username privilege 15 (no aaa) without enable secret?

Rogier (Level 1)

Hi all,

I have some Cisco switches (C3560 Software C3560-IPBASE-M, Version 12.2(35)SE5).

On this I have configured a username with secret and privilege level 15.

Global is set to: "no aaa new-model".

On the console port and all vty ports I have set "login local".

Since I always have to log in with a username, and this takes me to privilege level 15, my assumption is that I do not have to set an enable secret. Is this correct, or do I still need to set "enable secret"?

Does it make a difference if I change to "aaa new-model" and use the global command "aaa authentication login default local" and set "login authentication default" on all lines (con + vty)?

Thanks a lot!

Rogier


5 Replies

Dennis Mink (VIP Alumni)

Priv 15 will let you into enable mode without an additional enable secret.

If you have no intention to use aaa, leave the service off.

Thanks for your reply.

Just to make sure: there is no risk of locking myself out in this scenario? And the lack of "enable secret" does not pose a security risk in this scenario?

Don't mess with AAA if you don't use it.

As for security risk, as long as your password is long and complicated enough, your security team should be ok with not having the "enable secret" command.

HTH

Thanks a lot. Not using aaa, just want username + secret for all access!

So, username + secret in combination with "login local" should be fine for me.

Yes, that should do it. 

Good Luck!
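As an added example (not code from the thread, and not Cisco's), here is a small Python lint that reads a saved `show running-config` and answers the questions the thread settles: does every line authenticate against the local user database, is an `enable secret` still needed given the privilege levels of the configured users, and what changes once `aaa new-model` is on. The three configs embedded below are constructed samples (the type-5 hashes are placeholders, not real hashes) and the finding codes are labels I chose; the first sample is the setup described in the question, the second is the `aaa new-model` variant the question asks about, and the third collects the mistakes the thread warns against.

```python
"""Lint a Cisco IOS running-config for login / enable-secret pitfalls.
Added example, not from the thread or from Cisco; sample configs are
constructed and the finding codes are labels chosen for this script."""
import re
from typing import Dict, List

# Constructed: the setup described in the question (no aaa, priv-15 user, login local).
CONFIG_NO_AAA = """\
no aaa new-model
username rogier privilege 15 secret 5 $1$abcd$placeholder.not.a.real.hash
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
end
"""

# Constructed: the same intent expressed with aaa new-model.
CONFIG_AAA = """\
aaa new-model
aaa authentication login default local
username rogier privilege 15 secret 5 $1$abcd$placeholder.not.a.real.hash
line con 0
 login authentication default
line vty 0 4
 login authentication default
 transport input ssh
end
"""

# Constructed: a priv-1 user with a type-7 password, enable password instead of
# enable secret, a console on the line password, and a vty with no login at all.
CONFIG_WEAK = """\
no aaa new-model
enable password cisco123
username ops privilege 1 password 7 094F471A1A0A
line con 0
 password console123
 login
line vty 0 4
 login local
line vty 5 15
 no login
end
"""

USER_RE = re.compile(r"username (\S+)(?: privilege (\d+))? (secret|password)\b")


def parse_ios_config(text: str) -> Dict:
    """Extract only what matters for login and enable behaviour."""
    cfg = {"aaa_new_model": False, "aaa_login_default": None, "enable_secret": False,
           "enable_password": False, "users": [], "lines": {}}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:   # command inside a line block
            cfg["lines"][current].append(raw.strip())
            continue
        current = None
        cmd = raw.strip()
        if cmd == "aaa new-model":
            cfg["aaa_new_model"] = True
        elif cmd.startswith("aaa authentication login default "):
            cfg["aaa_login_default"] = cmd.split(None, 4)[4]
        elif cmd.startswith("enable secret "):
            cfg["enable_secret"] = True
        elif cmd.startswith("enable password "):
            cfg["enable_password"] = True
        elif cmd.startswith("username "):
            m = USER_RE.match(cmd)
            if m:   # IOS defaults an unspecified privilege to 1
                cfg["users"].append({"name": m.group(1), "privilege": int(m.group(2) or 1),
                                     "kind": m.group(3)})
        elif cmd.startswith("line "):
            current = cmd[5:]                     # e.g. "con 0", "vty 0 4"
            cfg["lines"][current] = []
    return cfg


def line_auth_mode(name: str, cmds: List[str]) -> str:
    """How a line authenticates when aaa new-model is off."""
    if "login local" in cmds:
        return "local"
    if "no login" in cmds:
        return "none"
    # IOS defaults: con 0 has no login command, vty lines have plain "login".
    if "login" in cmds or name.startswith("vty"):
        has_pw = any(c.startswith("password ") for c in cmds)
        return "line-password" if has_pw else "login-no-password"
    return "none"


def audit(cfg: Dict) -> List[str]:
    findings = []
    priv15 = [u for u in cfg["users"] if u["privilege"] == 15]
    lower = [u for u in cfg["users"] if u["privilege"] < 15]
    any_enable = cfg["enable_secret"] or cfg["enable_password"]
    for u in cfg["users"]:
        if u["kind"] == "password":            # type 0/7 is reversible; use "secret"
            findings.append(f"WEAK_USER_HASH:{u['name']}")
    if cfg["enable_password"] and not cfg["enable_secret"]:
        findings.append("ENABLE_PASSWORD_ONLY")   # reversible type 7, not a hash
    # The thread's point: privilege-15 users land in enable mode directly, so an
    # enable secret only matters for users below 15 (or if no priv-15 user exists).
    if priv15 and not lower:
        findings.append("ENABLE_SECRET_NOT_REQUIRED")
    if lower and not any_enable:
        findings.append("LOWER_PRIV_USERS_CANNOT_ENABLE")
    if not priv15 and not any_enable:
        findings.append("NO_PATH_TO_PRIV15")      # nobody can reach enable mode
    for name, cmds in cfg["lines"].items():
        tag = name.replace(" ", "_")
        if cfg["aaa_new_model"]:
            # With aaa new-model, the line command "login local" is replaced by
            # "login authentication <list>"; lines without one use the default list.
            if "login local" in cmds:
                findings.append(f"LOGIN_LOCAL_UNDER_AAA:{tag}")
            elif (not any(c.startswith("login authentication ") for c in cmds)
                  and cfg["aaa_login_default"] is None):
                findings.append(f"IMPLICIT_AAA_DEFAULT:{tag}")
        else:
            mode = line_auth_mode(name, cmds)
            if mode == "none":
                findings.append(f"NO_AUTH:{tag}")
            elif mode == "line-password":
                findings.append(f"LINE_PASSWORD:{tag}")      # shared, weakly stored
            elif mode == "login-no-password":
                findings.append(f"LOGIN_NO_PASSWORD:{tag}")  # IOS refuses logins here


    return findings


if __name__ == "__main__":
    for label, text in (("no-aaa", CONFIG_NO_AAA), ("aaa", CONFIG_AAA), ("weak", CONFIG_WEAK)):
        print(label, audit(parse_ios_config(text)) or ["OK"])
```

Run it against a saved running-config by replacing the constructed strings with the file contents. The only finding on the question's config is ENABLE_SECRET_NOT_REQUIRED, which is the thread's conclusion; it turns into LOWER_PRIV_USERS_CANNOT_ENABLE the moment someone adds a user below privilege 15, which is the case where an `enable secret` becomes necessary again. Whatever the lint says, keep an existing session open while testing any login change on a second session so a mistake cannot lock you out.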