05-28-2008 07:14 PM - edited 03-05-2019 11:17 PM
have other devices that are working just fine. but can't figure why this one will log user in, but only at privilege 1 - requires enable password. other devices will allow login directly to privilege 15. the only thing i can see is the 'enable secret' is listed on this one. if i no enable secret, i can't get past privilege 1. i know this is going to be something stupid i did... help.
below is snippet of config
c3560-advipservicesk9-mz.122-44.SE
no service password-encryption
!
enable secret 5 XXXXXX
!
username XXXXXX privilege 15 secret 5 XXXXXX
username XXXXXX privilege 15 secret 5 XXXXXX
username XXXXXX privilege 15 secret 5 XXXXXX
no aaa new-model
!
line con 0
 login local
line vty 0 4
 login local
 transport preferred ssh
 transport input ssh
line vty 5 15
 no login
 transport preferred ssh
 transport input ssh
05-28-2008 08:04 PM
"c3560-advipservicesk9-mz.122-44.SE"
This code has some authentication issues. I suggest going with SE1 or use the same code the other switches are running.
__
Edison.
05-29-2008 03:21 AM
Robert
It does not deal with your main question about authenticating to privilege level 15, but I would like to comment about something else. In your config you have this:
line vty 5 15
 no login
Would I be correct in assuming that the no login was intended to keep people from logging in on these vty lines? It seems very logical that this would work for that purpose but it does not. When you configure no login all it does is allow someone to establish a session without needing any password. If you want to prevent use of these vty lines you should configure no exec (or perhaps no transport input).
HTH
Rick
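An added example, not part of any post in this thread: a small Python audit for the condition Rick describes, flagging vty blocks that carry `no login` without also being disabled by `no exec` or an empty transport input. The function names and the sample config are constructed for illustration, and the check assumes `no aaa new-model`, as in the posted config.

```python
import re

# Constructed sample, modelled on the line section of the config posted above.
SAMPLE_CONFIG = """\
line con 0
 login local
line vty 0 4
 login local
 transport preferred ssh
 transport input ssh
line vty 5 15
 no login
 transport preferred ssh
 transport input ssh
!
end
"""

LINE_HEADER = re.compile(r"^line \S+ \d+( \d+)?$")
# Sub-commands that stop the line from offering a usable session at all.
DISABLED = {"no exec", "transport input none", "no transport input"}

def parse_line_blocks(config):
    """Return [(header, [sub-commands])] for every 'line ...' block.

    A block runs until the next 'line' header, a '!' separator or 'end',
    so it also copes with pastes that have lost their indentation.
    """
    blocks, current = [], None
    for raw in config.splitlines():
        text = " ".join(raw.split())          # normalise whitespace
        if text in ("", "!", "end"):
            current = None
        elif LINE_HEADER.match(text):
            current = (text, [])
            blocks.append(current)
        elif current is not None:
            current[1].append(text)
    return blocks

def find_open_vty(config):
    """Return headers of vty blocks that accept a session with no password."""
    return [header for header, cmds in parse_line_blocks(config)
            if header.startswith("line vty")
            and "no login" in cmds
            and not DISABLED & set(cmds)]

if __name__ == "__main__":
    for header in find_open_vty(SAMPLE_CONFIG):
        print(f"{header}: 'no login' set, sessions need no password")
```
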
05-29-2008 10:37 AM
Nice catch Rick.
Rated - 5
05-29-2008 11:31 AM
learn something new every day - thanks!
05-29-2008 11:30 AM
upgraded to SE1. still have same problem. I can connect to exec directly from console using local login, it is just the SSH that is broken. I enable telnet on vty 0 4 and it works.
Console and Telnet login local to privilege 15
SSH login local to privilege 1, requires enable command.
09-30-2008 12:20 PM
solved the issue.
on upgrade to new IOS, the authentication method changed for SSH and my client SecureCRT was sending out a modulus of a different size. Apparently a more secure version of IOS as the older version didn't care about order and/or size.
as far as the login privilege; change login to use new aaa model.