1$ZRsH$6bnNLeYHu6UkaIaFMMf0n1 username user3 privilege 15 secret 5 $1$KNnH$J70NyIsXID5SozkHnYtWI. privilege exec level 10 configure terminal privilege exec level 10 configure privilege exec level 10 show startup-config privilege exec level 10 show running-config privilege exec level 1 show privilege level 15 privilege level 15 privilege level 15 R1#
References
tech/network/cisco/privilege-level-exec/privilege-level-exec.txt · Last modified: 2019/08/18 14:24 by wnoguchi
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
