User at Wrong Privilege Level — Cannot Run Needed Commands
Presenting Symptom
A network engineer is unable to execute certain commands (e.g., 'show running-config', 'configure terminal') on a Cisco router, receiving '% Invalid input detected' or 'Command rejected' errors.
Network Context
The scenario takes place in a small branch office with a single Cisco ISR 4331 router running IOS XE 16.9. The router is managed via SSH by a junior network engineer who has been assigned a custom privilege level (level 5) instead of the default privilege level 15. The engineer can ping and perform basic show commands but cannot access configuration mode or view the full running configuration.
Diagnostic Steps
Check current privilege level
show privilege
Current privilege level is 5
If the output shows a level lower than 15, the user is restricted. Level 15 is the normal level for full administrative access.
Display user account details
show running-config | include username
username admin privilege 5 secret 5 $1$...
Look for the privilege level assigned to the user. A level lower than 15 indicates restricted access. Note that 'show running-config' itself requires level 15, so this step must be run from an administrator session rather than from the restricted user's session.
Attempt to enter global configuration mode
configure terminal
% Invalid input detected at '^' marker.
This error confirms that the user lacks the privilege to enter configuration mode, which requires privilege level 15.
Check the privilege level of the 'configure' command
show privilege all | include configure
configure terminal 15
This shows that 'configure terminal' requires privilege level 15. The user's level 5 is insufficient.
Root Cause
The user account 'admin' has been configured with privilege level 5 instead of the default privilege level 15. Privilege levels 0-15 control command access; level 15 provides full access, while lower levels restrict commands. The user cannot execute commands that require higher privilege levels.
Resolution
Verification
1. Re-authenticate with the user 'admin'.
2. Run 'show privilege' — expected output: 'Current privilege level is 15'.
3. Run 'configure terminal' — should enter config mode without error.
4. Run 'show running-config' — should display the full configuration.
Prevention
1. Always assign privilege level 15 to administrative accounts.
2. Use role-based access control (RBAC) with AAA if granular permissions are needed, rather than custom privilege levels.
3. Regularly audit user privilege levels using 'show running-config | include username'.
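The audit in prevention step 3 can be scripted over the captured output of 'show running-config | include username'. The following is an added example written for this page, not part of the original scenario or any Cisco tool; the sample output is constructed (placeholder hashes), and it also handles the case the page does not show, a 'username' line with no 'privilege' keyword, which IOS treats as level 1.

```python
import re

# Constructed sample: captured output of 'show running-config | include username'.
# Hash values are placeholders, not real credentials.
SAMPLE_OUTPUT = """\
username admin privilege 5 secret 5 $1$PLACEHOLDER
username netops privilege 15 secret 5 $1$PLACEHOLDER
username helpdesk secret 5 $1$PLACEHOLDER
"""

# IOS syntax: username <name> [privilege <0-15>] {secret|password} ...
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d{1,2}))?")

FULL_ACCESS = 15   # level required for 'configure terminal' and 'show running-config'
DEFAULT_LEVEL = 1  # IOS default when the 'privilege' keyword is omitted


def parse_users(config_text):
    """Map each username to its effective privilege level (0-15)."""
    users = {}
    for line in config_text.splitlines():
        match = USERNAME_RE.match(line.strip())
        if not match:
            continue
        name, level = match.group(1), match.group(2)
        users[name] = int(level) if level is not None else DEFAULT_LEVEL
    return users


def restricted_users(config_text):
    """Return sorted (username, level) pairs for accounts below level 15."""
    return sorted(
        (name, level)
        for name, level in parse_users(config_text).items()
        if level < FULL_ACCESS
    )


if __name__ == "__main__":
    for name, level in restricted_users(SAMPLE_OUTPUT):
        print(f"{name}: privilege {level} (<{FULL_ACCESS}) "
              "- cannot enter configuration mode or view the full running-config")
```

Feed the script the real captured output to list every account that would hit the '% Invalid input detected' symptom described above.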
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario may appear as a troubleshooting question where you must identify why a user cannot execute certain commands. The exam tests understanding of privilege levels (0-15) and the default level for full access (15). A common multiple-choice question asks: 'A user can ping but cannot configure the router. What is the most likely cause?' The correct answer is 'The user has a privilege level lower than 15.'
Exam Tips
Memorize that privilege level 15 is required for full access, including 'configure terminal' and 'show running-config'.
Remember that 'show privilege' displays the current level; if it's not 15, commands are restricted.
Know that the 'username' command with 'privilege' keyword sets the user's level; 'privilege 15' grants full access.
Commands Used in This Scenario