Foundry NetIron M2404C and M2404F Metro Access Switches
Configuring Switch Authentication Features (Rev. 03)
© 2008 Foundry Networks, Inc.
Page 6 of 70
User Privilege Levels with CLI
The Command Line Interface (CLI) supports privilege levels that restrict access to particular commands. This feature can be used to protect the system from unauthorized access.
There are three ways to authenticate a user: RADIUS, and authentication based on a
local database.
There are 16 privilege levels, from level 15, which is the most restricted level (lowest privilege), to level 0, which is unrestricted (highest privilege).
A privilege level is associated with each user and with each command. A user can execute only those commands whose privilege level is equal to or less privileged than the user's own level, that is, equal to or higher in nominal value.
Most commands have a privilege level of 1. The common commands exit, quit, no, etc. have privilege level 15, so every user can access them.
For example, users with privilege level 8 have access to all CLI commands with privilege levels from 8 to 15.
The default privilege level assigned to local users is level 0 (highest privilege). The default
privilege level assigned to RADIUS and users is level 15 (lowest privilege).
Table 1 shows the five default CLI privilege levels.

Table 1: Default Command Privilege Levels

Privilege          Description
Administrators     (0): Full read/write privilege without restriction for Layer 2 and Layer 3. Access to the
                   security settings (user/password management commands; debug commands; license
                   management commands; software upgrade, reload and script FS) is allowed.
Network-admins     (4): Read/write privilege for Layer 2 and Layer 3 without access to the security, debug
                   and other administrative settings (user/password management commands; debug
                   commands; license management commands; software upgrade, reload and script FS).
Technicians        (8): Read/write privilege for Layer 2, read-only privilege for Layer 3.
Users              (12): Read-only privilege for Layer 2 and Layer 3 that allows access to all show
                   commands; the general commands exit, quit, no; show commands; the enable and
                   disable commands; the ping and traceroute commands.
Guests             (15): Read-only privilege in non-privileged mode (cannot execute the enable command).
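The following is an added example, not code from the Foundry manual: it models the inverted privilege scale described above (level 0 most privileged, level 15 least) as an authorization check, using the default role levels from Table 1 and the default levels for local and RADIUS accounts. The command table is constructed; only the levels of exit, quit and no (15) and of "most commands" (1) are stated on the page, the rest are assumptions chosen to match the role descriptions.

```python
# Default role levels from Table 1 (level 0 is the most privileged).
ROLE_LEVELS = {
    "administrator": 0,
    "network-admin": 4,
    "technician": 8,
    "user": 12,
    "guest": 15,
}

# Default level given to an account when none is configured (from the text).
DEFAULT_LEVEL_BY_SOURCE = {"local": 0, "radius": 15}

# Constructed command table. Entries marked "stated" come from the page;
# the others are assumptions consistent with the role descriptions.
COMMAND_LEVELS = {
    "exit": 15,        # stated: common commands have level 15
    "quit": 15,        # stated
    "no": 15,          # stated
    "show": 12,        # assumed: available to Users (12) and above
    "enable": 12,      # assumed: Guests (15) cannot run enable
    "ping": 12,        # assumed
    "configure": 1,    # stated: most commands have level 1
    "username": 0,     # assumed: user management reserved for Administrators
}


def can_execute(user_level: int, command: str) -> bool:
    """True when the user is at least as privileged as the command requires.

    On this scale a smaller number means more privilege, so the command's
    nominal level must be greater than or equal to the user's nominal level.
    Getting this comparison backwards would grant guests every command.
    """
    if not 0 <= user_level <= 15:
        raise ValueError(f"privilege level out of range: {user_level}")
    if command not in COMMAND_LEVELS:
        raise ValueError(f"unknown command: {command}")
    return COMMAND_LEVELS[command] >= user_level


def effective_level(source: str, configured_level=None) -> int:
    """Level an account receives: the configured one, else the source default."""
    if configured_level is not None:
        return configured_level
    return DEFAULT_LEVEL_BY_SOURCE[source]


def allowed_commands(role: str) -> list:
    """Commands a default member of `role` (Table 1) may execute."""
    level = ROLE_LEVELS[role]
    return sorted(c for c in COMMAND_LEVELS if can_execute(level, c))
```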
RADIUS Authentication and Privilege Groups
In addition to the RADIUS server configuration (see Configuring RADIUS), and in order to make the server aware of the existing privilege levels, the authentication and privilege groups require the following steps:
1. Copy an additional file, for example a file named "dictionary.foundry", to the same folder in which the RADIUS configuration files are installed. It contains a list of attributes that the server uses to map user names to privilege levels.