bypassing user mode when logging in to a router

Answered Question
Dec 10th, 2007

When accessing one of our routers via vty, a user gets right into the enable mode, bypassing user mode. Here is the vty config in the router:

    line vty 0 4
     access-class 23 in
     privilege level 15
     password hello
     transport input telnet

Does anybody have any ideas what may be going on here?



I think you need to put login local in the config. You may want to apply it to vty 0 15 as well, in case someone screws up the lower 5 ports with some kind of DoS. There might be a quicker timeout that could be applied to the vty 15 port as well...

Also you might want an auto disconnect after some inactivity period, 60 minutes.

exec-timeout 60

login local should be applied to unused ports as well. Even without a password. This ensures that no one can use the port, even if there is no password applied to the port.

Merry Christmas..

axfalk Mon, 12/10/2007 - 18:20

Buce, thanks for your response... What's so strange is that we have another router with exactly the same vty config (i.e. no login statement) and it's not throwing an incoming user directly into the enable mode, like this router is doing... Is there a command somewhere in the router config, besides the vty config, that may impact what mode a user is getting?

thanks again...

axfalk Mon, 12/10/2007 - 18:14

Thanks to both responses....

<< Change the privilege level to a value lower than 15.>>

Why is that?

axfalk Mon, 12/10/2007 - 18:31

Sorry, but one factor I omitted was that we're using TACACS+ for authentication...

Thanks again...

Correct Answer
Edison Ortiz Mon, 12/10/2007 - 19:16

Privilege Level 15 will give any user enable access to the router. Level 14 and below will force the user to type 'enable' and enter the enable password.

axfalk Mon, 12/10/2007 - 19:51

Thanks... On a related subject, what makes the vty authenticate a user against a TACACS+ server as opposed to the local vty password?

thanks again

Richard Burts Mon, 12/10/2007 - 20:04

It depends on how you configure AAA on the router (or switch). There are options that you can configure to have the router authenticate with TACACS, or to have it authenticate with local authentication, or to have it do both so that it attempts to authenticate with TACACS and, if TACACS is not available, falls back to local authentication. I believe that the combination of trying TACACS and having local authentication as a fallback is the better solution.

You can set it up so that some connections (perhaps PPP connections on a remote access server) authenticate with TACACS while other connections (perhaps your vty) authenticate with local password.
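Putting the replies together, here is the vty stanza from the question beside a hardened version that drops the line-level privilege level 15, authenticates via TACACS+ with local fallback as Richard describes, and applies login and an idle timeout to all 16 vty lines as suggested earlier in the thread. This is an added example, not configuration posted in the thread; the server address, shared key, secrets and local username are constructed placeholders.

```cisco
! Added example, not from the thread. Addresses, keys and usernames below
! are constructed placeholders.

! --- Before: every vty session lands directly in enable mode --------------
line vty 0 4
 access-class 23 in
 privilege level 15
 password hello
 transport input telnet

! --- After: AAA decides who logs in and at what privilege level -----------
aaa new-model
! Try TACACS+ first; fall back to the local user database if no server answers.
aaa authentication login default group tacacs+ local
! Let the TACACS+ server (or the local username entry) set the exec privilege
! level, instead of handing level 15 to every session on the line.
aaa authorization exec default group tacacs+ local
tacacs-server host 192.0.2.10
tacacs-server key TACACS-KEY-PLACEHOLDER
! Local fallback account, used only when TACACS+ is unreachable.
username fallback-admin privilege 15 secret LOCAL-SECRET-PLACEHOLDER
! Still needed so that "enable" works for users who land at level 1.
enable secret ENABLE-SECRET-PLACEHOLDER
!
! Cover all 16 vty lines, not just 0-4, so spare lines are never left open.
! No "privilege level 15" here: users start in user EXEC and must type
! "enable" unless TACACS+ explicitly assigns them level 15.
line vty 0 15
 access-class 23 in
 login authentication default
 exec-timeout 60 0
 transport input telnet
```

With aaa new-model in effect the line password and login local are no longer consulted; the login authentication list on the line is what applies.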
