How to create privilege AAA for username

fchew
Level 1

I do not have any ACS server but would like to create 3 usernames for access to certain list of IOS commands in CISCO IOS ver 12.0 using AAA-model. I tried using CISCO search engine but without much success. Appreciate any available tips to help me to configure 3 different users with different privilege in the router.

username xxxxx password xxxx privilege 5

In addition, is there any means in the IOS to facilitate changing of password upon logging into the router?

Thanks/Francis

3 Replies

Nairi Adamian
Cisco Employee

The following URL includes the information you need regarding the privilege levels:

http://www.cisco.com/en/US/customer/tech/tk648/tk367/technologies_tech_note09186a008009465c.shtml

hope this helps,

-Nairi

4brown
Level 1

Here is an example of using 3 separate levels, MAKE sure you create the usernames first. I like to disable AAA on the console port also, since this is an element of physical security in most cases. If someone has physical access, they can still do a password recovery but this depends on your security requirements.

You must first log out, and then log back into the router following the inclusion of the aaa authorization commands 15 local if-authenticated command.

Syntax may vary somewhat on the AAA commands depending on your version.

! Local users, created before AAA is switched on
username rtr_low privilege 1 password xxxxxxx
username rtr_med privilege 7 password xxxxxxx
username rtr_super privilege 15 password xxxxxx
!
aaa new-model
aaa authentication login default local enable
aaa authentication login NO_AUTHEN none
aaa authorization exec default local if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 NO_AUTHOR none
! "aaa authorization commands" needs a list name (default here)
aaa authorization commands 1 default local if-authenticated
aaa authorization commands 5 default local if-authenticated
aaa authorization commands 15 default local if-authenticated
!
! Console keeps the "none" lists so physical access is not locked out
line con 0
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 login authentication NO_AUTHEN

Now you have created 3 sets of command authorization for all users. If you notice, priv 15 users will be taken into priv level 15 automatically without having to enable. This is part of EXEC authorization.

Privilege level 1 and 15 commands are already configured in IOS. You will have to set the level of commands for privilege 5 yourself with this command:

privilege exec level 5 <command>

So to change the level of "sh run" from 15 to 5:

privilege exec level 5 show running-config

Use this to custom configure any of your other commands depending on your requirements.

Hope this helps...
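An added check, not part of this thread or of any Cisco tool: a small Python audit that parses the kind of configuration shown in the reply above and reports two things a reviewer would look for, a custom privilege level that has users but no "aaa authorization commands" list for that level (as happens with rtr_med at level 7 when only levels 1, 5 and 15 are authorized), and sensitive commands relocated below level 15. The sample configuration, the SENSITIVE list and the function names are assumptions made for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample, modelled on the reply above (not a real device config).
SAMPLE_CONFIG = """\
username rtr_low privilege 1 password xxxxxxx
username rtr_med privilege 7 password xxxxxxx
username rtr_super privilege 15 password xxxxxx
aaa new-model
aaa authentication login default local enable
aaa authorization exec default local if-authenticated
aaa authorization commands 1 default local if-authenticated
aaa authorization commands 5 default local if-authenticated
aaa authorization commands 15 default local if-authenticated
privilege exec level 5 show running-config
"""

USER_RE = re.compile(r"^username (\S+) privilege (\d+)\b")
AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) default\b")
PRIV_RE = re.compile(r"^privilege exec level (\d+) (.+)$")

# Commands worth a second look when moved below level 15 (assumed list, not from the thread).
SENSITIVE = ("configure", "show running-config", "copy", "write")


def audit(config: str) -> List[str]:
    """Return human-readable findings about the privilege/authorization setup."""
    users: Dict[str, int] = {}
    authz_levels: Set[int] = set()
    lowered: List[Tuple[int, str]] = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := USER_RE.match(line):
            users[m.group(1)] = int(m.group(2))
        elif m := AUTHZ_RE.match(line):
            authz_levels.add(int(m.group(1)))
        elif m := PRIV_RE.match(line):
            lowered.append((int(m.group(1)), m.group(2).strip()))

    findings = []
    # A custom level with users but no command-authorization list means commands
    # entered at that level are not subjected to command authorization at all.
    for user, level in sorted(users.items()):
        if 1 < level < 15 and level not in authz_levels:
            findings.append(f"{user}: privilege {level} has no "
                            f"'aaa authorization commands {level}' list")
    # Sensitive commands relocated below level 15 deserve an explicit review.
    for level, cmd in lowered:
        if level < 15 and cmd.startswith(SENSITIVE):
            findings.append(f"'{cmd}' is reachable at privilege {level}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```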

fchew
Level 1

Thanks for the good tips & it works great. Again, many thanks. /Francis