Changing CLI Command Privileges
You can change the privilege level of most commands by using the privilege command that is available in Global Configuration mode. To use this command, you must enable your CLI session to privilege level 15.
privilege
Example 1
host1(config)#privilege exec level 12 terminal width
Example 2
host1(config)#privilege exec all level 5 terminal
Use the all keyword to change the privilege level of groups of commands. For more information, see Setting Privilege Levels for Multiple Commands. Use the reset version to restore the default privilege level for the command; issuing this command results in the show configuration command not showing the default privilege setting for the command. Use the no version to restore the default privilege level for the command; issuing this command results in the show configuration command showing the default privilege level of the command in its output.
NOTE: You must access the CLI at privilege level 15 to view or use this command.
CLI Command Exceptions
Changing command privilege levels can be a powerful security tool. However, changing the command privilege for some commands could render the CLI unusable and require you to reboot the router. To eliminate this possibility, the CLI does not allow you to remap the following commands:
CLI Keyword Mapping
You cannot change the privilege level of keywords that are separated from the command string by a parameter in the command sequence. In other words, once the privilege algorithm reaches a parameter, the privilege algorithm that maps the commands to the desired privilege level stops and allows any keyword options that may follow in the command sequence. The algorithm then waits for a carriage return before looking at the next command sequence.
For example, you can change the command privilege level for the telnet command. However, because the telnet command is immediately followed by a variable (that is, a hostname or IP address) and not a keyword, you cannot change the privilege level for any keywords that follow the command.
host1#telnet ?
  HOSTNAME or A.B.C.D  The ip address of the remote system
host1#telnet router2 ?
  <0 - 65535>  The port on which to send the request
  bgp          Border Gateway Protocol (179)
  chargen      Character generator (19)
  cmd          Remote commands (rcmd, 514)
  ...
Setting Privileges for Ambiguous Commands
The privilege command allows you to set command privilege levels for parts of commands that the CLI would normally consider ambiguous. In other words, you can set privilege levels by specifying letters that represent only the beginning part of a command or group of commands (even the first letter of a command or group of commands).
The following example sets the privilege level to 12 for any Exec mode (user or privileged) command that starts with the letter "t":
host1(config)#privilege exec level 12 t
The list of affected commands includes telnet, terminal, test, and traceroute.
The following example changes all of the above commands, with the exception of the traceroute command, to level 15:
host1(config)#privilege exec level 15 te
The following example changes all commands that start with the letters "te" (for example, telnet, terminal, and test) and any second keyword that starts with the letter "i" and follows a command that starts with the letters "te" (for example, the keyword "ip" in the command test ip) to level 1:
host1(config)#privilege exec level 1 te i
When you enter an ambiguous command and an exact match of the command is found, partial matches are ignored and are not modified.
For example, the traffic-class and traffic-class-group commands are available in Global Configuration mode. If you issue the privilege configure level 5 traffic-class command, an exact match is made to traffic-class, and traffic-class-group is not modified.
If you want to set the privilege level for both traffic-class and traffic-class-group and you do not want the exact match to be made to traffic-class, issue a partial command such as traffic-c. The privilege level of all commands that begin with traffic-c is modified.
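The keyword-mapping and ambiguous-command rules above (prefix matching, exact match wins over partial matches, and matching stops at the first parameter) can be modelled in a few lines. The following Python model is an added example and not code from the JunosE documentation or the router; the command tree it matches against is constructed for illustration, with parameter positions written in uppercase or angle brackets as the CLI help does.

```python
# Added example (not from the JunosE documentation): a small model of the
# keyword-matching rules the privilege command is described as following.
# The command tree below is constructed for illustration; parameters (not
# keywords) are written in uppercase or angle brackets, as in the CLI help.

EXEC_COMMANDS = [
    ("telnet", "HOSTNAME"),
    ("telnet", "HOSTNAME", "bgp"),
    ("terminal", "width"),
    ("terminal", "length"),
    ("test", "ip"),
    ("test", "interface"),
    ("traceroute", "HOSTNAME"),
]

CONFIG_COMMANDS = [
    ("traffic-class",),
    ("traffic-class-group",),
    ("snmp-server", "community"),
    ("snmp-server", "group"),
]


def is_parameter(token):
    """A parameter position in the tree, e.g. HOSTNAME or <0 - 65535>."""
    return token.startswith("<") or token.isupper()


def matching_keywords(candidates, partial):
    """Exact match wins outright; otherwise every keyword with that prefix."""
    if partial in candidates:
        return {partial}
    return {k for k in candidates if k.startswith(partial)}


def affected_commands(commands, statement):
    """Commands whose privilege level 'privilege <mode> level N <statement>'
    would change. statement is the keyword string given after the level."""
    matched = list(commands)
    for pos, partial in enumerate(statement.split()):
        # Only keywords at this position can be mapped; a parameter here
        # stops the algorithm, so the command drops out of the match.
        candidates = {c[pos] for c in matched
                      if len(c) > pos and not is_parameter(c[pos])}
        chosen = matching_keywords(candidates, partial)
        matched = [c for c in matched if len(c) > pos and c[pos] in chosen]
    return sorted(" ".join(c) for c in matched)


if __name__ == "__main__":
    for mode_tree, stmt in [(EXEC_COMMANDS, "t"), (EXEC_COMMANDS, "te i"),
                            (EXEC_COMMANDS, "telnet b"),
                            (CONFIG_COMMANDS, "traffic-class"),
                            (CONFIG_COMMANDS, "traffic-c")]:
        print(f"{stmt!r:18} -> {affected_commands(mode_tree, stmt)}")
```

Running the model with the page's own statements shows "t" reaching all four t commands, "te i" reaching only test ip and test interface, "telnet b" reaching nothing because the hostname parameter stops the mapping, and "traffic-class" matching only the exact command while "traffic-c" matches both.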
Setting Privilege Levels for no or default Versions
The privilege command allows you to set command privilege levels for no and default versions of commands. However, setting the privilege level for either the no or default version of a command does not set the privilege level of the affirmative version of the command. This means that you can have the no or default version of a command at a different privilege level than its affirmative version.
Setting Privilege Levels for Multiple Commands
The all keyword is a wildcard parameter that enables you to set privilege levels for multiple commands rather than setting them individually.
Setting Privilege Levels for All Commands in a Mode
You can set the privilege level for all commands within a specified mode. This setting includes all commands in modes that you can access from a specified mode.
If the command specified in the privilege command changes the configuration mode, all commands in the configuration will also be set to the specified privilege level. For more information about accessing modes, see Accessing Command Modes.
For example, issuing the configure command in Privileged Exec mode changes the configuration mode to Global Configuration. If you issue the privilege exec all level 5 configure command, all commands in Global Configuration mode become accessible to users who have CLI privileges at level 5 and higher. For more information about user privilege levels, see Privileged-Level Access.
Setting Privilege Levels for a Group of Commands
You can set the privilege level for a group of commands by using the beginning keyword in a command.
For example, if you issue the privilege configure all level 5 snmp command, all commands in Global Configuration mode that begin with snmp become accessible to users who have CLI privileges at level 5 and higher.
Using the Order of Precedence
The effectiveness of a privilege level that is set with the all keyword depends on its precedence level in the CLI. A privilege level is considered to be in effect only if a privilege level that is configured at a higher precedence level does not override it.
The CLI uses the following order of precedence:
- Privilege level set for all commands within a mode, including modes that are accessed from another mode; for example, Global Configuration mode
- Privilege level set for all commands that begin with the same keyword; for example, snmp commands
- Privilege level set for individual commands; for example, snmp-server community
NOTE: This order of precedence does not apply to privilege levels that are set without the all keyword.
In the following example, the privilege level of the snmp-server community command is set to level 11, the privilege level for all commands that begin with snmp is set to level 10, and the privilege level for all commands in Global Configuration mode is set to level 5.
host1(config)#privilege configure level 11 snmp-server community
host1(config)#privilege configure all level 10 snmp
host1(config)#privilege exec all level 5 configure
The following show configuration output displays the privilege levels set above. The privilege levels for the snmp-server community command and the snmp-server group of commands are still present in the output. However, the privilege level of Global Configuration mode takes precedence, and the privilege levels of the other commands are rendered ineffective. Users can access all snmp commands at level 5 or higher.
host1#show config category management cli command-privileges
privilege configure level 11 snmp-server community
privilege configure all level 10 snmp-server
privilege exec all level 5 configure
Superseding Privilege Levels with the all Keyword
Issuing the all keyword supersedes privilege levels that were previously set without the all keyword.
In the following example, the snmp-server community command is set to level 7, and the snmp keyword is set to level 6. The privilege level of the snmp keyword does not override the snmp-server community setting, because both of these commands are set without the all keyword.
host1(config)#privilege configure level 7 snmp-server community
host1(config)#privilege configure level 6 snmp
All snmp commands are then changed to level 5 with the all keyword.
host1(config)#privilege configure all level 5 snmp
The show configuration output displays all snmp commands at level 5, superseding the existing level 6 setting. The snmp-server community command is still present in the show configuration output, but it is ineffective.
host1#show config category management cli command-privileges
privilege configure level 7 snmp-server community
privilege configure all level 5 snmp-server
Removing the all Keyword
Using the no version or reset version removes the all keyword and restores default privilege levels.
If the privilege setting of the mode or command for which you are restoring default privilege levels takes precedence over any ineffective privilege settings, those settings will automatically take effect according to the order of precedence (see Using the Order of Precedence).
The difference between the no version and the reset version is that the reset version removes the configuration from the show configuration output. This is useful when you want to remove a configuration that has been overridden and rendered ineffective by a privilege level that takes precedence.
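The precedence rules from Using the Order of Precedence through Removing the all Keyword (mode-wide all beats keyword-group all beats individual settings, an all setting supersedes an earlier non-all setting on the same keyword, and no or reset lets a previously ineffective setting take effect again) are easy to get wrong when auditing a configuration, so here is a small resolver that applies them. It is an added Python model, not code from the JunosE documentation or the router. The mode names, the assumed default level of 15, the show-configuration line format and the rule that the longest matching all keyword group wins are assumptions of the model; the router's own output also expands a partial keyword such as snmp to snmp-server, which this model does not do.

```python
# Added example (not from the JunosE documentation): a model of the precedence
# rules for privilege levels set with and without the all keyword, and of what
# the no and reset versions leave behind. Mode names, the default level of 15,
# the show-configuration line format and "longest keyword group wins" are
# assumptions made for this model.
from dataclasses import dataclass

DEFAULT_LEVEL = 15  # assumed factory default for the commands modelled here
# Constructed: which mode a mode-changing command enters (only the one the page uses)
MODE_ENTERED_BY = {("exec", ("configure",)): "configure"}


@dataclass(frozen=True)
class Setting:
    mode: str         # mode the statement was issued for: "exec" or "configure"
    use_all: bool     # True for "privilege <mode> all level N <keywords>"
    level: int
    keywords: tuple   # e.g. ("snmp-server", "community")
    is_default: bool = False  # left behind by the no version: shown, not in effect

    def line(self):
        kind = "all level" if self.use_all else "level"
        return f"privilege {self.mode} {kind} {self.level} {' '.join(self.keywords)}"


def matches(keywords, tokens):
    """Each statement keyword must be a prefix of the command token at that position."""
    return len(keywords) <= len(tokens) and all(
        t.startswith(k) for k, t in zip(keywords, tokens))


class PrivilegeConfig:
    def __init__(self):
        self.settings = []

    def apply(self, mode, keywords, level, use_all=False):
        """privilege <mode> [all] level <level> <keywords>"""
        kw = tuple(keywords.split())
        # A statement on the same keywords replaces the earlier one; this is how
        # "all level 5 snmp" supersedes an earlier "level 6 snmp" (assumption).
        self.settings = [s for s in self.settings
                         if not (s.mode == mode and s.keywords == kw)]
        self.settings.append(Setting(mode, use_all, level, kw))

    def remove(self, mode, keywords, use_all=False, reset=False):
        """no privilege ... keeps a line showing the default level;
        reset privilege ... drops the line from show configuration."""
        kw = tuple(keywords.split())
        self.settings = [s for s in self.settings
                         if not (s.mode == mode and s.keywords == kw)]
        if not reset:
            self.settings.append(Setting(mode, use_all, DEFAULT_LEVEL, kw, True))

    def effective_level(self, mode, command):
        """Resolve a command's privilege level in order of precedence."""
        tokens = tuple(command.split())
        live = [s for s in self.settings if not s.is_default]
        # 1. all commands in a mode: an 'all' setting on the command that enters it
        for s in live:
            if s.use_all and MODE_ENTERED_BY.get((s.mode, s.keywords)) == mode:
                return s.level
        # 2. all commands beginning with a keyword (longest keyword group wins: assumption)
        groups = [s for s in live if s.use_all and s.mode == mode
                  and matches(s.keywords, tokens)]
        if groups:
            return max(groups, key=lambda s: len(s.keywords)).level
        # 3. settings made without 'all': the most specific match stays in effect
        singles = [s for s in live if not s.use_all and s.mode == mode
                   and matches(s.keywords, tokens)]
        if singles:
            return max(singles, key=lambda s: (len(s.keywords),
                                               sum(map(len, s.keywords)))).level
        return DEFAULT_LEVEL

    def show_config(self):
        return [s.line() for s in self.settings]


def precedence_walkthrough():
    """The page's snmp example: mode-wide 'all' at 5 hides levels 10 and 11,
    and removing settings with reset lets the hidden ones take effect again."""
    cfg = PrivilegeConfig()
    cfg.apply("configure", "snmp-server community", 11)
    cfg.apply("configure", "snmp", 10, use_all=True)
    cfg.apply("exec", "configure", 5, use_all=True)
    levels = [cfg.effective_level("configure", "snmp-server community")]
    cfg.remove("exec", "configure", use_all=True, reset=True)
    levels.append(cfg.effective_level("configure", "snmp-server community"))
    cfg.remove("configure", "snmp", use_all=True, reset=True)
    levels.append(cfg.effective_level("configure", "snmp-server community"))
    return levels  # [5, 10, 11]


if __name__ == "__main__":
    print(precedence_walkthrough())
```

The walkthrough reproduces the page's example: snmp-server community resolves to 5 while the mode-wide all setting exists, to 10 once that is reset, and to its own level 11 once the snmp group setting is reset as well. The same resolver reproduces the superseding example, where all level 5 snmp replaces level 6 snmp but leaves the level 7 snmp-server community line in the configuration, ineffective.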
Setting Default Line Privilege
The factory default privilege level for the console line and all vty lines is 1. However, you can use the privilege level command in Line Configuration mode to set the default login privilege for the console line or any number of vty lines.
To change the default privilege level:
- Access Line Configuration mode on the router for the console line or for a range of vty lines.
host1(config)#line console 0
host1(config-line)#
host1(config)#line vty 0 12
host1(config-line)#
The default privilege level for the specified line (or lines) changes. The new values take effect immediately for any new users. If using the console line, you must exit out of the CLI and reestablish a connection before the default takes effect.
NOTE: If validating through RADIUS or TACACS+, and the server specifies an enable level, that enable level takes precedence over the line privilege level.
privilege level
host1(config-line)#privilege level 5
Use the no or default version to restore the default privilege level for the command.
NOTE: You must access the CLI at privilege level 15 to view or use this command.
Viewing CLI Privilege Information
You can view CLI privilege information for yourself (the current user), all connected users on the router, or for any modified CLI commands.
Viewing the Current User Privilege Level
Use the show privilege command to view your current privilege level.
show privilege
host1#show privilege
Privilege level is 10
There is no no version.
Viewing Privilege Levels for All Connected Users
Use the show users detail command to view the privilege levels for all users currently connected to the router. See Monitoring the FTP Server for information about the show users detail command.
Viewing Privilege Levels for Changed CLI Commands
Use the show configuration command to view the changed privilege levels for any modified CLI commands. See Saving the Current Configuration for information about the show configuration command.