Use aaa for enable prompt?

DynDarako
Level 1

Hello,

Currently, I don't know how to have many users with different passwords. My switches are 2960-S.

aaa configuration:

aaa new-model
aaa authentication login default local

user:

username scd privilege 15 secret 5 $1$
username opst privilege 15 secret 5 $1$
username read privilege 7 secret 5 $1$

When I try to connect to my switch, I enter my username and my password, but I am not in enable mode. Then I enter enable, but the switch doesn't ask me for a password. It's not a problem with a personal username, but it's the same thing with a common username like read...

I try to enter this command:

"Enable secret <mypassword>"

In this case, all users must enter mypassword! How can I get into enable mode with the user's own password from the local user database?

Best regards,

Accepted Solution

andressalazard
Level 1

Here is another option:

We are halfway to making this work. You already have authentication happening locally; we should be able to attach the user authentication to the assigned privilege by using authorization.

aaa new-model
aaa authentication login default local
aaa authorization exec default local <<< Once you add this, the switch will place the newly authenticated user into the correct privilege level.

The users will not be prompted for the enable password, but will jump directly into enable mode. You can confirm the privilege level assigned to the user with the show priv command.

The original enable password/secret would still be there; if you allow users access to the enable command, they can still jump into the full-privilege enable mode (15). This can be avoided by giving the users a lower privilege level and then moving the enable command up to a higher privilege level.

I don't have a switch with me at this moment to test the CLI, but I think the command to change the privilege would be:

Switch(config)#privilege exec level X enable

where X is the new privilege level. Of course, the junior user should be in a lower level in order not to reach the command.

HTH,

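Added example (not from the thread and not Cisco code): a small Python audit that reads an IOS config excerpt and reports the relationships this answer describes, namely whether local login authentication is paired with local exec authorization, whether console sessions are covered by authorization, whether an enable secret exists, which local users can still reach the enable command at its configured privilege level, and which secrets use the older type 5 (MD5) encoding. The two configurations embedded in it are constructed from this thread with placeholder hashes, and the rule set is one reading of the answer above, not a Cisco checklist.

```python
"""Audit an IOS running-config excerpt for the local-AAA / privilege-level
relationships this thread discusses.  Added example, not Cisco code; the rules
are one reading of the accepted answer, not a vendor checklist.  The sample
configs below are constructed from the thread with placeholder hashes."""
import re

USERNAME_RE = re.compile(
    r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?\s+(secret|password)(?:\s+(\d+))?\s+\S+")
PRIV_ENABLE_RE = re.compile(r"^privilege\s+exec\s+level\s+(\d+)\s+enable\s*$")

# The original poster's configuration (placeholder hashes instead of the real $1$ ones).
ORIGINAL_CFG = """
aaa new-model
aaa authentication login default local
username scd privilege 15 secret 5 $1$PLACEHOLDER
username opst privilege 15 secret 5 $1$PLACEHOLDER
username read privilege 7 secret 5 $1$PLACEHOLDER
"""

# The configuration the accepted answer describes: exec authorization, console
# authorization, an enable secret, and 'enable' moved out of reach of level 7.
HARDENED_CFG = """
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization console
enable secret 9 $9$PLACEHOLDER
privilege exec level 15 enable
username scd privilege 15 secret 9 $9$PLACEHOLDER
username opst privilege 15 secret 9 $9$PLACEHOLDER
username read privilege 7 secret 9 $9$PLACEHOLDER
"""


def parse_ios(config: str) -> dict:
    """Pick out the statements the audit needs; everything else is ignored."""
    st = {
        "login_local": False, "exec_authz_local": False, "console_authz": False,
        "enable_secret": False, "enable_password": False,
        "enable_cmd_level": 1,   # IOS default: 'enable' is a level-1 command
        "users": {},             # name -> (privilege, keyword, encoding type)
    }
    for raw in config.splitlines():
        line = raw.strip()
        if line == "aaa authentication login default local":
            st["login_local"] = True
        elif line == "aaa authorization exec default local":
            st["exec_authz_local"] = True
        elif line == "aaa authorization console":
            st["console_authz"] = True
        elif line.startswith("enable secret "):
            st["enable_secret"] = True
        elif line.startswith("enable password "):
            st["enable_password"] = True
        elif (m := PRIV_ENABLE_RE.match(line)):
            st["enable_cmd_level"] = int(m.group(1))
        elif (m := USERNAME_RE.match(line)):
            name, priv, keyword, enc = m.groups()
            st["users"][name] = (int(priv) if priv else 1, keyword, enc)
    return st


def audit(config: str) -> list:
    """Return human-readable findings; an empty list means nothing to report."""
    st = parse_ios(config)
    out = []
    if st["login_local"] and not st["exec_authz_local"]:
        out.append("no 'aaa authorization exec default local': locally authenticated "
                   "users start at the line default (level 1), not at their 'privilege N'")
    if st["exec_authz_local"] and not st["console_authz"]:
        out.append("'aaa authorization console' absent: console sessions are not "
                   "subject to exec authorization")
    if not st["enable_secret"]:
        out.append("'enable password' is a reversible credential; use 'enable secret'"
                   if st["enable_password"] else "no enable secret configured")
    lvl = st["enable_cmd_level"]
    for name, (priv, keyword, enc) in sorted(st["users"].items()):
        if lvl <= priv < 15:
            out.append(f"user {name} (level {priv}) can run 'enable' (level {lvl}); "
                       f"the shared enable credential, not the user's own, gates level 15")
        if keyword == "password":
            out.append(f"user {name}: 'password' stores a reversible (type {enc or '0'}) "
                       f"credential; use 'secret'")
        elif enc == "5":
            out.append(f"user {name}: type 5 (MD5) secret; prefer type 8 or 9")
    return out


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CFG), ("hardened", HARDENED_CFG)):
        findings = audit(cfg)
        print(f"== {label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it directly to print the findings for both configurations; the hardened one comes back clean, while the original reports the missing exec authorization, the absent enable secret, the level-7 user who can still reach the enable command, and the three type 5 secrets. It only recognises the exact statements it knows about, so a named (non-default) method list or a `privilege exec all level` line is ignored rather than misreported.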

5 Replies

jliscano
Level 1

Hi -

I believe you can set up levels on the enable command. Here's the link: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfpass.html#wp1001368. Read the 3rd paragraph from the bottom of the "Protecting Passwords with Enable Password and Enable Secret" topic.

Hope this helps.


Hi,

Thanks for your post.

Here is my aaa configuration:

aaa authentication login default local
aaa authorization console
aaa authorization exec default local

Then I tried to enter your command:

privilege exec level 15 enable

But it doesn't work! Indeed, after logging in, I enter this command:

show privilege

Current privilege level is 1

Whereas in my configuration my user is level 15...

Hi,

Why don't you just do this:

aaa authentication enable default local

Regards.

Alain.

Don't forget to rate helpful posts.

Hi,

This command doesn't exist in my IOS...

aaa authentication enable default local

                                                 ^

% Invalid input detected at '^' marker.

My choices are:

  cache   Use Cached-group
  enable  Use enable password for authentication.
  group   Use Server-group
  line    Use line password for authentication.
  none    NO authentication.

No option solves the problem.

Best regards,