05-22-2013 10:30 PM - edited 03-04-2019 07:59 PM
Hi all, (all names etc are changed)
One of our clients is using a 2811 with only one account configured, as such:
username bdmin privilege 15 secret wordpass
and the enable password configured, in the running-config as:
enable secret 5 $1$mE92$SKx0DXmiCyPIWI/170LJE1
(I know this password, it's just encrypted for accuracy)
"service password-encryption" has been turned on.
However, when logging in by telnet, using the bdmin username and password, I am dropped to a user mode prompt, not a Privileged. I have tried removing and re-adding the user account. It's the only one on the router, and removing the enable secret password just leaves me stuck in user mode.
I'm running 12.3(14)T5 code and can't work out for the life of me how to get a priv 15 user login working properly. Any ideas people?
Cheers!
05-22-2013 11:25 PM
Hi,
could you post the configuration of the line vtys?
Do you have "aaa new-model" enabled? If so, do you need AAA?
Regards
Rolf
05-22-2013 11:50 PM
Hi,
line vty config is:
line vty 0 4
 exec-timeout 20 0
 transport input telnet
line vty 5 15
 exec-timeout 20 0
 transport input telnet
aaa new-model has been activated, but there doesn't seem to be any aaa configured really.
05-23-2013 12:02 AM
Hi Alistair,
You have privilege 15 configured for username bdmin and hence you're being dropped at privilege mode. If you want to be dropped to user mode then try configuring privilege 1 instead of 15:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml
Regards,
Subeh
05-23-2013 12:03 AM
No, the problem is I am dropped to user mode, NOT privileged mode. I can only access privileged mode using the enable password, as I stated in the original topic.
05-23-2013 12:42 AM
Alistair,
Sorry, my bad. You mentioned AAA being configured. Since there is no aaa configuration, have you tried logging in after doing 'no aaa new-model'? If yes, then what is the result?
Regards,
Subeh
05-23-2013 12:54 AM
have you tried logging in after doing 'no aaa new-model'?
Right, this should be the simplest solution.
That's why I asked for AAA.
Best regards
Rolf
05-23-2013 01:28 AM
Hello
"I am dropped to a user mode prompt, not a Privileged"
line vty 0 xx
login local
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
05-23-2013 02:00 AM
With AAA enabled, you can't configure "login local".
Regards,
Subeh
05-23-2013 02:06 AM
@Subeh
According to the OP, AAA isn't configured, so the reason why he is getting to exec mode is because he hasn't defined the vty lines to use the local access credentials.
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
05-23-2013 02:11 AM
@pdriver
AAA is activated, due to which login local will not be available.
Regards,
Subeh
05-23-2013 02:40 AM
Hi Subeh,
I agree with you.
If aaa new-model is configured this should do the trick:
aaa authorization exec default local
Otherwise Paul's solution would be ok too, but with aaa new-model disabled.
Regards
Alain
Don't forget to rate helpful posts.
05-23-2013 05:19 AM
If aaa new-model is configured but there are no aaa authentication configuration commands then the result is essentially the same as login local.
I agree with Alain that the issue is not about authentication but is about authorization.
And the other alternative is to not worry about authorization and just configure privilege-level 15 directly on the vty ports. Since there is only one user who will be able to login I see no problem in automatically putting users on vty directly into privilege mode.
HTH
Rick
05-23-2013 05:51 AM
Hello
@Richard - I don't think just adding privilege level 15 to the vty lines will work when default AAA is active.
AAA needs to be either disabled, with login local added to the vty lines, or kept enabled with aaa authentication login default local added.
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
05-23-2013 05:59 AM
Hi Paul,
@Richard - I don't think just adding privilege level 15 to the vty lines will work when default AAA is active
I just labbed it and it works.
Regards
Alain
Don't forget to rate helpful posts.
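
The behaviour the replies converge on can be checked offline against a saved running-config. The script below is an added example, not part of the thread or any Cisco tool: it is a simplified model of the thread's conclusions (with aaa new-model the username's privilege applies only when "aaa authorization exec default ... local" is present, otherwise the vty's own "privilege level" applies, default 1). The function names and the sample config are constructed for illustration.

```python
import re

# Constructed running-config fragment modelled on the thread (not a real device).
SAMPLE = """\
aaa new-model
username bdmin privilege 15 secret wordpass
line vty 0 4
 exec-timeout 20 0
 transport input telnet
line vty 5 15
 exec-timeout 20 0
 transport input telnet
"""

def parse(config):
    """Collect the global and per-vty settings that decide the exec level."""
    info = {"aaa": False, "exec_authz": False, "users": {}, "vty": {}}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] not in (" ", "\t"):      # unindented line ends line sub-mode
            current = None
        if line == "aaa new-model":
            info["aaa"] = True
        elif line.startswith("aaa authorization exec default") and "local" in line.split():
            info["exec_authz"] = True
        elif m := re.match(r"username (\S+)(?: privilege (\d+))?", line):
            info["users"][m.group(1)] = int(m.group(2) or 1)
        elif line.startswith("line vty "):
            current = line[len("line "):]
            info["vty"][current] = {"login_local": False, "priv": 1}
        elif current and line == "login local":
            info["vty"][current]["login_local"] = True
        elif current and (m := re.match(r"privilege level (\d+)", line)):
            info["vty"][current]["priv"] = int(m.group(1))
    return info

def landing_level(config, user):
    """Predicted privilege level after login, per vty range (simplified model)."""
    info = parse(config)
    result = {}
    for name, vty in info["vty"].items():
        # AAA on: exec authorization decides; AAA off: 'login local' decides.
        uses_user_level = info["exec_authz"] if info["aaa"] else vty["login_local"]
        result[name] = info["users"][user] if uses_user_level else vty["priv"]
    return result
```

Run against the sample, it reports level 1 on both vty ranges, matching the original symptom; any vty range that reports 15 through "privilege level 15" alone grants that level to every account that can authenticate on it.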