Messed Up AAA Config on 3560g/3750g? (enable prompt)

ram
Level 1

I've banged my head against the wall long enough. I'm asking for help with what should be a very simple question for the gurus. I am not, obviously. I am using local authentication and was NOT receiving an enable prompt until a recent IOS (15.0.1 SE?) upgrade. When one of my two users logs in, I would like to have them dropped into enable mode - not having to type a *different* enable password.

I'll attach a config w/ the particulars x'd out.

5 Replies

ram
Level 1

Here are the applicable lines if you don't want to look @ the entire config:

username user1 privilege 15 secret 5 $1$uQjc$0oD5Sf9aDAQiz9wE8fuQE/

username user2 privilege 15 secret 5 $1$w45N$ZqKFwrLiTAGLBT9b7wQJg/

aaa new-model

aaa authentication login default local

aaa authentication enable default enable

aaa authorization console

aaa authorization exec default local if-authenticated

aaa authorization commands 15 default local if-authenticated

aaa session-id common

Collin Clark
VIP Alumni

I don't have a device in front of me for verification, but under the VTY you add "privilege level 15".

Wouldn't that give everyone who connects level 15 access?

Collin Clark wrote:

I don't have a device in front of me for verification, but under the VTY you add "privilege level 15".

Sure will but w/o AAA it's either all or nothing (that I've ever seen).

Hi,

Robert Meredith wrote:

Wouldn't that give everyone who connects level 15 access?

Collin Clark wrote:

I don't have a device in front of me for verification, but under the VTY you add "privilege level 15".

Yes it will, but as your users configured locally have privilege 15, it shouldn't be a problem imho.

Did you try without the authentication enable command?

gonna lab it up and tell you what.

edit: just labbed it on a 3600 router in GNS3 and with this it worked:

username user1 secret 5 $1$uQjc$0oD5Sf9aDAQiz9wE8fuQE/

username user2 privilege 15 secret 5 $1$w45N$ZqKFwrLiTAGLBT9b7wQJg/

aaa new-model

aaa authentication login default local

aaa authorization console

user 1 is not in enable mode directly but user2 is.

Regards.

Alain.

Don't forget to rate helpful posts.