Configuring privilege levels on Cisco switch

From Notes_Wiki

Home > Switch configuration notes > Configuring privilege levels on Cisco switch

We can configure different command access based on the privilege level of the user who logs in. The commands available in a session therefore depend entirely on the username / password supplied to the switch at login, because each local username carries a privilege level and each command is tied to a level.


Creating users

First we have to create a user with some privilege level between 0 and 15 (both inclusive). Level 1 is the default user EXEC level, level 15 always has full (privileged EXEC) control, and levels 2 to 14 have no commands assigned by default, so they are the ones to use for custom limited-access accounts. This page uses level 3. To create a user with privilege level 3 use the following syntax in 'configure terminal' mode:

username <username> privilege 3 password 0 <plain text password>

Note that 'password 0' stores the password in the configuration as clear text (or in the reversible type 7 form if 'service password-encryption' is enabled). On any IOS release that supports it, prefer the 'secret' keyword in place of 'password 0', so that only a hash of the password is kept in the running configuration.

Defining which commands are allowed

Then in 'configure terminal' mode we can specify which exec mode commands should be available to users with privilege level 3 using the syntax 'privilege exec level 3 <command>'. Keep in mind that this sets the level of the command rather than adding a copy of it: the command becomes available at level 3 and every higher level, and disappears from the levels below. Since ping and traceroute are level 1 commands by default, the example below makes them unavailable to level 1 and level 2 users.

For example:

privilege exec level 3 traceroute
privilege exec level 3 ping

If you want to allow the user with privilege level 3 to change the hostname, the user must first be able to enter configuration mode, and then the 'hostname' command itself must be assigned to level 3. Enter the following lines in 'configure terminal' mode; all other configuration commands stay at level 15:

privilege exec level 3 configure terminal
privilege configure level 3 hostname

Enabling local login

In order to allow users to log in using this method you must configure local login on the vty lines. That is, configure:

line vty 0 15
login local

Enabling 'aaa new-model' instead does not give the desired result on its own. With 'aaa new-model' and local authentication, users can log in with the configured username and password, but they are placed in user EXEC at level 1 and have to type 'enable' followed by the enable password before they can run their assigned commands; the privilege level set on the username command is only applied at login if AAA exec authorization is configured as well ('aaa authorization exec default local'). Since there is no per-user enable password, the simplest approach is 'login local' on the vty lines, after which users land directly at the privilege level assigned to their username and there is no need to type 'enable' separately. Verify the result after logging in with 'show privilege', which reports the level of the current session.
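The whole procedure above, combined into one configuration as an added example (this is not configuration taken from the original page). The account name netops, the hostname and both secrets are assumptions chosen for illustration; the password is stored with 'secret' rather than the page's 'password 0' so that only a hash appears in the running configuration, and the vty lines are restricted to SSH so the credentials are not sent in clear text.

```cisco
! Added example, not from the original page. Names and secrets are assumptions.
hostname sw-core
!
! Administrators still need a level-15 secret; it is never given to netops.
enable secret Str0ng-Enable-Secret
!
! Limited account at level 3. "secret" keeps a hash, unlike "password 0".
username netops privilege 3 secret Str0ng-Netops-Secret
!
! Commands moved to level 3. ping and traceroute are level-1 commands by
! default, so this also removes them from level-1 and level-2 sessions.
privilege exec level 3 ping
privilege exec level 3 traceroute
!
! Allow level 3 into configuration mode, but expose only "hostname" there.
! Every other configuration command stays at level 15.
privilege exec level 3 configure terminal
privilege configure level 3 hostname
!
! Local login: the session starts at the level set on the username command,
! so no "enable" is required. "aaa new-model" is deliberately NOT enabled.
line vty 0 15
 login local
 transport input ssh
!
end
```

To check it, log in over SSH as netops and run 'show privilege'; it should answer "Current privilege level is 3". 'ping', 'traceroute' and 'configure terminal' followed by 'hostname' are accepted, while 'show running-config' and any other configuration command are rejected as unrecognised input, because they remain at level 15.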

