10464 Views, 5 Helpful, 3 Replies

Username with privilege level 15 bypass enable

Difan Zhao
Level 5

Hi experts,

I guess I never really understood the authentication process on Cisco routers and devices lol. Anyway, I want users with privilege level 15 to be put in enable mode right away after login, without having to type the "enable" command and the enable password. Users with other privilege levels will still be put in EXEC mode.

AAA has to be enabled because I'm using it for 802.1x as well.

The privilege level will eventually be assigned by the RADIUS server, but right now the user is created locally on the switch. Right now I have:

aaa new-model
!
username admin privilege 15 secret 5 $1$2bdl$VIp53G4/zpo4f9aHh.t5v0
username cisco secret 5 $1$NGdD$ehTUzwappJFMxgA7tM/YW.
!
line vty 0 5
 access-class 100 in
 exec-timeout 30 0
 logging synchronous
 transport input ssh

And it's not working lol. No matter whether I log in with "admin" or "cisco", I'm put in EXEC mode... What do I have to do to achieve this?

Thanks!

Accepted Solution

Jatin Katyal
Cisco Employee

On the Cisco device, issue the command listed below:

aaa authorization exec default group radius local

On the RADIUS server, if it's ACS or IAS, set the Service-Type attribute like this:

Service-Type=Administrative

Doing this, the user will start landing in privileged EXEC mode (#).



Regards,

Jatin


Do rate helpful posts-

~Jatin


3 Replies

andamani
Cisco Employee

Hi,

With the default keyword, authorization will get applied on all the lines, i.e. CONSOLE, VTY, AUX.

In case you want it only for users who are logging in via SSH or Telnet, use the following:

EXEC AUTHORIZATION

Router

router(config)#aaa authorization exec TEL group radius local
router(config)#line vty 0 15
router(config-line)#authorization exec TEL

ACS

Interface configuration

Check user & group for cisco av-pair.

User setup -> cisco ios/pix 6.x radius attributes -> cisco av-pair [shell:priv-lvl=15]

OR

Group setup -> ios/pix 6.x radius attributes -> shell:priv-lvl=15

In the case of RADIUS, if exec authorization is enabled and you have not specified any privilege level on the ACS server, then the user will fall under privilege level 1, and if enable authentication is enabled or an enable password is defined on the router, then we can go to enable mode by typing enable or en.

Regards,

Anisha

P.S.: please mark this thread as resolved if you think your query is answered.
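As an added illustration of the two RADIUS reply attributes the answers above rely on (not code from the thread, Cisco ACS or IOS): this constructed Python encodes Service-Type=Administrative and a Cisco-AVPair shell:priv-lvl=N as RFC 2865 attributes, parses them back, and derives the exec privilege level the way the thread describes it (priv-lvl wins, Administrative gives 15, nothing gives level 1). The precedence rule is an assumption that simplifies real IOS behaviour.

```python
import struct

# RFC 2865 attribute numbers and values referred to in the thread
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_ADMINISTRATIVE = 6   # "Service-Type = Administrative"
CISCO_VENDOR_ID = 9               # IANA enterprise number for Cisco
CISCO_AVPAIR = 1                  # vendor type of Cisco-AVPair (cisco av-pair)

def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length counts the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def service_type(value: int) -> bytes:
    return attr(ATTR_SERVICE_TYPE, struct.pack("!I", value))

def cisco_avpair(text: str) -> bytes:
    """Wrap e.g. 'shell:priv-lvl=15' in a Vendor-Specific attribute (vendor 9, type 1)."""
    data = text.encode("ascii")
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2) + data
    return attr(ATTR_VENDOR_SPECIFIC, vsa)

def parse_attrs(blob: bytes):
    """Yield (type, value) pairs; reject truncated or zero-length attributes."""
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", blob[i:i + 2])
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        yield atype, blob[i + 2:i + alen]
        i += alen

def exec_privilege(blob: bytes) -> int:
    """Privilege level granted per the thread (constructed simplification of IOS)."""
    admin, priv_lvl = False, None
    for atype, value in parse_attrs(blob):
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            admin |= struct.unpack("!I", value)[0] == SERVICE_TYPE_ADMINISTRATIVE
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            text = value[6:4 + vlen].decode("ascii", "replace")
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR \
                    and text.startswith("shell:priv-lvl="):
                priv_lvl = int(text.split("=", 1)[1])
    return priv_lvl if priv_lvl is not None else (15 if admin else 1)
```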

Difan Zhao
Level 5

Thanks guys!