Configuring Multiple Privilege Levels; Setting The Privilege Level For A Command - Cisco WS-C3560-48PS-S Software Configuration Manual

Protecting Access to Privileged EXEC Commands

Configuring Multiple Privilege Levels

By default, the Cisco IOS software has two modes of password security: user EXEC and privileged
EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring
multiple passwords, you can allow different sets of users to have access to specified commands.
For example, if you want many users to have access to the clear line command, you can assign it
level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access
to the configure command, you can assign it level 3 security and distribute that password to a more
restricted group of users.
This section includes this configuration information:
•
•
•

Setting the Privilege Level for a Command

Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode:
Command
Step 1 configure terminal
Step 2
privilege mode level level command
Step 3
enable password level level password
Step 4
end
Step 5
show running-config
or
show privilege
Step 6 copy running-config startup-config
Catalyst 3560 Switch Software Configuration Guide
8-8
Setting the Privilege Level for a Command, page 8-8
Changing the Default Privilege Level for Lines, page 8-9
Logging into and Exiting a Privilege Level, page 8-10
Purpose
Enter global configuration mode.
Set the privilege level for a command.
Specify the enable password for the privilege level.
Return to privileged EXEC mode.
Verify your entries.
The first command shows the password and access level configuration.
The second command shows the privilege level configuration.
(Optional) Save your entries in the configuration file.
• For mode, enter configure for global configuration mode, exec for
EXEC mode, interface for interface configuration mode, or line for
line configuration mode.
• For level, the range is from 0 to 15. Level 1 is for normal user EXEC
mode privileges. Level 15 is the level of access permitted by the
enable password.
• For command, specify the command to which you want to restrict
access.
• For level, the range is from 0 to 15. Level 1 is for normal user EXEC
mode privileges.
• For password, specify a string from 1 to 25 alphanumeric characters.
The string cannot start with a number, is case sensitive, and allows
spaces but ignores leading spaces. By default, no password is
defined.
Chapter 8 Configuring Switch-Based Authentication
78-16156-01