UNDERSTANDING PRIVILEGE LEVELS
A privilege level is a number in the range 0 to 15, inclusive, with 0 being the lowest. It is assigned to a
user session and used to determine access to CLI commands: only commands at the same or a lower
privilege level can be accessed.
Each user on the device has a default privilege level, which is copied to the session’s privilege level at
login. The user can, however, change the session privilege level by executing the ‘enable’ or
‘disable’ commands. This can be used, for example, as follows:
• The user account is configured with privilege level 0.
• Whenever the user needs to perform higher-privileged commands, the user changes the session
  privilege level, executes the necessary commands, and then reverts to the default privilege
  level.
Access to higher privilege levels must be password-protected by using the ‘enable password’ or ‘enable
secret’ global configuration commands. The main difference between the two is whether passwords are
displayed in clear text or encrypted form in running-config (and, consequently, startup-config).
Password input can also be in encrypted or clear text form. The latter is used when an operator inputs a
new password, as the operator will usually not know the encrypted form of the password.
The admin user is by default at level 15, i.e., at the highest possible privilege level.
Example: Configuring Privilege Level Passwords
The following example configures a level 15 password using ‘enable secret’, inspects the resulting
configuration, then removes it again.
SWI2210-XXXX# configure terminal
! A secret can either be input in clear text or encrypted form; a digit indicates
! which kind follows on the command line:
SWI2210-XXXX(config)# enable secret ?
0 Specifies an UNENCRYPTED password will follow
5 Specifies an ENCRYPTED secret will follow
! In this case: Unencrypted. Then follows either the level for which a password
! is being configured, or, if no level is given, the password for level 15:
SWI2210-XXXX(config)# enable secret 0 ?
<word32> Password
level Set exec level password
! The following two commands are equivalent:
SWI2210-XXXX(config)# enable secret 0 my-secret
SWI2210-XXXX(config)# enable secret 0 level 15 my-secret
! The running configuration can be inspected to see the encrypted form:
SWI2210-XXXX(config)# do show running-config | include enable
enable secret 5 level 15 D29441BF847EA2DD5442EA9B1E40D4ED
! To remove the password, use the ‘no’ form (the first two commands are
! equivalent for level 15):
SWI2210-XXXX(config)# no enable secret
SWI2210-XXXX(config)# no enable secret level 15
SWI2210-XXXX(config)# do show running-config | include enable
SWI2210-XXXX(config)#
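An added example, not part of the original manual: a Python check that reads saved running-config text and reports, per privilege level, whether an enable password exists and whether it is stored in encrypted form. The ‘enable password’ line shape, the level-15 default when ‘level’ is absent from a line, and the required_levels parameter are assumptions; only the ‘enable secret 5 level 15 ...’ line shape comes from the example above.

```python
import re

# "enable secret 5 level 15 <hash>" is the line shape shown in the example
# above. The "enable password" shape and treating a missing "level" keyword
# as level 15 are assumptions modelled on the command syntax.
ENABLE_RE = re.compile(
    r"^enable\s+(?P<kind>secret|password)"
    r"(?:\s+(?P<enc>[05]))?"
    r"(?:\s+level\s+(?P<level>\d+))?"
    r"\s+(?P<value>\S+)$"
)


def parse_enable_lines(config_text):
    """Return {level: 'encrypted' | 'clear'} for every enable line found."""
    levels = {}
    for raw in config_text.splitlines():
        m = ENABLE_RE.match(raw.strip())
        if not m:
            continue
        level = int(m.group("level") or 15)
        if not 0 <= level <= 15:
            continue  # outside the documented 0..15 range
        encrypted = m.group("kind") == "secret" and m.group("enc") == "5"
        levels[level] = "encrypted" if encrypted else "clear"
    return levels


def audit(config_text, required_levels=(15,)):
    """List findings: clear-text storage, and required levels with no password."""
    levels = parse_enable_lines(config_text)
    findings = []
    for level in sorted(levels):
        if levels[level] == "clear":
            findings.append(f"level {level}: password stored in clear text")
    for level in required_levels:
        if level not in levels:
            findings.append(f"level {level}: no enable password configured")
    return findings


# Constructed sample input (placeholder values, not taken from a real device).
SAMPLE = """\
hostname SWI2210-XXXX
enable secret 5 level 15 <ENCRYPTED-FORM-PLACEHOLDER>
enable password level 10 <CLEAR-TEXT-PLACEHOLDER>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, required_levels=(5, 10, 15)):
        print(finding)
```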