https://community.cisco.com/t5/network-access-control/username-with-privilege-level-15-bypass-enable/m-p/1633581#M257943 <P>Hi experts,</P><P></P><P>I guess I never really understand the authentication process on Cisco routers and devices lol. Anyway I want users with privilege level 15 to be put in the enable mode right away after login without having to type in "enable" command and enable password. Users with other privilege levels will still be put in the EXEC mode.</P><P></P><P>AAA has to be enabled because I'm using it for 802.1x as well.</P><P></P><P>The privilege level eventually will be assigned by Radius server but right now the user is created locally on the switch. Right now I have:</P><P></P><P><SPAN style="color: #0000ff;">aaa new-model</SPAN></P><P><SPAN style="color: #0000ff;">!</SPAN></P><P><SPAN style="color: #0000ff;">username admin privilege 15 secret 5 $1$2bdl$VIp53G4/zpo4f9aHh.t5v0<BR />username cisco secret 5 $1$NGdD$ehTUzwappJFMxgA7tM/YW.<BR />!</SPAN></P><P><SPAN style="color: #0000ff;">line vty 0 5<BR /> access-class 100 in<BR /> exec-timeout 30 0<BR /> logging synchronous<BR /> transport input ssh<BR /></SPAN></P><P><SPAN style="color: #000000;">And it's not working lol. No matter I log in with "admin" or "cisco" I'm put in EXEC mode... What do I have to do to achieve this?</SPAN></P><P><SPAN style="color: #000000;">Thanks!</SPAN></P> Mon, 11 Mar 2019 00:45:33 GMT Difan Zhao 2019-03-11T00:45:33Z https://community.cisco.com/t5/network-access-control/username-with-privilege-level-15-bypass-enable/m-p/1633581#M257943 <P>Hi experts,</P><P></P><P>I guess I never really understand the authentication process on Cisco routers and devices lol. Anyway I want users with privilege level 15 to be put in the enable mode right away after login without having to type in "enable" command and enable password. Users with other privilege levels will still be put in the EXEC mode.</P><P></P><P>AAA has to be enabled because I'm using it for 802.1x as well.</P><P></P><P>The privilege level eventually will be assigned by Radius server but right now the user is created locally on the switch. Right now I have:</P><P></P><P><SPAN style="color: #0000ff;">aaa new-model</SPAN></P><P><SPAN style="color: #0000ff;">!</SPAN></P><P><SPAN style="color: #0000ff;">username admin privilege 15 secret 5 $1$2bdl$VIp53G4/zpo4f9aHh.t5v0<BR />username cisco secret 5 $1$NGdD$ehTUzwappJFMxgA7tM/YW.<BR />!</SPAN></P><P><SPAN style="color: #0000ff;">line vty 0 5<BR /> access-class 100 in<BR /> exec-timeout 30 0<BR /> logging synchronous<BR /> transport input ssh<BR /></SPAN></P><P><SPAN style="color: #000000;">And it's not working lol. No matter I log in with "admin" or "cisco" I'm put in EXEC mode... What do I have to do to achieve this?</SPAN></P><P><SPAN style="color: #000000;">Thanks!</SPAN></P> Mon, 11 Mar 2019 00:45:33 GMT https://community.cisco.com/t5/network-access-control/username-with-privilege-level-15-bypass-enable/m-p/1633581#M257943 Difan Zhao 2019-03-11T00:45:33Z https://community.cisco.com/t5/network-access-control/username-with-privilege-level-15-bypass-enable/m-p/1633582#M257947 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #800000;">On the cisco device issue the below listed command</SPAN></P><P><SPAN style="color: #800000;"><BR /></SPAN></P><P><SPAN style="color: #800000;">aaa authorization exec default group radius local </SPAN></P><P><SPAN style="color: #800000;"><BR /></SPAN></P><P><SPAN style="color: #800000;">On the radius server if its ACS or IAS </SPAN></P><P><SPAN style="color: #800000;">set the service type attribute like this</SPAN></P><P><SPAN style="color: #800000;">services-type=Administrative</SPAN></P><P><SPAN style="color: #800000;"><BR /></SPAN></P><P><SPAN style="color: #800000;">doing this, user will be start landing in privelege exec mode #<BR /></SPAN></P><P><SPAN style="color: #800000;"><BR /></SPAN></P><P><SPAN style="color: #800000;"><BR /></SPAN></P><P><SPAN style="color: #800000;">Regards,</SPAN></P><P><SPAN style="color: #800000;">Jatin</SPAN></P><P><SPAN style="color: #800000;"><BR /></SPAN></P><P><SPAN style="color: #800000;">Do rate helpful posts-</SPAN></P></BODY></HTML> Wed, 26 Jan 2011 17:39:07 GMT https://community.cisco.com/t5/network-access-control/username-with-privilege-level-15-bypass-enable/m-p/1633582#M257947 Jatin Katyal 2011-01-26T17:39:07Z https://community.cisco.com/t5/network-access-control/username-with-privilege-level-15-bypass-enable/m-p/1633583#M257952 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The with default keyword authorization will get applied on all the lines i.e. <SPAN style=": ; line-height: 115%; color: #000000; font-size: 10pt; sans-serif&quot;: ; font-family: &quot; , &quot;: ; Arial&quot;: ; ">CONSOLE, VTY, AUX.