39454 Views | 15 Helpful | 7 Replies

Privilege level 15 isn't working for user

Pankaj Raj
Level 1

Hi Friends,

 

There is a router where a user is configured with privilege level 15. But when trying to access that router with that username, the router connects in user EXEC mode (privilege level 1) rather than privileged EXEC mode (privilege level 15), and hence that user needs to use the enable password to get to privilege level 15.

The version and user-related configuration of the router are below. Please let me know if you need any more details for your reference. I need your help to rectify this.

 

Cisco IOS Software, 3800 Software (C3845-SPSERVICESK9-M), Version 12.4(20)T3, RELEASE SOFTWARE (fc2)

 

enable secret 5 XXXXXXXXXXXXXXXXXXXX

username cisco privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXX

username telnett12 password 7 XXXXXXXXXXXXXXXXXXXX

line vty 0 4
 session-timeout 240
 password 7 XXXXXXXXXXXXXXXXXXXX
 transport input telnet rlogin ssh
line vty 5 15
 session-timeout 240
 password 7 XXXXXXXXXXXXXXXXXXXX
 transport input all

 

 

Here, both telnett12 and cisco connect to the router with privilege level 1, whereas cisco should have connected with privilege level 15.

Thanks in Advance!! :)


7 Replies

vishal vyas
Level 1

Please configure "login local" under the line vty config.

Hi Vishal,

Thanks for the response. This router doesn't support the "login local" command. The available commands are below for your reference. Can you please support further on this?

 

dcnrtr5(config-line)#login ?
  authentication  Authentication parameters.
  ctrlc-disable   Disable CONTROL-C during login.

dcnrtr5(config-line)#

 

 

Just to add one more thing: I'm able to log in to the router with the user cisco and its password, but it connects to user mode (Router> prompt), whereas due to privilege level 15 it should connect to privileged EXEC mode (Router# prompt).

Now I'm just wondering, if "login local" isn't configurable, how are the users working? Because as far as I know, users work after configuring the "login local" command. I'm not sure, but it may be related to AAA somehow. I really need an expert's support here to understand this.

AAA Configuration is here below.

aaa new-model
aaa session-id common

Hi Pankaj,

 

The "login local" command would be used only if aaa new-model is disabled; when aaa new-model is enabled you should use "login authentication default", which is enabled by default when aaa new-model is enabled.

You would grant access to privileged (level 15) mode to any user (not only privilege 15 users) logged in via vty by applying a configuration similar to this:

 

aaa new-model
aaa authentication login default local

line vty 0 4
 login authentication default
 privilege level 15

 

Regards,

Aref

Hi Aref,

 

Thanks for the detailed support. It worked as you said.

However, I have to use different users with different privilege levels, hence I've currently disabled AAA so that all users get their respective privilege levels.

 

Further to this, please let me know if there is any solution for the scenario where AAA is enabled and local users need to be granted different levels.

 

Thanks....... Pankaj Raj

You are very welcome Pankaj.

 

Sure, you should apply authorization along with the authentication and remove the "privilege level 15" command from the vty lines. The following configuration should do that for you:

 

aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
username priv15 privilege 15 secret xxxxxxxxxx
username priv1 secret xxxxxxxxxx
username priv7 privilege 7 secret xxxxxxxxxx
!
line vty 0 4
 login authentication default
 authorization exec default
 no privilege level 15


Now let's try to log in with those three users, which have different privilege levels, and check the privilege level after a successful login with the command "sh priv":

login as: priv15
Using keyboard-interactive authentication.
Password:

Router#sh pri
Current privilege level is 15


login as: priv1
Using keyboard-interactive authentication.
Password:

Router>sh priv
Current privilege level is 1


login as: priv7
Using keyboard-interactive authentication.
Password:

Router#sh privilege
Current privilege level is 7

 

As you can see, each user is now logged in with its own privilege level, so each user can execute only the commands tied to its privilege level. You would still be able to prevent a user from executing a command at its privilege level by changing that command's privilege exec level. For example, if you don't want users below privilege level 8 to execute the "show" command, you would do it this way:

 

privilege exec level 8 show

 

Now that command is being authorized, so when a user with a privilege level below 8 logs in and tries to execute the "show" command, it will not be able to, and an error message similar to this would be returned:

Router#sh priv
               ^
% Invalid input detected at '^' marker.

 

Router#sh ip route
               ^
% Invalid input detected at '^' marker.

Router#

 

Regards,

Aref
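Added example (not code from the thread or from Cisco): a small Python audit that parses the three configurations discussed above (the original config from the question, Aref's first fix with "privilege level 15" on the line, and his second fix with exec authorization) and reports the level each local user would land at, plus the weaknesses a reviewer would flag (line-level privilege 15, "password 7" entries, cleartext telnet). The behavioural model is an assumption drawn from what the thread reports: under aaa new-model a login lands at the line's privilege level unless "aaa authorization exec default local" applies the username's level, and without AAA "login local" honours the username's level. The config strings are constructed from the thread's snippets with hashes elided.

```python
"""Audit an IOS config for the privilege-level pitfalls discussed in this thread.

Constructed example, not code from the thread or from Cisco. Its behavioural model is
an assumption matching what the thread reports: under 'aaa new-model' a login lands at
the line's 'privilege level' (default 1) unless 'aaa authorization exec default local'
applies the username's level; without AAA, 'login local' honours the username's level.
"""
import re


def parse_config(text):
    """Extract the AAA flags, local users and vty line blocks the audit needs."""
    cfg = {"aaa_new_model": False, "authz_exec_local": False, "users": {}, "vty": []}
    vty = None  # the 'line vty' block whose indented sub-commands are being read
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            sub = raw.strip()
            if vty is None:
                continue  # sub-command of a block this audit does not model
            if m := re.match(r"privilege level (\d+)$", sub):
                vty["privilege"] = int(m.group(1))
            elif m := re.match(r"transport input (.+)", sub):
                vty["transport"] = m.group(1).split()
            elif sub == "login local":
                vty["login_local"] = True
            continue
        vty = None
        if raw == "aaa new-model":
            cfg["aaa_new_model"] = True
        elif re.match(r"aaa authorization exec default .*\blocal\b", raw):
            cfg["authz_exec_local"] = True
        elif m := re.match(r"username (\S+)(?: privilege (\d+))? (secret|password)(?: (\d))? \S+", raw):
            cfg["users"][m.group(1)] = {"privilege": int(m.group(2) or 1),
                                        "kind": m.group(3), "type": m.group(4) or "0"}
        elif m := re.match(r"line vty (\d+) (\d+)", raw):
            vty = {"name": raw, "first": int(m.group(1)), "last": int(m.group(2)),
                   "privilege": 1, "transport": [], "login_local": False}
            cfg["vty"].append(vty)
    return cfg


def effective_privilege(cfg, username, line_no=0):
    """Privilege level `username` lands at after logging in on vty `line_no`."""
    user = cfg["users"].get(username)
    if user is None:
        return None  # not a local user: 'local' authentication rejects the login
    line = next(l for l in cfg["vty"] if l["first"] <= line_no <= l["last"])
    if cfg["aaa_new_model"]:
        return user["privilege"] if cfg["authz_exec_local"] else line["privilege"]
    return user["privilege"] if line["login_local"] else line["privilege"]


def audit(cfg):
    """Findings a reviewer would raise against the configs in this thread."""
    findings = []
    if cfg["aaa_new_model"] and not cfg["authz_exec_local"]:
        findings.append("aaa new-model without exec authorization: username privilege ignored")
    for name, u in cfg["users"].items():
        if u["kind"] == "password":
            findings.append(f"username {name}: 'password' type {u['type']} instead of 'secret'")
    for l in cfg["vty"]:
        if l["privilege"] == 15:
            findings.append(f"{l['name']}: 'privilege level 15' gives every login enable level")
        if "telnet" in l["transport"] or "all" in l["transport"]:
            findings.append(f"{l['name']}: transport input allows cleartext telnet")
    return findings


# Constructed from the thread's snippets (hashes elided): the original problem config,
# Aref's first fix (line-level privilege 15) and his second fix (exec authorization).
ORIGINAL = """\
aaa new-model
enable secret 5 XXXX
username cisco privilege 15 secret 5 XXXX
username telnett12 password 7 XXXX
line vty 0 4
 password 7 XXXX
 transport input telnet rlogin ssh
"""
FIRST_FIX = (ORIGINAL.replace("enable secret 5 XXXX\n", "aaa authentication login default local\n")
             .replace("line vty 0 4\n", "line vty 0 4\n login authentication default\n privilege level 15\n"))
SECOND_FIX = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username priv15 privilege 15 secret xxxxxxxxxx
username priv1 secret xxxxxxxxxx
username priv7 privilege 7 secret xxxxxxxxxx
line vty 0 4
 login authentication default
 authorization exec default
"""

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("first fix", FIRST_FIX), ("second fix", SECOND_FIX)):
        cfg = parse_config(text)
        print(f"== {label}")
        for user in cfg["users"]:
            print(f"  {user:<10} lands at level {effective_privilege(cfg, user)}")
        for finding in audit(cfg):
            print("  !", finding)
```

Running it shows the progression the thread went through: in the original config both cisco and telnett12 land at level 1, after the first fix both land at 15 (which is the over-grant Aref warned about), and only after exec authorization does each user get its own configured level. The no-AAA case Pankaj fell back to is modelled too: strip "aaa new-model" and add "login local" to the line and cisco lands at 15 while telnett12 stays at 1.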

Hey Aref,

That's great. It helped me a lot, especially the explanation. Things are as expected now.

Regards........ Pankaj Raj

Glad I could be of help man.

 

Regards,

Aref
