CCIE Pursuit Blog

August 2, 2008

Internetwork Expert Volume II: Lab 3 – Section 11

Section 11 – IP Services – 4 Points

11.1 Local Authorization

Set r2’s default privilege level to 0 for telnet users.  Allow them to also ping and traceroute. If they need level 1 access, then have them authenticate with the password CISCO prior to being given access.

This is easy except for that last bit.  I couldn’t get my head around it.  Turns out that this was easy as well, you just need to set the privilege level for the enable password:

r2(config)#enable secret level 1 CISCO

r2#sh privilege
Current privilege level is 15
r2#disable 0
r4>?
Exec commands:
  <1-99>      Session number to resume
  disable     Turn off privileged commands
  enable      Turn on privileged commands
  exit        Exit from the EXEC
  help        Description of the interactive help system
  logout      Exit from the EXEC
  ping        Send echo messages
  traceroute  Trace route to destination

Normal commands available at privilege level 0:

r4#disa 0
r4>?
Exec commands:
  call     Voice call
  disable  Turn off privileged commands
  enable   Turn on privileged commands
  exit     Exit from the EXEC
  help     Description of the interactive help system
  logout   Exit from the EXEC

r4>

I could not get the “CISCO” password to work.

r2#sh run | i enabl
enable secret level 1 5 $1$2rnn$RVQJmvNqbzBPxtZhsm7Ga0
enable password cisco

I tried to use a ‘non-secret’ method, but the IOS cried “foul”:

r2(config)#enable pass level 1 CISCO
% Converting to a secret.  Please use "enable secret" in the future.

r2(config)#do sh run | i enable
enable secret level 1 5 $1$smcE$u7rQfwYvoPYAtd7.d38qO/
enable password cisco

Hmmmm….I telnetted in and found that I needed to specify level 1 and it worked:

r2>enable 1
Password: CISCO
r2>sh privi
Current privilege level is 1

r2>?
Exec commands:
  <1-99>           Session number to resume
  access-enable    Create a temporary Access-List entry
  access-profile   Apply user-profile to interface
  clear            Reset functions
  connect          Open a terminal connection
  crypto           Encryption related commands.
  disable          Turn off privileged commands
  disconnect       Disconnect an existing network connection
  dot11            IEEE 802.11 commands
  enable           Turn on privileged commands
  exit             Exit from the EXEC
  help             Description of the interactive help system
  lat              Open a lat connection
  lock             Lock the terminal
  login            Log in as a particular user
—output truncated—

11.2 Local Authorization

Set up NOC users to telnet to r5 at privilege level 1, but allow them to be able to “turn on and disable RIP debugging”.

IE just set up level 1 with the ability to debug ip rip and then stop all debugs:

privilege exec level 1 debug ip rip
privilege exec level 1 undebug all

r5#ena 1
r5>debug ip ?
  rip  RIP protocol transactions

What’s odd is that the IOS added a few more privileges (including the dreaded “debug all”):

r5(config)#do sh run | i privilege exec
privilege exec level 1 undebug ip rip
privilege exec level 1 undebug ip
privilege exec level 1 undebug all
privilege exec level 1 undebug
privilege exec level 1 debug ip rip
privilege exec level 1 debug ip
privilege exec level 1 debug all  <-yikes

privilege exec level 1 debug

r5>debug all

This may severely impact network performance. Continue? (yes/[no]):

I guess that we are to assume that only the NOC will be telnetting to the device:

r2#telnet 150.1.5.5
Trying 150.1.5.5 … Open

User Access Verification

Password:
r5>sh privi
Current privilege level is 1
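Both tasks come down to checking what actually landed in the running-config rather than what was typed: 11.1 needs a per-level enable secret, and 11.2 shows IOS silently widening a level-1 grant to include “debug all”. The script below is an added example written for this post (it is not IOS code, nor the IE workbook solution); it parses the kind of text “show run | i enable” and “show run | i privilege exec” produce and reports which levels have their own secret, which enable credentials are kept as type 0 (cleartext) or type 7 (reversible), and which “privilege exec” lines grant something outside an intended allowlist. SAMPLE_CONFIG is the lines shown on this page joined into one excerpt, and INTENDED_GRANTS, the function names and the “parser-stub” classification are my own assumptions.

```python
"""Audit 'enable' and 'privilege exec' lines from a Cisco IOS running-config.

Example written for this post (not IOS code or the IE workbook solution).
It reports:
  * which privilege levels have their own 'enable secret' (section 11.1);
  * enable credentials kept as type 0 (cleartext) or type 7 (reversible);
  * 'privilege exec level N <cmd>' lines that grant something the admin did
    not intend, such as the 'debug all' IOS added in section 11.2.
"""
import re
from dataclasses import dataclass

# Sample input: the config lines shown in the post, joined as one excerpt.
SAMPLE_CONFIG = """\
enable secret level 1 5 $1$smcE$u7rQfwYvoPYAtd7.d38qO/
enable password cisco
privilege exec level 1 undebug ip rip
privilege exec level 1 undebug ip
privilege exec level 1 undebug all
privilege exec level 1 undebug
privilege exec level 1 debug ip rip
privilege exec level 1 debug ip
privilege exec level 1 debug all
privilege exec level 1 debug
"""

# What the 11.2 task asked for at level 1 (hypothetical policy table).
INTENDED_GRANTS = {1: {"debug ip rip", "undebug ip rip", "undebug all"}}

# enable {secret|password} [level N] [type] value  (no type digit => cleartext)
ENABLE_RE = re.compile(
    r"^enable\s+(?P<kind>secret|password)"
    r"(?:\s+level\s+(?P<level>\d+))?"
    r"(?:\s+(?P<type>[05789]))?"
    r"\s+(?P<value>\S+)$"
)
PRIV_RE = re.compile(
    r"^privilege\s+(?P<mode>\S+)\s+level\s+(?P<level>\d+)\s+(?P<command>.+?)\s*$"
)


@dataclass
class EnableEntry:
    kind: str        # "secret" or "password"
    level: int       # privilege level the credential unlocks (default 15)
    hash_type: int   # IOS password type digit; 0 when none is present
    value: str

    @property
    def weak(self) -> bool:
        # Type 0 is cleartext; type 7 is a reversible obfuscation, not a hash.
        return self.hash_type in (0, 7)


def parse_config(text):
    """Split a config excerpt into EnableEntry objects and privilege tuples."""
    enables, grants = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENABLE_RE.match(line)
        if m:
            enables.append(EnableEntry(m["kind"], int(m["level"] or 15),
                                       int(m["type"] or 0), m["value"]))
            continue
        m = PRIV_RE.match(line)
        if m:
            grants.append((m["mode"], int(m["level"]), m["command"]))
    return enables, grants


def classify_grant(command, allowed):
    """'intended' if the admin asked for it; 'parser-stub' if it is only a
    parent of an intended command (IOS adds these so the leaf is reachable);
    otherwise 'unexpected'."""
    if command in allowed:
        return "intended"
    if any(a.startswith(command + " ") for a in allowed):
        return "parser-stub"
    return "unexpected"


def audit_config(text, intended):
    """Return the findings a reviewer would want from the two sections."""
    enables, grants = parse_config(text)
    findings = {
        "secret_levels": sorted({e.level for e in enables if e.kind == "secret"}),
        "weak_enable": [],
        "unexpected_grants": [],
        "stubs": [],
    }
    for e in enables:
        if e.weak:
            findings["weak_enable"].append(
                f"level {e.level}: 'enable {e.kind}' stored as type {e.hash_type}")
    for mode, level, command in grants:
        if mode != "exec" or level >= 15:   # only lowered exec commands matter
            continue
        verdict = classify_grant(command, intended.get(level, set()))
        if verdict == "unexpected":
            findings["unexpected_grants"].append((level, command))
        elif verdict == "parser-stub":
            findings["stubs"].append((level, command))
    return findings


if __name__ == "__main__":
    for key, items in audit_config(SAMPLE_CONFIG, INTENDED_GRANTS).items():
        print(f"{key}: {items}")
```

Run against the excerpt it flags the cleartext “enable password cisco” line and the level-1 “debug all” grant, while treating “debug ip”, “debug”, “undebug ip” and “undebug” as the parent stubs IOS adds to make “debug ip rip” reachable. Feeding it the real “show run” output of a router after a privilege change is a quick way to catch the kind of widening the post stumbled on.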


1 Comment »

  1. privilege level access has this problem.
    Since 12.4 (I guess), Cisco has introduced a new method that gives way more control to the administrator on what and what not to allow for different levels.
    In privilege levels once you allow for example show ip int brief, all show ip commands are enabled.
    Role-based CLI can include a particular command, include all commands starting with a phrase, exclude a particular command, and even import a level into another level, allowing hierarchical configuration (levels are called views here).
    You should check that feature. It's actually very cool. :)

    Comment by Barooq — August 2, 2008 @ 1:11 pm