</SPAN></P><P></P><P><SPAN style=": ; line-height: 115%; color: #000000; font-size: 10pt; sans-serif&quot;: ; font-family: &quot; , &quot;: ; Arial&quot;: ; ">In case you want it for users who are trying to login to via ssh or telnet use the following:</SPAN></P><P></P><P><SPAN style="line-height: 115%; font-family: &quot;Arial&quot;, &quot;sans-serif&quot;; font-size: 10pt;"></SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><STRONG style="mso-bidi-font-weight: normal; : ; color: #000000; font-size: 12pt; font-family: Calibri; ">EXEC AUTHORIZATION</STRONG></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="font-family: Calibri; color: #000000; font-size: 12pt;">Router</SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style=": ; line-height: 115%; color: #000000; font-size: 10pt; sans-serif&quot;: ; font-family: &quot; , &quot;: ; Arial&quot;: ; ">router(config)#aaa authorization exec TEL GRoup radius local<BR />router(config)#line vty 0 15<BR />router(config-line)#authorization exec TEL<BR style="mso-special-character: line-break;" /><BR style="mso-special-character: line-break;" /></SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="font-family: Calibri; color: #000000; font-size: 12pt;">ACS</SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="font-family: Calibri; color: #000000; font-size: 12pt;">Interface configuration</SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="font-family: Calibri; color: #000000; font-size: 12pt;">Check<SPAN style="mso-spacerun: yes;">&nbsp; </SPAN>user &amp; group for cisco av-pair.</SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="color: #000000; font-size: 12pt; "><SPAN style="font-family: Calibri;">User setup </SPAN><SPAN style="mso-symbol-font-family: Wingdings; mso-char-type: symbol; mso-ascii-font-family: Calibri; mso-hansi-theme-font: minor-latin; font-family: Wingdings; mso-ascii-theme-font: minor-latin; mso-hansi-font-family: Calibri; ">à</SPAN><SPAN style="font-family: Calibri;"> cisco ios/pix 6.x radius attributes </SPAN><SPAN style="mso-symbol-font-family: Wingdings; mso-char-type: symbol; mso-ascii-font-family: Calibri; mso-hansi-theme-font: minor-latin; font-family: Wingdings; mso-ascii-theme-font: minor-latin; mso-hansi-font-family: Calibri; ">à</SPAN><SPAN style="font-family: Calibri;">cisco av-pair [ shell:priv-lvl=15]</SPAN></SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="font-family: Calibri; color: #000000; font-size: 12pt;">OR</SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="color: #000000; font-size: 12pt; "><SPAN style="font-family: Calibri;">Group setup </SPAN><SPAN style="mso-symbol-font-family: Wingdings; mso-char-type: symbol; mso-ascii-font-family: Calibri; mso-hansi-theme-font: minor-latin; font-family: Wingdings; mso-ascii-theme-font: minor-latin; mso-hansi-font-family: Calibri; ">à</SPAN><SPAN style="font-family: Calibri;"> ios/pix 6.x radius attributes </SPAN><SPAN style="mso-symbol-font-family: Wingdings; mso-char-type: symbol; mso-ascii-font-family: Calibri; mso-hansi-theme-font: minor-latin; font-family: Wingdings; mso-ascii-theme-font: minor-latin; mso-hansi-font-family: Calibri; ">à</SPAN><SPAN style="font-family: Calibri;"> shell:priv-lvl=15</SPAN></SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="font-family: Calibri; color: #000000; font-size: 12pt;">In case of radius if exec authorization is enabled<SPAN style="mso-spacerun: yes;">&nbsp; </SPAN>and if have not specified any privilege level in the ACS server. Then user will fall under the privilege level 1 and if enable authentication is enabled<SPAN style="mso-spacerun: yes;">&nbsp; </SPAN>or enable password is defined<SPAN style="mso-spacerun: yes;">&nbsp; </SPAN>on the router then we can go to enable mode by typing en or en <PRIV-LVL></PRIV-LVL></SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;">Regards,</P><P class="MsoNormal" style="margin: 0in 0in 10pt;">Anisha</P><P class="MsoNormal" style="margin: 0in 0in 10pt;">P.S.: please mark this thread as resolved if you think your query is answered.</P><P></P><P></P></BODY></HTML> Thu, 27 Jan 2011 15:03:49 GMT https://community.cisco.com/t5/network-access-control/username-with-privilege-level-15-bypass-enable/m-p/1633583#M257952 andamani 2011-01-27T15:03:49Z https://community.cisco.com/t5/network-access-control/username-with-privilege-level-15-bypass-enable/m-p/1633584#M257956 <HTML><HEAD></HEAD><BODY><P>Thanks guys!</P></BODY></HTML> Thu, 27 Jan 2011 23:17:41 GMT https://community.cisco.com/t5/network-access-control/username-with-privilege-level-15-bypass-enable/m-p/1633584#M257956 Difan Zhao 2011-01-27T23:17:41Z