Defining Per Port Privileges

Problem

You want to set the privilege level according to which port you use to access the router.

Solution

To configure the privilege level of a particular line, use the following configuration command:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#line aux 0
Router1(config-line)#privilege level 5
Router1(config-line)#exit
Router1(config)#privilege exec level 5 show ip route
Router1(config)#privilege exec level 1 show ip 
Router1(config)#privilege exec level 1 show 
Router1(config)#end
Router1#

 

Discussion

By default, every access line has a privilege level of 1. You can change the privilege level assigned to a particular line with the privilege level command. The following example shows what happens when we connect to the AUX port when it is configured with privilege level 5:

Press RETURN to get started.

Router1#show privilege
Current privilege level is 5
Router1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
 * - candidate default, U - per-user static route, o - ODR
 P - periodic downloaded static route

Gateway of last resort is 172.22.1.3 to network 0.0.0.0

C 172.22.1.0 is directly connected, FastEthernet1/0
O*E1 0.0.0.0/0 [110/3] via 172.22.1.3, 1w2d, FastEthernet1/0
Router1#disable
Router1>show ip route
 ^
% Invalid input detected at '^' marker.
Router1>

You will notice that no username or password is needed to log in, and the privilege level defaults to 5. This permits us to issue a show ip route command. We have raised the privilege of this command to the same level, so it works. When we use the disable command to set the privilege level back to 1 and attempt to issue the show ip route command again, it fails.

Although we have just shown how to increase the privilege level of a router port, this command is more commonly used to lower the level to 0. Lowering the privilege level provides greater security on insecure lines and provides greater flexibility in restricting commands. For instance, you can use this method to restrict the commands available to a user connected on a particular port down to just Telnet, preventing all other commands. You can accomplish this by configuring a port to privilege level 0 and lowering the privilege level of the Telnet command to the same level. This is useful when the router is acting as a terminal server.

See Also

Recipe 3.21; Recipe 3.22






Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505
Simiral book on Amazon

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net