login local only getting privilege 1

Unanswered Question
May 28th, 2008

I have other devices that are working just fine, but I can't figure out why this one will log a user in, but only at privilege 1; it requires the enable password. Other devices will allow login directly to privilege 15. The only thing I can see is that the 'enable secret' is listed on this one. If I no enable secret, I can't get past privilege 1. I know this is going to be something stupid I did... help.

Below is a snippet of the config:

c3560-advipservicesk9-mz.122-44.SE

no service password-encryption
!
enable secret 5 XXXXXX
!
username XXXXXX privilege 15 secret 5 XXXXXX
username XXXXXX privilege 15 secret 5 XXXXXX
username XXXXXX privilege 15 secret 5 XXXXXX
no aaa new-model
!
line con 0
 login local
line vty 0 4
 login local
 transport preferred ssh
 transport input ssh
line vty 5 15
 no login
 transport preferred ssh
 transport input ssh

Edison Ortiz Wed, 05/28/2008 - 20:04

"c3560-advipservicesk9-mz.122-44.SE"

This code has some authentication issues. I suggest going with SE1 or use the same code the other switches are running.

__

Edison.

Richard Burts Thu, 05/29/2008 - 03:21

Robert

It does not deal with your main question about authenticating to privilege level 15, but I would like to comment about something else. In your config you have this:

line vty 5 15
 no login

Would I be correct in assuming that the no login was intended to keep people from logging in on these vty lines? It seems very logical that this would work for that purpose but it does not. When you configure no login all it does is allow someone to establish a session without needing any password. If you want to prevent use of these vty lines you should configure no exec (or perhaps no transport input).

HTH

Rick
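A check for the vty pitfall described in the reply above, as an added example that is not part of the original thread: it scans a saved configuration for vty blocks where no login is set while neither no exec nor no transport input closes the lines. The function names and the sample are constructed, and the input is assumed to be in show running-config layout with indented sub-commands.

```python
import re

# Constructed sample in "show running-config" layout (sub-commands indented),
# modelled on the line configuration posted at the top of this thread.
SAMPLE_CONFIG = """\
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 no login
 transport input ssh
"""

def parse_line_blocks(config):
    """Return {"line ...": [sub-commands]} for each line block in the config."""
    blocks, current = {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if text.startswith("line "):
            current = blocks.setdefault(text, [])
        elif current is not None and raw[:1].isspace():
            current.append(text)
        else:
            current = None  # unindented command: back in global configuration
    return blocks

def audit_vty(config):
    """List vty blocks where 'no login' is set but the lines still accept sessions."""
    findings = []
    for header, cmds in parse_line_blocks(config).items():
        if not re.match(r"line vty \d+", header):
            continue
        # The last login-related sub-command in the block is the effective one.
        login = [c for c in cmds if c == "no login" or c.startswith("login")]
        if not login or login[-1] != "no login":
            continue
        exec_off = "no exec" in cmds
        input_off = "no transport input" in cmds or "transport input none" in cmds
        if not (exec_off or input_off):
            findings.append(header)
    return findings

if __name__ == "__main__":
    for header in audit_vty(SAMPLE_CONFIG):
        print(f"{header}: 'no login' does not block access; use 'no exec' or 'no transport input'")
```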

rsnook Thu, 05/29/2008 - 11:30

Upgraded to SE1. Still have the same problem. I can connect to exec directly from console using local login; it is just the SSH that is broken. I enabled Telnet on vty 0 4 and it works.

Console and Telnet login local to privilege 15

SSH login local to privilege 1, requires enable command.

rsnook Tue, 09/30/2008 - 12:20

Solved the issue.

On upgrade to the new IOS, the authentication method changed for SSH and my client, SecureCRT, was sending out a modulus of a different size. Apparently a more secure version of IOS, as the older version didn't care about order and/or size.

As far as the login privilege: change login to use the new aaa model.
