Privileged EXEC Access

Up to this point in the chapter, I have focused on user EXEC levels of access and remote access. The remainder of this chapter focuses on privileged EXEC access and how to secure it using static passwords, user accounts, and modification of privilege levels.

The second level of EXEC access on a router is privileged EXEC. By default, this level of access gives you complete access to all of the router's functions, including configuration, troubleshooting, and management.

Passwords

You can use two commands to statically assign passwords to privileged EXEC mode:

Router(config)# enable password password

Router(config)# enable secret password


The enable password command does not encrypt the password, whereas the enable secret command does. This affects what you can see when executing a command such as show running-config. The enable secret command uses the MD5 hashing function to encrypt the password, which is a very secure method of protection.

Privilege Levels

Cisco has 16 different levels of access to the Cisco IOS: 0 through 15. By default, only two of these are used: 1 is for user EXEC access, and 15 is for privileged EXEC access. One problem with this approach is that if you want to give an administrator access to privileged EXEC mode to use debug commands for troubleshooting problems, you also give him configuration rights, by default. Unfortunately, with this two-level hierarchy, if a user has access to the privileged EXEC password, he has full access to the router.

One nice feature of the Cisco IOS, however, is that you can change the access level assigned to commands from both user and privileged EXEC modes. In the example of an administrator needing only access to user EXEC and debug functions, you could assign a privilege level of 7 to debug commands and then set up either a privileged EXEC password or an account for your administrator that is assigned a level of 7. Therefore, when the administrator logs into the router with his account or password, he can execute commands only at level 7 or lower; in this case, debug commands and all user EXEC commands.

The next section covers assigning privilege levels to commands. The following two sections cover how to set up authentication for these levels of access.

Restricting Levels

To assign privilege levels to commands, the privilege command is used. Here is its general syntax:

Router(config)# privilege mode [all] {level level | reset} command_string


The mode parameter specifies the mode from which the command is executed. Table 3-2 lists some of the more important modes that you can specify. New in Cisco IOS 12.0(22)S and 12.2(13)T, you can specify the all keyword. This keyword functions as a wildcard and includes all commands and parameters beginning with those described by the command_string parameter at the end of the command. Before this feature, you had to list each command separately, which could be a time-consuming process (especially for show and debug commands).

Table 3-2. Privilege Modes

Command            Description
configure          Global configuration mode
controller         Controller subconfiguration mode
crypto-map         Crypto map subconfiguration mode, used for VPN configurations
crypto-transform   Crypto map transform set subconfiguration mode, used for VPN configurations
exec               EXEC mode
interface          Interface subconfiguration mode
interface-dlci     Frame Relay Interface DLCI subconfiguration mode
ipenacl            IP named extended ACL subconfiguration mode
ipsnacl            IP named standard ACL subconfiguration mode
line               Line subconfiguration mode
map-class          Map class subconfiguration mode
map-list           Map list subconfiguration mode
preauth            AAA preauthorization definitions
route-map          Route map subconfiguration mode
router             Router subconfiguration mode
sg-radius          RADIUS server group
sg-tacacs+         TACACS+ server group
subscriber-policy  Subscriber policy subconfiguration mode
tcl                TCL subconfiguration mode
template           Template subconfiguration mode
translation-rule   Translation rule subconfiguration mode
vpdn-group         VPDN remote access subconfiguration mode


The level keyword specifies the level of access that you assign to the command(s). This can be from 0 to 15, where 1 is user EXEC and 15 is privileged EXEC, by default. Instead of specifying the level keyword, you can use reset; this keyword resets the privilege level of the command(s) to the default privilege level and removes the privilege command from the router's configuration. Prefacing the privilege command with the no parameter resets the privilege level of the command(s) but does not remove it from the router's configuration.

NOTE

Five commands are actually at level 0 instead of 1 or 15: disable, enable, exit, help, and logout.


In the last part of the command you enter your command or partial command. When entering a partial command, make sure that you use the all keyword to match on all commands that begin with this string.

CAUTION

Whenever you set the privilege level for a command that has multiple words, such as show ip access-list, all commands beginning with the first parameter also have their privilege level changed. This makes sense because, for this example, to execute the show ip access-list command, you first must be able to execute show ip; likewise, to execute show ip, you must be able to execute show. For example, if I set the level to 7 for show ip access-list, all show and show ip commands also would have their levels set to 7.

Therefore, a privilege-level restriction rarely applies to one command in isolation: it can single out a specific command only when that command has no parameters of its own, and it is more typically used to restrict a group of commands, or all commands, for a particular method of access, such as EXEC or configuration mode.


Using the privilege command can be tricky, so take a look at a simple example to illustrate its usage. In this example, you want an administrator to be able to execute show and debug commands, and disable and enable an interface, but only these privileged EXEC commands. Example 3-15 shows the configuration to accomplish this.

Example 3-15. Command Restriction Example

Router(config)# privilege exec level 7 show
Router(config)# privilege exec level 7 debug
Router(config)# privilege exec level 7 configure
Router(config)# privilege configure level 7 interface
Router(config)# privilege interface level 7 shutdown


The first two commands are straightforward. To execute any show or debug command from EXEC mode, you must be logged into the router at level 7 or higher.

CAUTION

In Example 3-15, all show commands are assigned to privileged EXEC level 7. This means that if a user has access only to user EXEC mode, he will not be able to execute any show commands.


Restricting the administrator to only enabling and disabling interfaces is more difficult. To do this, the user must execute the [no] shutdown command within an interface from configuration mode. First, the administrator must be able to access configuration mode; this is the EXEC level 7 access for the configure command (third line). Next, the user needs access to interfaces on the router from configuration mode (fourth line). Finally, the user is restricted to just the shutdown command within the interfaces (last line).
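As an added illustration (not code from the book or from Cisco), the following Python model replays Example 3-15 and the prefix rule from the CAUTION above, so that you can check what a given level can run before touching a real router. It encodes the rules stated in the text: assigning a level to a multi-word command also assigns that level to every shorter prefix, the all keyword applies the level to every command beginning with the string, reset removes the assignment, and a user can execute a command only at or above the highest level among its prefixes. The default levels it carries (DEFAULT_LEVELS and MODE_DEFAULT) are a constructed subset for the demonstration, not the full Cisco IOS table.

```python
# Model of Cisco IOS privilege-level assignment for the `privilege` command.
# Added illustration, not Cisco code. Rules encoded from the text: assigning a
# level to a multi-word command also assigns it to every shorter prefix; `all`
# covers every command beginning with the string; a user can run a command only
# at or above the highest level among its prefixes.

# Constructed subset of default levels (1 = user EXEC, 15 = privileged EXEC,
# 0 = the five level-0 commands the NOTE lists); not the full IOS table.
DEFAULT_LEVELS = {
    ("exec", "show"): 1,
    ("exec", "show running-config"): 15,
    ("exec", "debug"): 15,
    ("exec", "configure"): 15,
    ("exec", "disable"): 0,
    ("exec", "enable"): 0,
    ("exec", "exit"): 0,
    ("exec", "help"): 0,
    ("exec", "logout"): 0,
}
# Assumed fallback for a first word with no entry: unlisted EXEC commands are
# user EXEC, unlisted configuration-mode commands are privileged EXEC.
MODE_DEFAULT = {"exec": 1, "configure": 15, "interface": 15}


def _prefixes(command):
    """'show ip access-list' -> ['show', 'show ip', 'show ip access-list']."""
    words = command.split()
    return [" ".join(words[:i]) for i in range(1, len(words) + 1)]


class PrivilegeTable:
    def __init__(self):
        self.explicit = {}   # (mode, command) -> level from `privilege ... level`
        self.wildcards = {}  # (mode, command_string) -> level from the `all` keyword

    def apply(self, line):
        """Apply one `privilege mode [all] {level N | reset} command_string` line."""
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "privilege":
            raise ValueError("not a privilege command: %r" % line)
        mode, idx = tokens[1], 2
        use_all = tokens[idx] == "all"
        if use_all:
            idx += 1
        if tokens[idx] == "level":
            level = int(tokens[idx + 1])
            command = " ".join(tokens[idx + 2:])
            # Prefix rule from the CAUTION: every shorter prefix gets the level too.
            for prefix in _prefixes(command):
                self.explicit[(mode, prefix)] = level
            if use_all:
                self.wildcards[(mode, command)] = level
        elif tokens[idx] == "reset":
            command = " ".join(tokens[idx + 1:])
            for prefix in _prefixes(command):
                self.explicit.pop((mode, prefix), None)
            self.wildcards.pop((mode, command), None)
        else:
            raise ValueError("expected 'level' or 'reset' in %r" % line)

    def _wildcard_level(self, mode, prefix):
        """Level of the longest `all` entry that `prefix` begins with, if any."""
        best = None
        for (m, w), level in self.wildcards.items():
            if m == mode and (prefix == w or prefix.startswith(w + " ")):
                if best is None or len(w) > len(best[0]):
                    best = (w, level)
        return None if best is None else best[1]

    def required_level(self, mode, command):
        """Lowest privilege level that can execute `command` in `mode`."""
        required = 0
        for i, prefix in enumerate(_prefixes(command)):
            level = self.explicit.get((mode, prefix))
            if level is None:
                level = self._wildcard_level(mode, prefix)
            if level is None:
                level = DEFAULT_LEVELS.get((mode, prefix))
            if level is None and i == 0:
                level = MODE_DEFAULT.get(mode, 15)
            if level is not None:
                required = max(required, level)
        return required

    def can_execute(self, user_level, mode, command):
        return user_level >= self.required_level(mode, command)


# The five lines of Example 3-15, replayed through the model.
EXAMPLE_3_15 = [
    "privilege exec level 7 show",
    "privilege exec level 7 debug",
    "privilege exec level 7 configure",
    "privilege configure level 7 interface",
    "privilege interface level 7 shutdown",
]


def example_3_15_table():
    table = PrivilegeTable()
    for line in EXAMPLE_3_15:
        table.apply(line)
    return table
```

With the Example 3-15 table loaded, required_level("exec", "show ip route") comes back as 7 while show running-config stays at 15, because show was moved to level 7 without the all keyword and the deeper command keeps its own default; a level-1 user can no longer run any show command, which is exactly the CAUTION after Example 3-15. Assigning show ip access-list to level 7 on a fresh table pulls show and show ip up to 7 as well, reproducing the prefix behaviour described earlier.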

TIP

As you can see from the previous example, setting up restrictions is not necessarily an easy process. Therefore, I highly recommend that you not configure these on a production router without first doing them on a test router, to make sure that you are not creating any inadvertent security problems. Plus, you definitely do not want to lock yourself out of the router because of a misconfiguration. To recover from this problem, you would have to perform the password-recovery procedure, and this requires a reboot of the router.


NOTE

The configuration discussed here has the router itself performing command authorization. One problem with this approach is scalability: If you have 100 routers on which you need to implement and maintain command execution restrictions, you have your work cut out for you. Chapter 5 discusses how to centralize AAA functions, such as command authorization, on an AAA security server such as Cisco Secure ACS.


Password Levels

Now that you have set up your privilege levels for access restrictions, you need to set up your authentication so that administrators can access these privilege levels. This can be done with one of two methods: privileged EXEC passwords assigned to a specific level or a local authentication database. This section covers the former, and the next section covers the latter.

Of the two authentication methods for privilege levels, using the enable command is the easiest to implement. Use the following command to associate a privileged EXEC password with a specific level:

Router(config)# enable secret level level_# password


All you need to do is specify the level number for access and then specify the password.

NOTE

You also can use the enable password command to do this. However, in Cisco IOS 12.3, when this command is executed, the router displays a warning message:

% Converting to a secret.  Please use "enable secret" in the future.


The Cisco IOS then converts the enable password command to the enable secret command. This makes sense because the enable secret command uses an MD5 hash function to encrypt the password, which is very secure.

Also, using the enable password command stores the password on the router in clear text, which is susceptible to eavesdropping attacks. Therefore, do not use the enable password command; instead, use enable secret.


After you have set up your passwords, to test them, log out of the router and then log back in. From user EXEC mode, use this command:

Router> enable level_#


When you specify the level number with the enable command, the router uses the appropriate password configured with the enable secret level command. If you omit the level number, the Cisco IOS assumes level 15 access.

To view your privilege level after you have authenticated, use the show privilege command:

Router# show privilege
Current privilege level is 7


To exit to a specific level, use this command:

Router# disable level_#


Given the previous privilege command configuration, to set up level 7 authentication, use the following command:

Router(config)# enable secret level 7 hidden88secret


To test this access, use the process in Example 3-16 when logging in.

Example 3-16. Logging into a Specific Privileged EXEC Level

Router> enable 7
Password: hidden88secret
Router# show privilege
Current privilege level is 7
Router#


Local Authentication Database

The main problem of using the enable secret command to assign passwords to levels is that if multiple administrators need access to the same level, they all must use the same password, which is a security risk. A better approach is to create a local authentication database in which each user is assigned a different account name and password. Therefore, if an administrator leaves the company, you do not have to notify all the other administrators of the password change to the access level. Instead, you would just delete the old administrator's account.

TIP

The local authentication database is used best when you need to maintain only a small number of Cisco IOS routers. If you have dozens or hundreds of routers, it is not practical to replicate account changes on each router. Instead, you will want to use AAA and an external security server to centralize your authentication and authorization functions, as discussed in Chapter 5.


To create a local authentication database, the username command is used:

Router(config)# username user's_name [privilege #] {secret | password} password


The account name must be unique. If you omit the privilege level, it defaults to 1. Two options exist for specifying how the router treats the password. The secret parameter encrypts the password using MD5 (the same as the enable secret command). This option was introduced in Cisco IOS 12.0(18)S and was integrated fully into the Cisco IOS in versions 12.1(8a)E and 12.2(8)T. The password parameter does not encrypt the password.

Here is a simple example of creating a user with level 7 access that is encrypted with MD5:

Router(config)# username richard privilege 7 secret keepOUT


After you have built your authentication database, use the login local command on your lines, forcing them to use the local authentication database instead of the password command on the line. Example 3-17 shows a sample of setting up your lines to use the local authentication database.

Example 3-17. Setting up Your Lines to Use the Local Authentication Database

Router(config)# line con 0
Router(config-line)# login local
Router(config-line)# exit
Router(config)# line aux 0
Router(config-line)# login local
Router(config-line)# exit
Router(config)# line vty 0 4
Router(config-line)# login local


Based on the privilege level, the user immediately is placed in that level upon successfully logging in. You then can use the show privilege command to verify the privilege level.

After you have set up the connection, log into the router using the account name. Check the privilege level with the show privilege command, and then test the commands allowed by this account to ensure that you have set up your privilege commands correctly.

CAUTION

If you configure the login local command on your lines and do not have any accounts defined with the username command, you have just locked yourself out of the router. I recommend setting up the login local command on the VTYs first; then test this and apply the command to the console line to prevent inadvertent lockouts.
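The two warnings in this part of the chapter, the NOTE under Password Levels that says to use enable secret rather than enable password (and secret rather than password on username lines), and the CAUTION just above about login local with no accounts defined, are both things you can check in a saved running-config before it reaches a router. The following Python audit is an added example, not code from the book or from Cisco; the configuration excerpt embedded in it is constructed for the demonstration and is not from a real device, and the finding names are the author's own labels.

```python
# Static audit of a Cisco IOS running-config for the password pitfalls this
# section describes. Added example, not the book's or Cisco's code.
import re

# Constructed sample running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
enable password cisco123
enable secret level 7 hidden88secret
username richard privilege 7 secret keepOUT
username helpdesk privilege 1 password letmein
line con 0
 login local
line vty 0 4
 login local
"""


def parse_config(text):
    """Split an IOS config into (top-level line, [indented child lines]) sections."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_config(text):
    """Return (finding, offending line) pairs for the pitfalls the text warns about."""
    findings = []
    sections = parse_config(text)
    top = [head for head, _ in sections]
    usernames = [line for line in top if line.startswith("username ")]
    secret_levels = set()
    for line in top:
        # `enable password` keeps the password in clear text in the configuration.
        if re.match(r"enable password\b", line):
            findings.append(("cleartext-enable-password", line))
        # `username ... password` does not protect the password with MD5.
        if re.match(r"username\s+\S+(\s+privilege\s+\d+)?\s+password\b", line):
            findings.append(("cleartext-username-password", line))
        # `enable secret` without a level keyword applies to level 15.
        m = re.match(r"enable secret(?:\s+level\s+(\d+))?\b", line)
        if m:
            secret_levels.add(int(m.group(1)) if m.group(1) else 15)
    if 15 not in secret_levels:
        findings.append(("no-level-15-enable-secret", "enable secret"))
    # `login local` on a line with no username accounts locks you out (CAUTION).
    for head, children in sections:
        if head.startswith("line ") and "login local" in children and not usernames:
            findings.append(("login-local-without-accounts", head))
    return findings


if __name__ == "__main__":
    for kind, line in audit_config(SAMPLE_CONFIG):
        print("%-30s %s" % (kind, line))
```

On the constructed excerpt the audit reports the cleartext enable password, the helpdesk account created with password instead of secret, and the absence of a level-15 enable secret; the login local lines pass because username accounts exist. Feed it a config containing only a line with login local and no username lines and the lockout finding appears instead, which is the case the CAUTION tells you to avoid by testing on the VTYs before the console.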