12-10-2007 03:49 PM - edited 03-05-2019 07:55 PM
When accessing one of our routers via vty, a user gets right into enable mode, bypassing user mode. Here is the vty config in the router:
line vty 0 4
access-class 23 in
privilege level 15
password hello
transport input telnet
Does anybody have any ideas what may be going on here?
thanks...
12-10-2007 04:42 PM
I think you need to put login local in the config. You may want to apply it to vty 0 15 as well, in case someone screws up the lower 5 ports with some kind of DoS. There might be a quicker timeout that could be applied to the vty 15 port as well...
Also you might want an auto disconnect after some inactivity period, 60 minutes.
exec-timeout 60
login local should be applied to unused ports as well. Even without a password. This ensures that no one can use the port, even if there is no password applied to the port.
Merry Christmas..
12-10-2007 06:20 PM
Buce, Thanks for your response...What's so strange is that we have another router with exactly the same vty config (i.e. no login statement) and it's not throwing an incoming user directly into the enable mode, like this router is doing...Is there a command somewhere in the router config, besides the vty config, that may impact what mode a user is getting?
thanks again...
12-10-2007 04:45 PM
Change the privilege level to a value lower than 15.
12-10-2007 06:14 PM
Thanks to both responses....
<< Change the privilege level to a value lower than 15.>>
Why is that?
12-10-2007 06:31 PM
Sorry, but one factor I omitted was that we're using TACACS+ for authentication...
Thanks again...
12-10-2007 07:16 PM
Privilege Level 15 will give any user enable access to the router. Level 14 and below will force the user to type 'enable' and enter the enable password.
12-10-2007 07:51 PM
Thanks... On a related subject, what makes the vty authenticate a user against a TACACS+ server as opposed to the local vty password?
thanks again
12-10-2007 08:04 PM
Greg
It depends on how you configure AAA on the router (or switch). There are options that you can configure to have the router authenticate with TACACS, or to have it authenticate with local authentication, or to have it do both so that it attempts to authenticate with TACACS and, if TACACS is not available, falls back to local authentication. I believe that the combination of trying TACACS and having local authentication as a fallback is the better solution.
You can set it up so that some connections (perhaps PPP connections on a remote access server) authenticate with TACACS while other connections (perhaps your vty) authenticate with local password.
HTH
Rick
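The following is an added IOS configuration example, not posted by anyone in this thread, that ties the three points above together: the vty block without "privilege level 15" (so a TACACS+ user lands in user EXEC and must type enable, as described in the accepted answer), the exec-timeout and coverage of all 16 vty lines suggested earlier, and an AAA setup that authenticates against TACACS+ with local fallback and uses a named method list on the vty lines, as Rick describes. The server address 192.0.2.5, the shared secret, and the names TAC-GROUP, VTY-AUTH and admin are placeholders chosen for the example; access-class 23 is kept from the original post.

```cisco
! Added example configuration (not from the original thread).
! Enables AAA; once aaa new-model is on, "login" / "login local" on the
! line is replaced by "login authentication <method-list>".
aaa new-model
!
! TACACS+ server definition. 192.0.2.5 and the key are placeholders.
tacacs server TAC1
 address ipv4 192.0.2.5
 key EXAMPLE-SHARED-SECRET
aaa group server tacacs+ TAC-GROUP
 server name TAC1
!
! Login authentication: try TACACS+ first; if no server answers, fall
! back to the local username database (the fallback Rick recommends).
aaa authentication login default group TAC-GROUP local
aaa authentication login VTY-AUTH group TAC-GROUP local
!
! "enable" is checked against TACACS+ first, then the local enable secret.
aaa authentication enable default group TAC-GROUP enable
!
! Exec authorization lets the TACACS+ server assign a privilege level
! (priv-lvl) per user. This is the other way a user can land in enable
! mode without a "privilege level 15" statement on the line.
aaa authorization exec default group TAC-GROUP local if-authenticated
!
! Local fallback account and enable secret (placeholder values).
username admin privilege 15 secret EXAMPLE-LOCAL-PASSWORD
enable secret EXAMPLE-ENABLE-SECRET
!
! Cover all 16 vty lines, as suggested earlier in the thread.
! No "privilege level 15" here: TACACS+ users start in user EXEC (>)
! unless the server returns priv-lvl=15 for them.
line vty 0 15
 access-class 23 in
 login authentication VTY-AUTH
 exec-timeout 60 0
 transport input telnet
```

Two things worth checking after applying this on a lab box: "show aaa sessions" and "test aaa group TAC-GROUP <user> <password> legacy" confirm the TACACS+ path is actually used, and "show privilege" after logging in shows whether the level came from the line or from the TACACS+ exec authorization. If two routers share the same vty block but behave differently, the per-user priv-lvl returned by the server (or a differing "aaa authorization exec" line) is the first place to look.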