Configure Multiple Privilege Access Levels on Cisco IOS

Cisco IOS permits to configure multiple privilege access levels for different accounts. This is very useful when many people work on the same router or switch, but with different access levels and there is no time to implement an authentication server.

Cisco IOS supports 16 different privilege levels from 0 through 15. Level 0 is user mode. Level 15 is the privileged mode. Level 1 through 14 is available for customization and use. By default, any user who can furnish the user-level password or user name/password combination can gain User exec mode access to the device, which is privilege level 1. From there, if the user knows the enable secret password, they can access the Privilege exec mode, or privilege level 15. The three predefined privilege levels on Cisco devices include the following:

  • Level 1 is User exec mode only (prompt is router>), the default level for login
  • Level 15 is Privileged exec mode (prompt is router#), the Enable mode
  • Level 0 Seldom used, but includes five commands: disable, enable, exit, help, and logout and these commands can be executed at any level.

Check Current Privilege Access Level on Cisco Router

To check current privilege level, type the show privilege command. It would look like this in Privilege mode:

Cisco_Router#show privilege
Current privilege level is 15

Configure Multiple Privilege Access Levels on Cisco Router

Privilege levels 2 through 14 can be defined by the admin to provide limited features to some users by assigning specific commands to the level using the privilege command.

The syntax is

Cisco_Router(config)#privilege <mode> level <level> <command>
Cisco_Router(config)#enable secret level <level> <password>

The privilege command is used to add authorized IOS commands to each customized levels. The enable secret command defines the secret password needed to access this particular privilege level. The options for these commands are:

  • mode: Indicates the configuration level being assigned. This includes all router configuration modes, including exec, configure, and interface.
  • level: it defines the privilege level  between 1 and 14
  • command: it is a specific IOS command in the specified mode that is included in this privilege level
  • password: it is the password associated to the level

An example of privilege level configuration:

Cisco_Router(config)#privilege interface level 2 ip address
Cisco_Router(config)#privilege configure level 2 interface
Cisco_Router(config)#privilege exec level 2 configure terminal
Cisco_Router(config)#privilege exec level 2 show interfaces
Cisco_Router(config)#privilege exec level 2 show running-config
Cisco_Router(config)#enable secret level 2 C!sc0Con$0le

The following lines show how the new privilege level would be accessed and a confirmation of the new level:

Cisco_Router>enable 2
Cisco_Router#show privilege
Current privilege level is 2

This Privilege Level permits the below configuration:
Access configuration mode
Access the interfaces
Configure IP addresses only on the interfaces

Cisco_Router(config)#interface fastEthernet 0/0
Interface configuration commands:
default  Set a command to its defaults
exit  Exit from interface configuration mode
help  Description of the interactive help system
ip  Interface Internet Protocol config commands
no  Negate a command or set its defaults
Cisco_Router(config-if)#ip ?
Interface IP configuration subcommands:
address  Set the IP address of an interface

Display the interfaces

Display the running configuration. Even though the level 2 user can execute the show running-config command, only the configure commands that are permitted are actually displayed. In this example the user would see only IP address information from interfaces in the running configuration.

Cisco_Router#sh running-config
Building configuration...
Current configuration : 141 bytes
interface FastEthernet0/0
no ip address
interface FastEthernet0/1
no ip address

In below example shows assigning Privilege level 2 to any user that enters the router via telnet, Console and Auxiliary ports.

Cisco_Router(config)# line vty 0 4
Cisco_Router(config-line)# privilege level 2
Cisco_Router(config-line)# line aux 0
Cisco_Router(config-line)# privilege level 2
Cisco_Router(config-line)# line console 0
Cisco_Router(config-line)# privilege level 2

Note that the privilege feature only limits user access if the user only knows the enable secret password for the defined level. If the user knows any other level password, then they can go there as well. Any attempt to run a command other than those specifically defined for this privilege level returns the same error message as any attempt to run a command from the wrong mode.


Filed Under: Cisco General


About the Author:

RSSComments (2)

Leave a Reply | Trackback URL

  1. Marina says:

    You have really interesting blog, keep up posting such informative posts on Cisco !

  2. indinteme says:

    Hello! Just want to say thank you for this interesting article! =) Peace, Joy.

Leave a Reply

If you want a picture to show with your comment, go get a Gravatar.