Cisco Router not using configured privilege level

agchapman
Level 1

Hi all, (all names etc are changed)

One of our clients is using a 2811 with only one account configured, as such:

username bdmin privilege 15 secret wordpass

and the enable password configured, in the running-config as:

enable secret 5 $1$mE92$SKx0DXmiCyPIWI/170LJE1 

(I know this password, it's just encrypted for accuracy)

"service password-encryption" has been turned on.

However, when logging in by telnet, using the bdmin username and password, I am dropped to a user mode prompt, not a Privileged. I have tried removing and re-adding the user account. It's the only one on the router, and removing the enable secret password just leaves me stuck in user mode.

I'm running 12.3(14)T5 code and can't work out for the life of me how to get a priv 15 user login working properly. Any ideas people?

Cheers!

1 Accepted Solution

Hi Subeh,

I agree with you.

If aaa new-model is configured this should do the trick:

aaa authorization exec default local

Otherwise Paul's solution would be OK too, but with aaa new-model disabled.

Regards

Alain

Don't forget to rate helpful posts.

19 Replies

Rolf Fischer
Level 9

Hi,

Could you post the configuration of the line vtys?

Do you have "aaa new-model" enabled? If so, do you need AAA?

Regards

Rolf

Hi,

line vty config is:

line vty 0 4
 exec-timeout 20 0
 transport input telnet
line vty 5 15
 exec-timeout 20 0
 transport input telnet

aaa new-model has been activated, but there doesn't seem to be any aaa configured really.

Hi Alistair,

You have privilege 15 configured for username bdmin and hence you're being dropped at privilege mode. If you want to be dropped to user mode then try configuring privilege 1 instead of 15:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml

Regards,

Subeh

No, the problem is I am dropped to user mode, NOT privileged mode. I can only access privileged mode using the enable password, as I stated in the original topic.

Alistair,

Sorry, my bad. You mentioned AAA being configured. Since there is no aaa configuration, have you tried logging in after doing 'no aaa new-model'? If yes, then what is the result?

Regards,

Subeh

have you tried logging in after doing 'no aaa new-model'?

Right, this should be the simplest solution.

That's why I asked for AAA.

Best regards

Rolf

Hello

"I am dropped to a user mode prompt, not a Privileged"

line vty 0 xx
 login local

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

With AAA enabled, you can't configure "login local".

Regards,

Subeh

@Subeh

According to the OP, AAA isn't configured, so the reason why he is getting to exec mode is because he hasn't defined to use the local access credentials in vty.

res

Paul

@pdriver

AAA is activated, due to which login local will not be available.

Regards,

Subeh

Hi Subeh,

I agree with you.

If aaa new-model is configured this should do the trick:

aaa authorization exec default local

Otherwise Paul's solution would be OK too, but with aaa new-model disabled.

Regards

Alain

Don't forget to rate helpful posts.


If aaa new-model is configured but there are no aaa authentication configuration commands then the result is essentially the same as login local.

I agree with Alain that the issue is not about authentication but is about authorization.

And the other alternative is to not worry about authorization and just configure privilege-level 15 directly on the vty ports. Since there is only one user who will be able to login I see no problem in automatically putting users on vty directly into privilege mode.

HTH

Rick


Hello

@Richard - I don't think just adding privilege level 15 to the vty lines will work when default AAA is active.

AAA needs to be either disabled and have the login local added to the vty lines, or keep the aaa enabled and add aaa authentication login default local

res

Paul


Hi Paul,

@Richard - I don't think just adding privilege level 15 to the vty lines will work when default AAA is active

I just labbed it and it works.

Regards

Alain

Don't forget to rate helpful posts.
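
The behaviour the thread converges on, as an added example that is not part of any poster's reply and not Cisco tooling: a Python check that reads the configuration lines quoted above and predicts the privilege level a local user lands in on each vty. The function name `vty_login_privilege` and its rules are assumptions drawn from the replies: only the `default` exec authorization list is modelled, and without per-user authorization the login gets the line's own privilege level.

```python
import re

# Constructed from the lines quoted in the thread (not a full running-config).
THREAD_CONFIG = """\
aaa new-model
username bdmin privilege 15 secret wordpass
line vty 0 4
 exec-timeout 20 0
 transport input telnet
line vty 5 15
 exec-timeout 20 0
 transport input telnet
"""

def vty_login_privilege(config, user):
    """Map each 'line vty' block to the privilege level `user` lands in."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    aaa = "aaa new-model" in lines  # exact match, so 'no aaa new-model' is False
    # Assumption: only the default exec authorization method list is modelled.
    exec_local = any(
        re.fullmatch(r"aaa authorization exec default( \S+)* local( \S+)*", l)
        for l in lines)
    user_priv = 1  # level used when the username has no 'privilege' keyword
    for l in lines:
        m = re.match(r"username (\S+)(?: privilege (\d+))?", l)
        if m and m.group(1) == user and m.group(2):
            user_priv = int(m.group(2))
    vtys, cur = {}, None
    for l in lines:
        if l.startswith("line "):
            cur = l if l.startswith("line vty") else None
            if cur:
                vtys[cur] = {"priv": 1, "login_local": False}
        elif l == "!":
            cur = None
        elif cur:
            m = re.fullmatch(r"privilege level (\d+)", l)
            if m:
                vtys[cur]["priv"] = int(m.group(1))
            if l == "login local":
                vtys[cur]["login_local"] = True
    # With AAA on, the username's level applies only via exec authorization;
    # with AAA off, it applies only where the line uses 'login local'.
    return {name: user_priv if (exec_local if aaa else v["login_local"]) else v["priv"]
            for name, v in vtys.items()}

if __name__ == "__main__":
    print(vty_login_privilege(THREAD_CONFIG, "bdmin"))
    print(vty_login_privilege("aaa authorization exec default local\n" + THREAD_CONFIG, "bdmin"))
```

Setting `privilege level 15` on a vty raises the level for every login on that line, not only for `bdmin`, which is the trade-off Rick describes.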
