Question about locally defined user privilege levels on IOS devices?

Discussion in 'Cisco' started by John Heitmuller, Aug 7, 2008.

  1. On a Cisco IOS 12.4 lab router I have defined two users.

    R1(config)#username admin privilege 15 secret cisco
    R1(config)#username john secret cisco

    When I log in as admin and run the sh priv command a 15 is returned, no
    surprise. If I log in as John and run the sh priv command a 15 is also
    returned. I was surprised.

    Am I interpreting this correctly? If you do not assign a privilege
    level to a username then that user operates at the default privilege
    level. If you are in enable mode that level is 15. So, by not
    defining a privilege level you are in effect granting level 15 access.

    Thanks,
    John
     
    John Heitmuller, Aug 7, 2008
    #1


  2. Hi John

    By default a user logged in is in priv level 1. If user is in enable mode priv
    level is 15, no matter which priv level is assigned to user.

    The part privilege 15 in username command defines to which level a user is set
    on login.

    If a non-privileged user uses enable and enters password correctly he goes to
    enable mode which means level 15.

    One of my outputs:

    username fote98 access-class 90 privilege 15 secret xxxx
    username claudia password xxxy

    User 1
    ------------------------------------
    login as: claudia
    Sent username "claudia"
    claudia@192.168.0.1's password:

    C876W>sh privi
    Current privilege level is 1
    C876W>en
    Password:
    C876W#sh priv
    Current privilege level is 15
    C876W#disable
    C876W>sh priv
    Current privilege level is 1
    C876W>

    User 2
    ------------------------------------
    login as: fote98
    Sent username "fote98"
    fote98@192.168.0.1's password:

    C876W#sh priv
    Current privilege level is 15
    C876W#disable
    C876W>sh priv
    Current privilege level is 1
    C876W>en
    Password:
    C876W#sh priv
    Current privilege level is 15
    C876W#


    HTH

    Andre
     
    Andre Wisniewski, Aug 7, 2008
    #2


  3. These aren't the config lines doing that for you then.

    Look in your line vty section for the command that is setting your
    default privilege level for all incoming connections.

    If your default priv level is the IOS default of 1, then your username
    login privilege level will override that. But if the line already sets
    priv level 15 when the user comes in, they'll get the overridden default.
     
    Doug McIntyre, Aug 7, 2008
    #3
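
A config audit for the situation described in post #3, as an added example that is not part of the original thread: it lists local users with no explicit `privilege` who would inherit an elevated `privilege level` from a line. The sample config is constructed (the two usernames from post #1 plus a hypothetical vty section), the function names are illustrative, and the inheritance rule is assumed to work as post #3 describes.

```python
import re

# Constructed sample config (not from the thread): the two usernames from
# post #1 plus a hypothetical vty section of the kind post #3 describes.
SAMPLE_CONFIG = """\
username admin privilege 15 secret cisco
username john secret cisco
line con 0
 login local
line vty 0 4
 privilege level 15
 login local
"""

def parse(config):
    """Return ({user: explicit_level_or_None}, {line_name: line_level})."""
    users, lines, current = {}, {}, None
    for raw in config.splitlines():
        m = re.match(r"username (\S+)(.*)", raw)
        if m:
            lvl = re.search(r"\bprivilege (\d+)\b", m.group(2))
            users[m.group(1)] = int(lvl.group(1)) if lvl else None
            current = None
        elif raw.startswith("line "):
            current = raw[5:].strip()
            lines[current] = 1              # IOS default line privilege level
        elif current and raw.startswith(" "):
            lvl = re.match(r"\s+privilege level (\d+)", raw)
            if lvl:
                lines[current] = int(lvl.group(1))
        else:
            current = None                  # left the line sub-mode
    return users, lines

def audit(config):
    """List (user, line, level) where a user with no explicit privilege
    inherits a line level above 1, following the model in post #3."""
    users, lines = parse(config)
    return [(u, ln, lvl) for u, explicit in sorted(users.items())
            if explicit is None
            for ln, lvl in sorted(lines.items()) if lvl > 1]

if __name__ == "__main__":
    for user, line, level in audit(SAMPLE_CONFIG):
        print(f"{user}: lands at privilege {level} on 'line {line}'")
```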