
💾 Module 5: Assigning Administrative Roles

🛡️ Privilege Levels and Role-Based CLI Access Control


📋 Overview

This module covers two methods for controlling administrative access to Cisco devices: privilege levels and role-based CLI access. Students will learn to implement granular access control, create custom views, and configure superviews for flexible user management in large organizations.


🔑 Key Terms

Privilege Level

Hierarchical access control system with 16 levels (0-15) determining command availability.

Role-Based CLI

Granular access control system using views to define specific command sets for users.

Root View

Administrative view with level 15 privileges, required to configure and manage other views.

CLI View

Specific set of commands bundled together with no command hierarchy or inheritance.

Superview

Collection of one or more CLI views allowing assignment of multiple views to users.

AAA

Authentication, Authorization, and Accounting: the framework that must be enabled (aaa new-model) before role-based CLI views can be created.


Configure Privilege Levels

Cisco IOS provides 16 privilege levels (0-15) for hierarchical access control. Higher levels inherit commands from lower levels.

Default Privilege Levels

| Level | Description | Access |
|-------|-------------|--------|
| 0 | Predefined user level | disable, enable, exit, help, logout |
| 1 | Default login level | Router> prompt; no configuration changes |
| 2-14 | Customizable levels | Commands can be moved between levels |
| 15 | Enable mode | Router# prompt; full configuration access |

Configuration Commands

Command Syntax

Privilege Level Configuration

# Assign command to privilege level
Router(config)# privilege mode level level command

# Create user with privilege level
Router(config)# username name privilege level algorithm-type scrypt secret password

# Set enable secret for privilege level
Router(config)# enable algorithm-type scrypt secret level level password

Configuration Example

# Level 5 configuration
R1(config)# privilege exec level 5 ping
R1(config)# enable algorithm-type scrypt secret level 5 cisco5
R1(config)# username SUPPORT privilege 5 algorithm-type scrypt secret cisco5

# Level 10 configuration
R1(config)# privilege exec level 10 reload
R1(config)# enable algorithm-type scrypt secret level 10 cisco10
R1(config)# username JR-ADMIN privilege 10 algorithm-type scrypt secret cisco10

# Level 15 configuration (full access)
R1(config)# enable algorithm-type scrypt secret level 15 cisco123
R1(config)# username ADMIN privilege 15 algorithm-type scrypt secret cisco123

Privilege Level Limitations

Key Restrictions

  • No access control to specific interfaces, ports, or slots
  • Lower-level commands always available at higher levels
  • Higher-level commands not available to lower-privileged users
  • Command keywords grant access to all related commands (e.g., "show ip route" grants access to all "show" and "show ip" commands)
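To make the inheritance and keyword behaviour above concrete, here is an added Python model (not code from the notes or from Cisco) that reads the level-5/10/15 example from this section and computes which exec commands each user can run. The default command table is constructed and deliberately tiny; the names `SAMPLE_CONFIG`, `available_commands`, `user_commands` and `users_with_full_access` are this example's own. It models only what the notes state: levels 0-15, each level inheriting everything below it, and a multi-keyword command exposing each of its keyword prefixes.

```python
"""Model of Cisco IOS privilege-level command inheritance (added example)."""
import re

# Constructed defaults (assumption): the level each sample exec command sits at.
DEFAULT_LEVELS = {
    0: {"disable", "enable", "exit", "help", "logout"},
    1: {"show version", "show ip route", "show interfaces"},
    15: {"ping", "reload", "configure terminal", "debug ip packet"},
}

# Both patterns tolerate the 'R1(config)# ' prompt so the notes' lines can be fed in as-is.
PRIV_RE = re.compile(r"^\s*(?:\S+\(config\)#\s*)?privilege\s+(\S+)\s+level\s+(\d+)\s+(.+?)\s*$")
USER_RE = re.compile(r"^\s*(?:\S+\(config\)#\s*)?username\s+(\S+)\s+privilege\s+(\d+)\b")

# The level-5/10/15 configuration example from the notes.
SAMPLE_CONFIG = """\
R1(config)# privilege exec level 5 ping
R1(config)# enable algorithm-type scrypt secret level 5 cisco5
R1(config)# username SUPPORT privilege 5 algorithm-type scrypt secret cisco5
R1(config)# privilege exec level 10 reload
R1(config)# enable algorithm-type scrypt secret level 10 cisco10
R1(config)# username JR-ADMIN privilege 10 algorithm-type scrypt secret cisco10
R1(config)# enable algorithm-type scrypt secret level 15 cisco123
R1(config)# username ADMIN privilege 15 algorithm-type scrypt secret cisco123
"""


def prefixes(command):
    """'show ip route' -> ['show', 'show ip', 'show ip route']."""
    words = command.split()
    return [" ".join(words[:i]) for i in range(1, len(words) + 1)]


def command_levels(config_text):
    """Map each exec command to its level after applying 'privilege exec level N cmd' lines."""
    levels = {cmd: lvl for lvl, cmds in DEFAULT_LEVELS.items() for cmd in cmds}
    for line in config_text.splitlines():
        m = PRIV_RE.match(line)
        if not m:
            continue
        mode, lvl, cmd = m.group(1), int(m.group(2)), m.group(3)
        if mode != "exec":
            continue  # only exec-mode commands are modelled here
        if not 0 <= lvl <= 15:
            raise ValueError(f"privilege level {lvl} is outside 0-15")
        levels[cmd] = lvl
    return levels


def available_commands(config_text, level):
    """Commands a user at `level` can run: everything at or below that level,
    plus every keyword prefix of those commands (the 'show ip route' caveat)."""
    out = set()
    for cmd, lvl in command_levels(config_text).items():
        if lvl <= level:
            out.update(prefixes(cmd))
    return out


def user_levels(config_text):
    """Map username -> privilege level from 'username NAME privilege N ...' lines."""
    return {m.group(1): int(m.group(2))
            for m in map(USER_RE.match, config_text.splitlines()) if m}


def user_commands(config_text, username):
    """Exec commands the named account can run under this configuration."""
    return available_commands(config_text, user_levels(config_text)[username])


def users_with_full_access(config_text):
    """Audit helper: accounts holding level 15, i.e. full configuration access."""
    return sorted(u for u, lvl in user_levels(config_text).items() if lvl == 15)


if __name__ == "__main__":
    for user in ("SUPPORT", "JR-ADMIN", "ADMIN"):
        print(user, sorted(user_commands(SAMPLE_CONFIG, user)))
```

Running it shows SUPPORT (level 5) gaining ping but not reload, JR-ADMIN (level 10) gaining both, and every level inheriting the level-0 and level-1 commands, which is exactly why privilege levels cannot hide a lower-level command from a higher-level user.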

Configure Role-Based CLI

Role-based CLI access, introduced in Cisco IOS Release 12.3(11)T, provides more granular control than privilege levels. It lets the administrator create different views of the router configuration for different users.

Benefits of Role-Based CLI

Security

Defines specific CLI commands accessible by users and controls access to specific ports, interfaces, and slots.

Availability

Prevents unintentional command execution by unauthorized personnel, minimizing downtime.

Operational Efficiency

Users see only applicable commands, making the router appear less complex and easier to navigate.

Prerequisites

Required Setup

AAA Configuration

Before creating views, AAA must be enabled:

Router(config)# aaa new-model

The administrator must then log into the root view:

Router# enable view

Role-Based Views

Three Types of Views

Root View

Same privileges as level 15 user but can configure new views and manage existing views. Required for all view management operations.

CLI View

Specific command set with no hierarchy. Each view must be assigned all commands - no inheritance from other views.

Superview

Collection of one or more CLI views. Allows assignment of multiple views to users simultaneously.

Five Steps to Create CLI Views

| Step | Command | Purpose |
|------|---------|---------|
| 1 | aaa new-model | Enable AAA (then enter the root view with enable view) |
| 2 | parser view view-name | Create the view and enter view configuration mode |
| 3 | secret password | Assign a password to the view (required immediately) |
| 4 | commands parser-mode include command | Assign commands to the view |
| 5 | exit | Exit view configuration mode |

Command Assignment Options

| Option | Description |
|--------|-------------|
| include | Add command to view; the same command may also be included in other views |
| include-exclusive | Add command to view and exclude it from all other views |
| exclude | Exclude command from view |
| all | Wildcard for all commands with the same keyword |

Configuration Example

# Create SHOWVIEW
R1(config)# parser view SHOWVIEW
R1(config-view)# secret cisco
R1(config-view)# commands exec include show
R1(config-view)# exit

# Create VERIFYVIEW
R1(config)# parser view VERIFYVIEW
R1(config-view)# secret cisco5
R1(config-view)# commands exec include ping
R1(config-view)# exit

# Create REBOOTVIEW
R1(config)# parser view REBOOTVIEW
R1(config-view)# secret cisco10
R1(config-view)# commands exec include reload
R1(config-view)# exit

Important Note

Password Requirement

The secret password must be configured immediately after creating a view, otherwise an error will occur when trying to add commands.


Configure Superviews

Superviews allow network administrators to assign multiple CLI views to users simultaneously, providing more flexible access control.

Superview Characteristics

  • Single CLI view can be shared within multiple superviews
  • Commands cannot be configured directly for superviews
  • Users access all commands from constituent CLI views
  • Each superview has its own password
  • Deleting superview doesn't delete associated CLI views

Four Steps to Create Superviews

| Step | Command | Purpose |
|------|---------|---------|
| 1 | parser view view-name superview | Create superview and enter configuration mode |
| 2 | secret password | Assign password to superview |
| 3 | view view-name | Assign CLI views to superview |
| 4 | exit | Exit superview configuration mode |

Configuration Example

# Create USER superview
R1(config)# parser view USER superview
R1(config-view)# secret cisco
R1(config-view)# view SHOWVIEW
R1(config-view)# exit

# Create SUPPORT superview
R1(config)# parser view SUPPORT superview
R1(config-view)# secret cisco1
R1(config-view)# view SHOWVIEW
R1(config-view)# view VERIFYVIEW
R1(config-view)# exit

# Create JR-ADMIN superview
R1(config)# parser view JR-ADMIN superview
R1(config-view)# secret cisco2
R1(config-view)# view SHOWVIEW
R1(config-view)# view VERIFYVIEW
R1(config-view)# view REBOOTVIEW
R1(config-view)# exit

Verification Commands

View Management

Useful Commands

  • enable view view-name - Switch to specific view
  • show parser view - Display current view
  • show parser view all - Show all views (asterisk indicates superviews)
  • ? - List available commands in current view

View Access Example

# Access USER superview
R1# enable view USER
Password: cisco
R1# ?
Exec commands:
  enable    Turn on privileged commands
  exit      Exit from the EXEC
  show      Show running system information

# Access SUPPORT superview
R1# enable view SUPPORT
Password: cisco1
R1# ?
Exec commands:
  enable    Turn on privileged commands
  exit      Exit from the EXEC
  ping      Send echo messages
  show      Show running system information
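The `?` listings above are the union of each superview's constituent CLI views. As an added example (not code from the notes or from Cisco) serving both the superview configuration and this view access section, the Python below parses the SHOWVIEW/VERIFYVIEW/REBOOTVIEW and USER/SUPPORT/JR-ADMIN stanzas exactly as they appear in the notes, computes the exec commands each view exposes, applies the include / include-exclusive / exclude options, and audits for the mistakes the notes warn about (missing secret, commands assigned directly to a superview, more than 15 views). Assumptions: prompts are stripped and `exit` closes a stanza; only `commands exec ...` lines are modelled; the `all` wildcard is kept as a literal rather than expanded; and `enable` and `exit` are present in every view, as the `?` output shows. The names `parse_views`, `exec_commands` and `audit` are this example's own.

```python
"""Parse Cisco IOS 'parser view' stanzas and compute per-view exec commands (added example)."""
import re

PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#\s*")
VIEW_RE = re.compile(r"^parser view (\S+)( superview)?$")
CMD_RE = re.compile(r"^commands (\S+) (include|include-exclusive|exclude) (.+)$")
ALWAYS_PRESENT = {"enable", "exit"}   # assumption taken from the notes' '?' listings
MAX_VIEWS = 15                        # limit stated in the notes (root view excluded)

# The CLI view and superview examples from the notes, prompts included.
SAMPLE_CONFIG = """\
R1(config)# parser view SHOWVIEW
R1(config-view)# secret cisco
R1(config-view)# commands exec include show
R1(config-view)# exit
R1(config)# parser view VERIFYVIEW
R1(config-view)# secret cisco5
R1(config-view)# commands exec include ping
R1(config-view)# exit
R1(config)# parser view REBOOTVIEW
R1(config-view)# secret cisco10
R1(config-view)# commands exec include reload
R1(config-view)# exit
R1(config)# parser view USER superview
R1(config-view)# secret cisco
R1(config-view)# view SHOWVIEW
R1(config-view)# exit
R1(config)# parser view SUPPORT superview
R1(config-view)# secret cisco1
R1(config-view)# view SHOWVIEW
R1(config-view)# view VERIFYVIEW
R1(config-view)# exit
R1(config)# parser view JR-ADMIN superview
R1(config-view)# secret cisco2
R1(config-view)# view SHOWVIEW
R1(config-view)# view VERIFYVIEW
R1(config-view)# view REBOOTVIEW
R1(config-view)# exit
"""


def parse_views(config_text):
    """Return {name: {'superview', 'secret', 'commands', 'members'}} from config text."""
    views, current = {}, None
    for raw in config_text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if not line or line.startswith(("!", "#")):
            continue                          # blank or comment line
        m = VIEW_RE.match(line)
        if m:
            current = {"superview": bool(m.group(2)), "secret": None,
                       "commands": [], "members": []}
            views[m.group(1)] = current
        elif current is None or line == "exit":
            current = None                    # outside any view stanza
        elif line.startswith("secret "):
            current["secret"] = line.split(None, 1)[1]
        elif line.startswith("view "):
            current["members"].append(line.split(None, 1)[1])
        else:
            cm = CMD_RE.match(line)
            if cm and cm.group(1) == "exec":  # (action, command), e.g. ('include', 'show')
                current["commands"].append((cm.group(2), cm.group(3)))
    return views


def exclusive_owner(views, command):
    """Name of the view that claimed `command` with include-exclusive, if any."""
    for name, v in views.items():
        if ("include-exclusive", command) in v["commands"]:
            return name
    return None


def exec_commands(views, name):
    """Exec commands reachable in view `name`; a superview is the union of its members."""
    v = views[name]
    out = set(ALWAYS_PRESENT)
    if v["superview"]:
        for member in v["members"]:
            if member in views:               # undefined members are reported by audit()
                out |= exec_commands(views, member)
        return out
    for action, cmd in v["commands"]:         # CLI views: no inheritance, order matters
        if action == "exclude":
            out.discard(cmd)
        elif action == "include" and exclusive_owner(views, cmd) not in (None, name):
            continue                          # claimed exclusively by another view
        else:
            out.add(cmd)
    return out


def audit(views):
    """Findings for the configuration mistakes the notes warn about."""
    findings = []
    if len(views) > MAX_VIEWS:
        findings.append(f"{len(views)} views configured; the limit is {MAX_VIEWS}")
    for name, v in views.items():
        if v["secret"] is None:
            findings.append(f"view {name} has no secret")
        if v["superview"]:
            if v["commands"]:
                findings.append(f"superview {name} has commands assigned directly")
            for member in v["members"]:
                if member not in views:
                    findings.append(f"superview {name} references undefined view {member}")
                elif views[member]["superview"]:
                    findings.append(f"superview {name} nests superview {member}")
    return findings


if __name__ == "__main__":
    parsed = parse_views(SAMPLE_CONFIG)
    for view in ("USER", "SUPPORT", "JR-ADMIN"):
        print(view, sorted(exec_commands(parsed, view)))
    print("audit:", audit(parsed) or "no findings")
```

For USER the model yields enable, exit and show; for SUPPORT it adds ping, matching the two `?` listings above. Because CLI views have no inheritance, a command reaches a superview only if some member view names it explicitly, so the audit is a cheap way to confirm that a superview grants exactly what was intended before handing its password to a user.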

✅ Quick Checks

  1. How many privilege levels are available in Cisco IOS?
    16 privilege levels (0-15), with higher levels providing more access.
  2. What are the three types of role-based CLI views?
    Root view, CLI view, and Superview.
  3. What must be enabled before creating role-based CLI views?
    AAA must be enabled using the "aaa new-model" command.
  4. What is a key limitation of privilege levels?
    No access control to specific interfaces, ports, or slots, and command keyword access grants access to all related commands.
  5. What happens if you try to add commands to a view before setting a password?
    An error message appears - the password must be set immediately after creating a view.

📝 Summary

  • Cisco IOS provides two methods for infrastructure access: privilege levels and role-based CLI
  • 16 privilege levels (0-15) offer hierarchical access with command inheritance
  • Privilege levels have limitations including lack of interface-specific control
  • Role-based CLI provides more granular control than privilege levels
  • Three view types: Root view (management), CLI view (specific commands), Superview (multiple views)
  • AAA must be enabled before creating any views
  • CLI views have no command hierarchy or inheritance
  • Superviews allow assignment of multiple CLI views to users
  • Views provide better security, availability, and operational efficiency
  • Maximum of 15 views can be created (excluding root view)

References

  • Module 5: Assigning Administrative Roles - Introduction (Ch. 5.0)
  • Configure Privilege Levels (Ch. 5.1)
  • Configure Role-Based CLI (Ch. 5.2)
  • Cisco IOS Release 12.3(11)T Role-Based CLI Access
  • AAA Configuration Guide
  • Cisco IOS Security Command Reference