cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2226
Views
43
Helpful
19
Replies

Cisco Router not using configured privilege level

agchapman
Beginner
Beginner

Hi all, (all names etc are changed)

One of our clients is using a 2811 with only one account configured, as such:

username bdmin privilege 15 secret wordpass

and the enable password configured, in the running-config as:

enable secret 5 $1$mE92$SKx0DXmiCyPIWI/170LJE1 

(I know this password, its just encrypted for accuracy)

"service password-encryption" has been turned on.

However, when logging in by telnet, using the bdmin username and password, I am dropped to a user mode prompt, not a Privileged. I have tried removing and re-adding the user account. It's the only one on the router, and removing the enable secret password just leaves me stuck in user mode.

I'm running 12.3(14)T5 code and can't work out for the life of me how to get a priv 15 user login working properly. Any ideas people?

Cheers!

1 Accepted Solution

Accepted Solutions

Hi Subeh,

I agree with you.

If aaa new-model is configured this should do the trick:

aaa authorization exec default local

Otherwise Paul solution would be ok too but with aaa new-model disabled.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

View solution in original post

19 Replies 19

Rolf Fischer
Engager
Engager

Hi,

could you post the configuration of the line vtys?

Do you have "aaa new-model" enabled? If so, do you need AAA?

Regards

Rolf

Hi,

line vty config is:

line vty 0 4

exec-timeout 20 0

transport input telnet

line vty 5 15

exec-timeout 20 0

transport input telnet

aaa new-model has been activated, but there doesn't seem to be any aaa configured really.

Hi Alistair,

You have privilege 15 configured for username bdmin and hence you're been dropped at privilege mode. If you want to be dropped to user mode then try configuring privilege 1 instead of 15:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml

Regards,

Subeh

No, the problem is I am dropped to user mode, NOT privileged mode. I can only access privileged mode using the enable password, as I stated in the original topic.

Alistair,

Sorry, my bad. You mentioned about AAA being configured. Since there is no aaa configuration, have you tried logging in after doing 'no aaa new-model'? if yes, then what is the result?

Regards,

Subeh

have you tried logging in after doing 'no aaa new-model'?

Right, this should be the simplest solution.

That's why I asked for AAA.

Best regards

Rolf

Hello

"I am dropped to a user mode prompt, not a Privileged"

line vty 0 xx

login local

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

with AAA enable, you can't configure "login local".

Regards,

Subeh

@Subeth

According to the OP AAA isnt configured, so the reason why he is getting to exec mode is because he hasnt defined to use the local access credentials in vtty.

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

@pdriver

AAA is activated, due to which login local will not be available.

Regards,

Subeh

Hi Subeh,

I agree with you.

If aaa new-model is configured this should do the trick:

aaa authorization exec default local

Otherwise Paul solution would be ok too but with aaa new-model disabled.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

If aaa new-model is configured but there are no aaa authentication configuration commands then the result is essentially the same as login local.

I agree with Alain that the issue is not about authentication but is about authorization.

And the other alternative is to not worry about authorization and just configure privilege-level 15 directly on the vty ports. Since there is only one user who will be able to login I see no problem in automatically putting users on vty directly into privilege mode.

HTH

Rick

HTH

Rick

Hello

@Richard - I dont think just adding privilege level 15 to the vty lines will work when default AAA is active

AAA needs to be either disabled and have the login local added to the vty lines or keep the aaa enabled  add aaa authentication login default local

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

@Richard - I dont think just adding privilege level 15 to the vty lines will work when default AAA is active

I just labbed it and it works.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers