The Network Monitor

Multi-Level Password Support


During Networkers '95, we discovered that some customers want the capability to allow network operations staff to shut down or enable an interface, or perform a similar router function. Their concern, however, is in allowing the same staff full modification privileges to the router configuration. This is solved through the use of the multi-level password support that CCCI developed for the Cisco IOS.

With multi-level password functionality, you can provide the network operations staff with a password which allows them to enter configuration mode, and issue only those commands which you have specifically enabled at that level. This is a very powerful feature. Responsibility for specific router configuration functions can be delegated to only those staff members whose duties relate to those functions.

The best way to understand this multi-level password feature is by example. Presume that you wish to allow a network operator to be able to perform the "clear interface", "shutdown", and "no shutdown" commands. You must assign commands to a command level while in configuration mode. First, select the enable level (level 5 in this case) and assign a password to it.

          enable password level 5 foobar

Commands are added to this level with statements of the following form, where the first argument is the command mode and the last is the command being granted:

          privilege <mode> level <level> <command>

We find out the possible values that the mode argument can accept by using the interactive help feature:

          paris(config)#privilege ?
            configure       Global configuration mode
            exec            Exec mode
            interface       Interface configuration mode
            line            Line configuration mode
            map-class       Map class configuration mode
            map-list        Map list configuration mode
            null-interface  Null interface configuration mode
            route-map       Route map config mode
            router          Router configuration mode

The "clear interface" and "configure terminal" commands are EXEC level commands, so you must make them available at this privilege level:

          paris(config)#privilege exec level 5 clear interface
          paris(config)#privilege exec level 5 configure terminal

The "shutdown" and "no shutdown" statements are only available in configuration mode, so you now need to extend the configuration to allow these same staff members to enter configuration mode, issue interface specification commands, issue shutdown commands, save the modified configuration, and exit configuration mode. No other configuration commands will be available to the operations staff.

          paris(config)#privilege configure level 5 shutdown
          paris(config)#privilege configure level 5 no shutdown
          paris(config)#privilege configure level 5 exit

Because they have not been specifically added to level 5, the "write memory", "write terminal", and other privileged exec or configure commands are not available to users enabled to level 5. Note that each keyword must be specifically added to the command level. This allows individual command subsets to be added to a privilege level without enabling unintended commands.

This same functionality can be applied to other levels, each requiring its own password to enable access. There are a total of fifteen password levels, 1 through 15. A user who telnets into a router or access server is set automatically to level 1. You can use this feature to restrict the set of commands available to these users as well.
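Once several levels are in use, the question for whoever reviews the router becomes: which commands has each level actually been granted, and does every level that grants something also have a password? The following script is an added example, not part of the original article or of Cisco IOS: it parses the "privilege ... level ..." and "enable password/secret [level N]" lines out of a saved configuration and reports the things an auditor would want to see. The configuration text it runs against is constructed for the example (the level-5 lines mirror the delegation described above; the level-1 and level-7 lines are added so the audit has something to flag), the password values are placeholders, and the "enable secret level N" form is assumed to be available alongside "enable password level N".

```python
import re
from collections import defaultdict

# Constructed sample of a saved configuration (not taken from the article).
# Level 5 mirrors the delegation described in the text. The level-1 line and
# the level-7 line are added deliberately so that the audit reports something.
SAMPLE_CONFIG = """\
!
enable secret ENABLE-PLACEHOLDER
enable secret level 5 LEVEL5-PLACEHOLDER
privilege exec level 5 clear interface
privilege exec level 5 configure terminal
privilege configure level 5 shutdown
privilege configure level 5 no shutdown
privilege configure level 5 exit
privilege exec level 1 show running-config
privilege exec level 7 show ip route
!
"""

# privilege <mode> level <level> <command>
PRIV_RE = re.compile(r"^\s*privilege\s+(\S+)\s+level\s+(\d+)\s+(.+?)\s*$")
# enable password|secret [level <level>] <value>   (no level given means level 15)
PW_RE = re.compile(r"^\s*enable\s+(?:password|secret)(?:\s+level\s+(\d+))?\s+\S")


def parse_privileges(config):
    """Map privilege level -> list of (mode, command) granted by 'privilege' lines."""
    grants = defaultdict(list)
    for line in config.splitlines():
        m = PRIV_RE.match(line)
        if m:
            mode, level, command = m.group(1), int(m.group(2)), m.group(3)
            grants[level].append((mode, command))
    return dict(grants)


def parse_password_levels(config):
    """Set of levels that have an enable password or secret defined."""
    levels = set()
    for line in config.splitlines():
        m = PW_RE.match(line)
        if m:
            levels.add(int(m.group(1)) if m.group(1) else 15)
    return levels


def audit(config):
    """Return human-readable findings about the privilege-level layout."""
    grants = parse_privileges(config)
    pw_levels = parse_password_levels(config)
    findings = []
    for level in sorted(grants):
        cmds = grants[level]
        if level == 1:
            # Level 1 is where a telnet user lands before 'enable', so anything
            # granted here is reachable with only the line login password.
            for mode, cmd in cmds:
                findings.append(
                    f"level 1 ({mode}) grants '{cmd}' to every logged-in user")
        elif level < 15 and level not in pw_levels:
            # Commands were delegated to a level nobody can enable into on
            # purpose; either the password line is missing or the grants are stale.
            findings.append(
                f"level {level} has {len(cmds)} granted command(s) but no "
                f"'enable secret/password level {level}'")
        for mode, cmd in cmds:
            if mode == "exec" and cmd.startswith("configure"):
                # Entering config mode is the gateway to every 'privilege
                # configure' grant at this level, so call it out for review.
                findings.append(
                    f"level {level} can enter configuration mode via '{cmd}'; "
                    f"review its 'privilege configure' grants")
    return findings


if __name__ == "__main__":
    for level, cmds in sorted(parse_privileges(SAMPLE_CONFIG).items()):
        print(f"level {level}: " + ", ".join(f"{m}:{c}" for m, c in cmds))
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a "write terminal" or "show running-config" capture saved to a file instead of SAMPLE_CONFIG to review a real device; the level-1 check is the one most worth keeping, since anything granted there is available before any enable password is entered.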

The multi-level password feature gives the network configuration administrator significant control over who can perform specific functions on a router or access server. Think about using it the next time you need to delegate some portion of router administration without giving away full router control.


Volume 1, Number 2 Table Of Contents