Privilege Level Security

Cisco IOS devices utilize 16 privilege levels for security and Role-Based Access Control, ranging from level 0 (least privileged) to level 15 (most privileged). Default levels include level 0 for limited commands, level 1 for read-only access, and level 15 for full control. Users can be assigned specific privilege levels to customize access, enhancing network security by restricting unnecessary commands.

Uploaded by

kaqureshi8
Privilege Level Security

Cisco IOS devices use privilege levels for more granular security and Role-Based Access Control
(RBAC) in addition to usernames and passwords. There are 16 privilege levels (0-15) of admin access on
a Cisco router or switch that you can configure to provide customized access control, with 0 being the
least privileged and 15 being the most privileged.

Cisco IOS uses these three privilege levels by default:

- Level 0 – Zero-level access allows only five commands: logout, enable, disable, help and exit.
- Level 1 – User-level access places you in User Exec mode, which provides very limited
  read-only access to the router.
- Level 15 – Privilege-level access places you in Privileged Exec mode and provides
  complete control over the router.

Cisco Privilege Level Configuration

To assign a specific privilege level, we include the privilege number when defining the username and
password of the user.

Router(config)#username admin1 privilege 0 secret Study-CCNA1

Router(config)#username admin2 privilege 15 secret Study-CCNA2

Router(config)#username admin3 secret Study-CCNA3

In this example, we assign user admin1 a privilege level of 0. Then, we assign user admin2 privilege
level 15, which is the highest level. For admin3, we did not specify a privilege level, so it gets
privilege level 1 by default. Let’s verify our configuration by logging in as each
user. Enter the username and the corresponding password, starting with admin1.

User Access Verification

Username: admin1

Password:

Router>?

Exec commands:

disable Turn off privileged commands


enable Turn on privileged commands

exit Exit from the EXEC

help Description of the interactive help system

logout Exit from the EXEC

Router>

Notice in the output above that the user admin1 is in User Exec mode and has only five commands:
logout, enable, disable, help, and exit. Now, let’s log in as admin2.

User Access Verification

Username: admin2

Password:

Router# show privilege

current privilege level is 15

Router#

The output above shows that user admin2 is currently at level 15, which we verified by typing the
‘show privilege’ command on the CLI. Notice also that we are in Privileged Exec mode. Lastly, let’s log
in as admin3.

User Access Verification

Username: admin3

Password:

Router>show privilege

current privilege level is 1


Router>

When we logged in as admin3, we verified that it was at level 1 by typing the ‘show privilege’ command
on the CLI. Notice that we are in User Exec mode.

Privilege Levels 2-14

You can increase the security of your network by configuring additional privilege levels from 2 to 14 and
associating them with usernames to provide customized access control. This is suitable when you are
designing role-based access control for different users and allowing them to execute only certain
commands. It restricts them from unnecessary commands and adds a layer of security
on the device. Let’s now assign privilege level 5 to a user. After that, we will configure privilege level 5
users to be in User Exec mode and allow them to use the ‘show running-config’ command.

Router(config)#username admin4 privilege 5 secret Study-CCNA4

Router(config)#privilege exec level 5 show running-config

All level 5 users will now automatically enter User Exec mode and can use User Exec
commands such as ‘show running-config’ on the CLI. Let’s log in as user admin4 to verify that.

User Access Verification

Username: admin4

Password:

Router#show running-config

Building configuration...

Current configuration : 57 bytes

boot-start-marker

boot-end-marker

!
!

end

Router#

Enable Secret Command Privilege

We can also assign privilege levels to enable passwords. Here, we will use the ‘enable
secret’ command to grant access to the Privileged Exec level. Use the ‘enable secret level {level}
{password}’ syntax as shown below. The command sets the enable secret password for privilege level 5.

Router(config)#enable secret level 5 Study-CCNA5

We can verify our configuration as shown below:

User Access Verification

Username: admin5

Password:

Router>show running-config

% Invalid input detected at ‘^’ marker.

Router>enable 5

Password:

R4#show privilege

Current privilege level is 5

Router#show running-config
Building configuration...

Current configuration : 57 bytes

boot-start-marker

boot-end-marker

end

Router#

In our first attempt in the example above, notice that we do not have access to the ‘show running-config’
command. That is because we are currently under privilege level 0. However, we can switch to
privilege level 5 with the ‘enable {privilege level}’ command, and from there, we can
access the ‘show running-config’ command.
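
The following is an added example, not part of the original document: a small Python audit that reads the username, privilege and enable secret lines used above and groups them by privilege level, so the resulting role layout can be reviewed in one place. The sample configuration is constructed from the commands on this page; the function names and the review notes are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the commands from this page as typed at the CLI.
# (A saved running-config stores secrets as hashes, not as cleartext.)
SAMPLE_CONFIG = """\
username admin1 privilege 0 secret Study-CCNA1
username admin2 privilege 15 secret Study-CCNA2
username admin3 secret Study-CCNA3
username admin4 privilege 5 secret Study-CCNA4
privilege exec level 5 show running-config
enable secret level 5 Study-CCNA5
"""

USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?")
PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")
ENABLE_RE = re.compile(r"^enable secret level (\d+)")

def audit_privileges(config_text):
    """Group users, reassigned commands and enable secrets by privilege level."""
    levels = defaultdict(lambda: {"users": [], "commands": [], "enable_secret": False})
    for line in config_text.splitlines():
        line = line.strip()
        if m := USER_RE.match(line):
            # No "privilege N" keyword means the default level, 1.
            levels[int(m.group(2) or 1)]["users"].append(m.group(1))
        elif m := PRIV_RE.match(line):
            levels[int(m.group(2))]["commands"].append((m.group(1), m.group(3)))
        elif m := ENABLE_RE.match(line):
            levels[int(m.group(1))]["enable_secret"] = True
    return dict(levels)

def findings(levels):
    """Review notes for an access audit (heuristics assumed by this example)."""
    notes = []
    for lvl, info in sorted(levels.items()):
        if lvl == 15 and info["users"]:
            notes.append(f"level 15 (full control): {', '.join(info['users'])}")
        if 2 <= lvl <= 14 and info["users"] and not info["commands"]:
            notes.append(f"level {lvl}: users defined but no commands moved to it")
        if info["enable_secret"]:
            # A per-level enable secret is shared: lower-level logins can use it.
            lower = sorted(u for l, i in levels.items() if l < lvl for u in i["users"])
            notes.append(f"level {lvl}: shared enable secret, usable by {', '.join(lower) or 'any login'}")
    return notes

if __name__ == "__main__":
    for note in findings(audit_privileges(SAMPLE_CONFIG)):
        print(note)
```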
