Cisco Router not using configured privilege level

Hi all, (all names etc are changed)

One of our clients is using a 2811 with only one account configured, as such:

username bdmin privilege 15 secret wordpass

and the enable password configured, in the running-config as:

enable secret 5 $1$mE92$SKx0DXmiCyPIWI/170LJE1 

(I know this password, it's just encrypted for accuracy)

"service password-encryption" has been turned on.

However, when logging in by telnet, using the bdmin username and password, I am dropped to a user mode prompt, not a Privileged. I have tried removing and re-adding the user account. It's the only one on the router, and removing the enable secret password just leaves me stuck in user mode.

I'm running 12.3(14)T5 code and can't work out for the life of me how to get a priv 15 user login working properly. Any ideas people?

Cheers!

1 ACCEPTED SOLUTION

Hi Subeh,

I agree with you.

If aaa new-model is configured this should do the trick:

aaa authorization exec default local

Otherwise Paul's solution would be OK too, but with aaa new-model disabled.

Regards

Alain

Don't forget to rate helpful posts.

19 REPLIES

Hi,

could you post the configuration of the line vtys?

Do you have "aaa new-model" enabled? If so, do you need AAA?

Regards

Rolf

Hi,

line vty config is:

line vty 0 4
 exec-timeout 20 0
 transport input telnet
line vty 5 15
 exec-timeout 20 0
 transport input telnet

aaa new-model has been activated, but there doesn't seem to be any aaa configured really.

Hi Alistair,

You have privilege 15 configured for username bdmin and hence you're being dropped at privilege mode. If you want to be dropped to user mode then try configuring privilege 1 instead of 15:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml

Regards,

Subeh

No, the problem is I am dropped to user mode, NOT privileged mode. I can only access privileged mode using the enable password, as I stated in the original topic.

Alistair,

Sorry, my bad. You mentioned AAA being configured. Since there is no AAA configuration, have you tried logging in after doing 'no aaa new-model'? If yes, then what is the result?

Regards,

Subeh

"have you tried logging in after doing 'no aaa new-model'?"

Right, this should be the simplest solution.

That's why I asked for AAA.

Best regards

Rolf

Hello

"I am dropped to a user mode prompt, not a Privileged"

line vty 0 xx

login local

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

With AAA enabled, you can't configure "login local".

Regards,

Subeh

@Subeh

According to the OP, AAA isn't configured, so the reason why he is getting to exec mode is because he hasn't defined to use the local access credentials in vty.

res

Paul

@pdriver

AAA is activated, due to which login local will not be available.

Regards,

Subeh

If aaa new-model is configured but there are no aaa authentication configuration commands then the result is essentially the same as login local.

I agree with Alain that the issue is not about authentication but is about authorization.

And the other alternative is to not worry about authorization and just configure privilege-level 15 directly on the vty ports. Since there is only one user who will be able to login I see no problem in automatically putting users on vty directly into privilege mode.

HTH

Rick

Hello

@Richard - I don't think just adding privilege level 15 to the vty lines will work when default AAA is active

AAA needs to be either disabled and have login local added to the vty lines, or keep AAA enabled and add aaa authentication login default local

res

Paul

Hi Paul,

"@Richard - I don't think just adding privilege level 15 to the vty lines will work when default AAA is active"

I just labbed it and it works.

Regards

Alain

Don't forget to rate helpful posts.
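
An added example, not part of any post in this thread: a small Python check that reads a running-config and reports the privilege level a local user holds on each vty right after login. It uses only the rules the replies describe (exec authorization when AAA is on, login local when it is off, or a privilege level set on the line). The function name, the sample configs, the IOS spelling `privilege level 15` for the line command, and the one-space indentation of sub-commands are assumptions.

```python
import re

def landing_privilege(config: str, user: str) -> dict:
    """Map each 'line vty' range to the privilege level `user` holds right after login."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip() not in ("", "!")]
    aaa = any(l.strip() == "aaa new-model" for l in lines)
    # Simplification: only the default exec authorization list with a 'local' method counts.
    authz_local = aaa and any(
        re.match(r"aaa authorization exec default\b.*\blocal\b", l.strip()) for l in lines)
    m = next((re.match(rf"username {re.escape(user)}\b.*?\bprivilege (\d+)", l)
              for l in lines if l.startswith(f"username {user} ")), None)
    user_priv = int(m.group(1)) if m else None

    blocks, current = {}, None
    for l in lines:
        if not l.startswith(" "):      # a top-level command closes any open vty block
            vty = re.match(r"line vty (\d+(?: \d+)?)", l)
            current = vty.group(1) if vty else None
            if current:
                blocks[current] = {"line_priv": 1, "login_local": False}
        elif current:
            sub = l.strip()
            if (p := re.match(r"privilege level (\d+)$", sub)):
                blocks[current]["line_priv"] = int(p.group(1))
            elif sub == "login local":
                blocks[current]["login_local"] = True

    levels = {}
    for rng, b in blocks.items():
        # With AAA, the username's privilege is applied only if exec authorization is on;
        # without AAA, only if the line uses the local user database.
        applies = authz_local if aaa else b["login_local"]
        levels[rng] = user_priv if applies and user_priv is not None else b["line_priv"]
    return levels

# Constructed sample modelled on the thread's router (sub-commands indented as in show run).
BROKEN = """\
aaa new-model
username bdmin privilege 15 secret wordpass
line vty 0 4
 exec-timeout 20 0
 transport input telnet
line vty 5 15
 exec-timeout 20 0
 transport input telnet
"""
FIX_AUTHZ = BROKEN.replace("aaa new-model", "aaa new-model\naaa authorization exec default local")
FIX_NO_AAA = BROKEN.replace("aaa new-model\n", "").replace(" transport", " login local\n transport")
FIX_LINE_PRIV = BROKEN.replace(" transport", " privilege level 15\n transport")
```

Of the three variants, only the line-level one is independent of the account: `landing_privilege(FIX_LINE_PRIV, "guest")` also reports 15 for a name with no `username` entry, so that option fits only while a single trusted account can log in on those lines.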