10-27-2014 05:53 AM - edited 03-05-2019 12:02 AM
Hi Friends,
There is a router where a user is configured with privilege level 15. But when accessing that router with that username, the session lands in user EXEC mode (privilege level 1) rather than privileged EXEC mode (privilege level 15), and hence that user needs to use the enable password to get to privilege level 15.
The version and user-related configuration of the router are below. Please let me know if you need any more detail. I need your help to rectify this.
Cisco IOS Software, 3800 Software (C3845-SPSERVICESK9-M), Version 12.4(20)T3, RELEASE SOFTWARE (fc2)
enable secret 5 XXXXXXXXXXXXXXXXXXXX
username cisco privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXX
username telnett12 password 7 XXXXXXXXXXXXXXXXXXXX
line vty 0 4
session-timeout 240
password 7 XXXXXXXXXXXXXXXXXXXX
transport input telnet rlogin ssh
line vty 5 15
session-timeout 240
password 7 XXXXXXXXXXXXXXXXXXXX
transport input all
Here, telnett12 and cisco both connect to the router with privilege level 1, whereas cisco should have connected with privilege level 15.
Thanks in Advance!! :)
10-27-2014 10:19 AM
Please configure login local under the line vty config.
10-28-2014 12:31 AM
Hi Vishal,
Thanks for the response. This router doesn't support the "login local" command. The available commands are below for your reference. Can you please support further on this?
dcnrtr5(config-line)#login ?
authentication Authentication parameters.
ctrlc-disable Disable CONTROL-C during login.
dcnrtr5(config-line)#
Just to add one more thing: I'm able to log in to the router with the user cisco and its password, but it connects to user mode (Router> prompt), whereas due to privilege level 15 it should connect to privileged EXEC mode (Router# prompt).
Now I'm just wondering, if login local isn't configurable, how the users are working, because as far as I know users work after configuring the "login local" command. I'm not sure, but it may be related to AAA as well. I really need an expert's support here to understand this.
AAA Configuration is here below.
aaa new-model
aaa session-id common
10-28-2014 07:05 AM
Hi Pankaj,
The login local command would be used only if aaa new-model is disabled; when aaa new-model is enabled you should use "login authentication default", which is enabled by default when aaa new-model is enabled.
You would grant access to privilege 15 mode to any user (not only privilege 15 users) logged in via vty by applying configs similar to these:
aaa new-model
aaa authentication login default local
line vty 0 4
login authentication default
privilege level 15
Regards,
Aref
10-29-2014 12:53 AM
Hi Aref,
Thanks for the detailed support. It worked as you said.
However, I have to use different users with different privilege levels, so I've currently disabled AAA so that all users can use their respective privilege levels.
Further to this, please let me know if there is any solution for the scenario where AAA is enabled and local users need to be granted different levels.
Thanks....... Pankaj Raj
10-29-2014 03:18 AM
You are very welcome Pankaj.
Sure, you should apply authorization along with the authentication and remove the "privilege level 15" command from the vty lines. The following configs should do that for you:
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
username priv15 privilege 15 secret xxxxxxxxxx
username priv1 secret xxxxxxxxxx
username priv7 privilege 7 secret xxxxxxxxxx
!
line vty 0 4
login authentication default
authorization exec default
no privilege level 15
Now let's try to log in with those three users, which have different privilege levels, and check the privilege level after a successful login with the command "sh priv":
login as: priv15
Using keyboard-interactive authentication.
Password:
Router#sh pri
Current privilege level is 15
login as: priv1
Using keyboard-interactive authentication.
Password:
Router>sh priv
Current privilege level is 1
login as: priv7
Using keyboard-interactive authentication.
Password:
Router#sh privilege
Current privilege level is 7
As you can see, each user is now logged in with its privilege level, so each user would be able to execute only the commands tied to its privilege level. But you would still be able to prevent a user from executing a command of its privilege level by changing that command's privilege exec level. For example, if you don't want users with a privilege level below 8 to execute the "show" command, you would do it this way:
privilege exec level 8 show
Now that command is being authorized, so when a user with a privilege level below 8 logs in and tries to execute the "show" command, it would not be able to, and an error message similar to this would be returned:
Router#sh priv
^
% Invalid input detected at '^' marker.
Router#sh ip route
^
% Invalid input detected at '^' marker.
Router#
Regards,
Aref
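To make the mechanics of the two answers above concrete, here is an added example (not from this thread, Aref, or Cisco): a small Python audit script that parses an IOS running-config excerpt and models what EXEC level a local user lands at on a vty login. The parser and the login model are simplified assumptions of mine, not Cisco's implementation, and the two embedded configs are constructed: CONFIG_BEFORE mirrors the original poster's situation (aaa new-model on, no exec authorization), CONFIG_AFTER mirrors the corrected configuration with "aaa authorization exec default local". The script also flags the settings a reviewer would raise: the "privilege level 15" line from the first answer, which hands level 15 to every authenticated user, and the type 7 passwords in the original config.

```python
# Added example (not from this thread or from Cisco): audit an IOS config
# excerpt for the privilege-level behaviour discussed above. The parser and
# the login model are simplified assumptions, not Cisco's implementation.
import re

# Constructed configs; secrets are dummy placeholders. BEFORE mirrors the
# original poster's setup, AFTER mirrors the corrected one with authorization.
CONFIG_BEFORE = """\
aaa new-model
enable secret 5 XXXXXXXXXXXXXXXXXXXX
username cisco privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXX
username telnett12 password 7 XXXXXXXXXXXXXXXXXXXX
line vty 0 4
 password 7 XXXXXXXXXXXXXXXXXXXX
"""

CONFIG_AFTER = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username priv15 privilege 15 secret xxxxxxxxxx
username priv1 secret xxxxxxxxxx
username priv7 privilege 7 secret xxxxxxxxxx
privilege exec level 8 show
line vty 0 4
 login authentication default
 authorization exec default
"""

# Keywords that always start a global statement (and so end a 'line' section).
GLOBAL_PREFIXES = ("aaa ", "username ", "enable ", "privilege exec ", "line ", "end")

def parse_config(text):
    """Extract users, exec-authorization lists, vty settings and command levels.
    Indentation is ignored on purpose: pasted configs usually lose it."""
    cfg = {"aaa_new_model": False, "users": {}, "authz_exec": {},
           "vty": {}, "cmd_levels": {}, "type7": []}
    in_vty = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(GLOBAL_PREFIXES):
            in_vty = line.startswith("line vty")
        if in_vty and not line.startswith("line "):
            parts = line.split()
            if parts[:2] == ["privilege", "level"]:
                cfg["vty"]["privilege"] = int(parts[2])
            elif parts[0] == "login":
                cfg["vty"]["login"] = " ".join(parts[1:]) or "line-password"
            elif parts[:2] == ["authorization", "exec"]:
                cfg["vty"]["authz"] = parts[2]
            elif parts[:2] == ["password", "7"]:
                cfg["type7"].append("line vty")
            continue
        if line == "aaa new-model":
            cfg["aaa_new_model"] = True
        elif line.startswith("aaa authorization exec "):
            _, _, _, name, *methods = line.split()
            cfg["authz_exec"][name] = methods
        elif line.startswith("username "):
            m = re.match(r"username (\S+)(?: privilege (\d+))?", line)
            cfg["users"][m.group(1)] = int(m.group(2) or 1)
            if " password 7 " in line:
                cfg["type7"].append(m.group(1))
        elif line.startswith("privilege exec level "):
            _, _, _, level, cmd = line.split(maxsplit=4)
            cfg["cmd_levels"][cmd] = int(level)
    return cfg

def login_level(cfg, user):
    """EXEC level a local user receives on a vty login (simplified model)."""
    own = cfg["users"].get(user)
    if own is None:
        return None
    vty = cfg["vty"]
    if cfg["aaa_new_model"]:
        methods = cfg["authz_exec"].get(vty.get("authz", "default"), [])
        if "local" in methods:
            return own                   # exec authorization applies the user's level
        return vty.get("privilege", 1)   # no authorization: the line's level wins
    if vty.get("login") == "local":
        return own                       # no AAA: 'login local' honours the username
    return vty.get("privilege", 1)

def can_run(cfg, level, command):
    """True if a session at 'level' may run 'command' (keywords default to level 1)."""
    return level >= cfg["cmd_levels"].get(command.split()[0], 1)

def audit(cfg):
    """Findings a reviewer would raise on the parsed config."""
    findings, vty = [], cfg["vty"]
    if cfg["aaa_new_model"]:
        if "local" not in cfg["authz_exec"].get(vty.get("authz", "default"), []):
            findings.append("aaa new-model without exec authorization: username privilege levels are ignored")
        if vty.get("privilege", 1) == 15:
            findings.append("'privilege level 15' on vty gives every authenticated user level 15")
    elif vty.get("login") != "local":
        findings.append("vty uses a shared line password instead of per-user accounts")
    findings += [f"type 7 (reversible) password on {who}" for who in cfg["type7"]]
    return findings
```

Calling `login_level(parse_config(CONFIG_BEFORE), "cisco")` returns 1, the symptom in the original post, while the same user in CONFIG_AFTER gets 15 and priv7 gets 7; `can_run` on the AFTER config rejects "show privilege" at level 7 once "privilege exec level 8 show" is present, matching the output shown above. With aaa new-model removed and "login local" on the line, the same function honours the username's level, which is the workaround the poster used in between.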
10-29-2014 04:48 AM
Hey Aref,
That's great. It helped me a lot, especially the explanation. Things are as expected now.
Regards........ Pankaj Raj
10-29-2014 07:08 AM
Glad I could be of help man.
Regards,
Aref
05-12-2024 11:35 PM
Hi @Pankaj Raj, on my Cisco IE-3300-8T2X I am not able to access privileged mode. "sys-5-priv_auth_fail authentication to privilege level 15 failed" is the message that I receive. I haven't configured any account on the switch. Is there a way to overcome this situation? Thank you
05-12-2024 11:37 PM
Make a new post
and share the config you use.
MHM
05-12-2024 11:40 PM
@MHM Cisco World, I'd like to, but I don't have access to privileged mode :(
When I enter Switch>enable, it returns "sys-5-priv_auth_fail authentication to privilege level 15 failed".