AAA Local Command Authorization

Hi Rene,

Good and informative!

Is there any documentation that lists the privilege levels and their associated commands?
I would like to know what privilege level 14 can and can’t do. I know level 15 does everything, but how about other privilege levels? What commands are they able to execute by default and what commands are they not able to execute by default? I would like to know what commands each privilege level is able to execute by default - from privilege level 0 to privilege level 14.

Thanks,

Mohamed

Hi Mohamed F,

By default, Cisco has 3 privilege levels enabled. The 3 levels are:

privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
privilege level 15 — Includes all enable-level commands at the router# prompt.

Since Cisco IOS Release 10.3, Cisco routers enable an administrator to configure multiple privilege levels. Configuring privilege levels is especially useful in a help desk environment where certain administrators must be able to configure and monitor every part of the router (level 15), and other administrators need only to monitor, not configure, the router (customized levels 2 to 14).

So as an answer to your question: the commands list per privilege level from 2 to 14 is defined by the administrator.

An administrator can define multiple customized privilege levels and assign different commands to each level. The higher the privilege level, the more router access a user has. Commands that are available at lower privilege levels are also executable at higher levels, because a privilege level includes the privileges of all lower levels. For example, a user authorized for privilege level 10 is granted access to commands allowed at privilege levels 0 through 10 (if also defined). A privilege-level-10 user cannot access commands granted to privilege level 11 (or higher). A user authorized for privilege level 15 can execute all Cisco IOS commands.

Hope I could answer your question.

Source: Cisco.com


Hi team,

I read in Cisco documentation that privilege interface level 8 no shutdown will set both no and shutdown to privilege level 8.
If by mistake I enter after that privilege interface level 9 no, will this command make my no shutdown unusable in privilege level 8?

Second question, in the lesson example you used local username. If I want to use AAA server, is TACACS+ mandatory or can I use RADIUS?

Thanks,

Hello David

I labbed this up to be sure. Initially, I issued the privilege interface level 8 no shutdown command. I then took a look at the running config and found this:

privilege interface level 8 shutdown
privilege interface level 8 no shutdown
privilege interface level 8 no

So by default, the full command as well as each individual keyword is added as a separate command.

I then proceeded with the privilege interface level 9 no command and got this result in the running config:

privilege interface level 8 shutdown
privilege interface level 8 no shutdown
privilege interface level 9 no

Notice that the no shutdown command as a whole is still level 8, but the no command alone is level 9. Even so, this no keyword will make the no shutdown command unavailable for a user on privilege level 8.

You can use either TACACS+ or RADIUS for your AAA server. You can find out more about how to do this at the following lesson:

I hope this has been helpful!

Laz
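Putting the two answers above together, here is a complete local command authorization configuration that lets a level-8 help-desk user shut and re-enable interfaces and nothing more. This is an added example, not the lesson's own configuration; the username helpdesk and the placeholder secret are assumptions.

```cisco
! Enable AAA and point login, exec and level-8 command authorization at the local database
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization commands 8 default local
!
! Assumed help-desk account that lands at privilege level 8 after login
username helpdesk privilege 8 secret REPLACE_WITH_REAL_SECRET
!
! Level 8 needs a path into interface configuration mode first
privilege exec level 8 configure terminal
privilege configure level 8 interface
!
! One line is enough: as the thread shows, IOS expands this into
!   privilege interface level 8 shutdown
!   privilege interface level 8 no shutdown
!   privilege interface level 8 no
privilege interface level 8 no shutdown
!
! Do NOT later enter "privilege interface level 9 no": per the lab result above
! it moves the "no" keyword to level 9 and silently breaks "no shutdown" for level 8.
```

After logging in as helpdesk, show privilege should report level 8, and any interface command other than shutdown / no shutdown should be rejected as invalid input.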

Definitely, is it on the switch or on the router, please?
Hello Rene

Hello Takam

This configuration in the lesson is performed on a Cisco IOS router. However, the configuration of AAA local command authorization is very similar on a switch. The following configuration guide, for example, shows how to apply this to a Cisco 3850 switch.

I hope this has been helpful!

Laz

Hello!

I would like to verify a few things

  1. The privilege exec level x cmd command is for configuring the exec modes while privilege configure allows the user to access a certain configuration mode, like the interface for example?

  2. And please, why doesn’t this work? I am running this router in Cisco CML.

Kind regards,
David

Hello David!

You are correct on your first point. The privilege exec level x cmd command is used to set the minimum privilege level required to execute a command in exec mode. On the other hand, ‘privilege configure’ is used to set the minimum privilege level required to execute a command in configuration mode.

Now the behavior of your scenario is quite interesting. I recreated it in the lab and confirmed this behavior. The command show running-config is indeed allowed, and you can see this because you don’t have an error message stating % Invalid input detected at '^' marker. The command has run successfully, so your privilege configuration is correct.

The reason you see no output is that while the command is recognized (and not invalid), the device’s security settings prevent the display of configuration details at that current privilege level. It’s a security measure to prevent unauthorized viewing of sensitive configuration details. So the privilege level doesn’t have the necessary rights to output the config file info on the screen.

I did some further experimentation and found that even privilege level 14 does not display the running configuration information on the screen; only level 15 does.

I learned something new today! :sunglasses:

I hope this has been helpful!

Laz