
Cannot log in to switch straight to privileged exec mode

Hello, 

 

I have a 2960x switch with 15.2(7)E0a IOS.

When I was logged in from ssh, I did not put enable password. It went straight to privileged mode. 

 

Then I configured some aaa commands to integrate with ISE. 

Then when I log on I must enter the enable password and I cannot find how to overcome this.

 

Any ideas?

 

Thanks and regards, 

Konstantinos


Seb Rupik
VIP Alumni

Hi there,

Prior to the new AAA commands, were you logging in using a local user account? If so, the user must have been configured with the privilege 15 parameter:

!
username foo privilege 15 secret xxx
!

If you are now using ISE for AAA then you will need to return the shell parameter:

shell:priv-lvl=15

...as part of the accept response.

 

Take a look here, it is an old version of ISE but the theory is still correct:

https://cs7networks.co.uk/2016/11/20/cisco-ise-aaa-configuration-for-vty-logins/

 

cheers,

Seb.

Hello Seb,

Yes, I use local accounts.
The fact is that I still use the local accounts for ssh to the switch. The ISE is for the endpoints.

Regards,
Konstantinos

Can you share the following output:

sh run | inc aaa

sh run | beg line con

 

 

cheers,

Seb.

Hello, 

Here is the output

 

aaa new-model

aaa group server radius ise-group
 server name xxxx
 server name xxxx

aaa authentication dot1x default group ise-group
aaa authorization network default group ise-group
aaa authorization network cts-list group ise-group
aaa authorization auth-proxy default group ise-group
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group ise_group
aaa accounting system default start-stop group ise_group

aaa server radius dynamic-author
 client xxxx server-key xxxx
 client xxxx server-key xxxx
 server-key xxxx
 auth-type any

line con 0
 logging synchronous

line vty 0 4
 logging synchronous
 login local
 transport input ssh

 

Regards, 

Konstantinos

Try adding the following:

!
aaa authentication login VTY_LOCAL local
aaa authorization exec EXEC_LOCAL local
!
line vty 0 4
  login authentication VTY_LOCAL
  authorization exec EXEC_LOCAL
!

cheers,

Seb.
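
An added example, not part of any post in this thread: a small Python check that reads a running-config and reports VTY lines whose login or exec method lists are not defined once aaa new-model is enabled, which is the gap the suggested EXEC_LOCAL list closes. The sample configs and function names are constructed for illustration, and sub-commands are assumed to be indented the way show running-config prints them.

```python
import re

# Constructed samples modelled on the thread: BEFORE has "aaa new-model" but no
# exec authorization; AFTER adds the method lists suggested in the reply.
BEFORE = """aaa new-model
username foo privilege 15 secret xxx
line vty 0 4
 logging synchronous
 transport input ssh
"""
AFTER = """aaa new-model
aaa authentication login VTY_LOCAL local
aaa authorization exec EXEC_LOCAL local
username foo privilege 15 secret xxx
line vty 0 4
 login authentication VTY_LOCAL
 authorization exec EXEC_LOCAL
 transport input ssh
"""

def defined_lists(cfg, kind):
    """Names of globally defined method lists, e.g. kind='authorization exec'."""
    return set(re.findall(rf"^aaa {kind} (\S+) ", cfg, re.M))

def vty_blocks(cfg):
    """Yield (header, sub-commands) per 'line vty' section (indented body assumed)."""
    for m in re.finditer(r"^(line vty[^\n]*)\n((?:[ \t]+[^\n]*\n?)*)", cfg, re.M):
        yield m.group(1).strip(), [c.strip() for c in m.group(2).splitlines()]

def audit(cfg):
    """List VTY lines whose login/exec method lists are missing under aaa new-model."""
    findings = []
    if not re.search(r"^aaa new-model\s*$", cfg, re.M):
        return findings  # AAA not enabled: method lists do not apply
    checks = (("login authentication", "authentication login"),
              ("authorization exec", "authorization exec"))
    for header, cmds in vty_blocks(cfg):
        for line_cmd, global_cmd in checks:
            # A line without an explicit list uses the one named "default".
            used = next((c.split()[-1] for c in cmds
                         if c.startswith(line_cmd + " ")), "default")
            if used in defined_lists(cfg, global_cmd):
                continue
            if used == "default" and global_cmd == "authentication login":
                continue  # only the exec list is reported when left at default
            findings.append(f"{header}: aaa {global_cmd} list '{used}' is not defined")
    return findings

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg) or "ok")
```
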

Hello Seb, 

 

I will try them!!

 

Thank you!!

Regards, 

Konstantinos
