USERNAME WITH PRIVILEGE 15

Unanswered Question
Jan 14th, 2011

Hello Dears,

I have created a user with the command username cisco privilege 15 password cisco. When he telnets to the switch he is asked for the enable secret password. Why??????

Thanks

lgijssel Fri, 01/14/2011 - 10:08

Hello Estela,

Can you please post a capture of the login dialog?

It would help to see where exactly this situation occurs.

Please also provide the config lines involved and the platform on which you are having this issue.

(pix/asa, router or switch) eventually including version info.

regards,

Leo

lgijssel Fri, 01/14/2011 - 11:10

The attachment is in queued state and cannot be opened.

Still I think you may be missing some aaa config lines.

Can you fix or retry the attachment?

regards

Leo

Nagaraja Thanthry Fri, 01/14/2011 - 10:55

Hello,

By default the VTY lines have a privilege level of "0". Please try the following:

line vty 0 4

privilege level 15

exit

Now, if you login, you should be able to get directly into the enable mode.

Hope this helps.

Regards,

NT

estelamathew Fri, 01/14/2011 - 11:02

Hello,

This will allow everybody in privilege 15???? I don't want everybody to have access at level 15; I have certain users on different privilege levels.

Thanks

dancicioiu Fri, 01/14/2011 - 11:07

Do you have any "aaa" configuration on the switch? Or are you just using login local under the line vty?

Can you try to paste the line configuration here? It seems that there is a problem with the attached config.

Dan

Nagaraja Thanthry Fri, 01/14/2011 - 11:12

Hello,

The user privilege takes precedence over the line privilege. So, if the user has a lower privilege level, that should override the line privilege.

Hope this helps.

Regards,

NT

dancicioiu Fri, 01/14/2011 - 11:18

Yes, but if it has aaa authorization, it is normal to check the enable even if there is any default privilege.

Dan

estelamathew Fri, 01/14/2011 - 11:28

Hello,

NO, user level doesn't take precedence. I tried just now; it put a user at level 2 also in level 15.

There is no AAA, it is local authentication.

line con 0
line vty 0 4
 access-class YOU_ME in
 exec-timeout 5 0
 password 7 08364D5D1D1C1216060E1E25
 login local
 transport input ssh
line vty 5 15
 exec-timeout 5 0
 no login
 transport input ssh

lgijssel Fri, 01/14/2011 - 11:55

Local authentication is one thing but assigning a privilege level falls under authorization.

Please check this link on aaa, I hope this will enable you to configure a solution.

http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/aaasetup.html#wp1284305

It should be something like:

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local

but then without the radius stuff.

regards,

Leo

dancicioiu Fri, 01/14/2011 - 11:59

Hi Leo ,

Here it is :

Router#sh run | i aaa
no aaa new-model
Router#
Router#
Router#sh run | b line
line con 0
login local
line aux 0
line vty 0 4
!
!
end

Router#sh run | i user
username c privilege 15 secret 5 $1$k/W8$yvjhRXM7TQDaRhQGLanSR1
Router#

Router#exi

Router con0 is now available

Press RETURN to get started.

User Access Verification

Username: c
Password:
Router#sh priv
Current privilege level is 15
Router#

Dan

estelamathew Fri, 01/14/2011 - 12:08

Hello Leo,

It can be done without AAA also.

I have 1 switch in my network in which I'm accessing directly in privileged (#) mode.

Thanks

lgijssel Fri, 01/14/2011 - 13:18

It can be done without an AAA server, but you need something similar to the few lines proposed to make it work with local authentication/authorization. This is because you normally log in to level 1 and then need the additional enable password to go to level 15. You want to modify the default behavior and this requires additional config.

regards,

Leo

Cadet Alain Fri, 01/14/2011 - 14:55

Hi Leo,

"It can be done without an AAA server but you need something similar to the few lines proposed to make it work with local authentication/authorization"

I already did it like the OP without any problem, but on some platforms/IOS versions it didn't work, so it can be done without AAA.

Regards.

Alain.

estelamathew Mon, 01/17/2011 - 10:25

Hello Experts

What can be the issue? Maybe I'm hitting IOS issues; if I upgrade, will it help me????

Thanks.

dancicioiu Mon, 01/17/2011 - 10:39

Hi Mathew,

I would try an IOS upgrade.

What IOS/hardware are you using ?

Dan

lgijssel Mon, 01/17/2011 - 10:42

Did you try it like this:

sw-test(config)#
sw-test(config)#user emgi privilege 15 password cisco
sw-test(config)#
sw-test(config)#lin vty 0 4
sw-test(config-line)#login ?
  local   Local password checking
  tacacs  Use tacacs server for password checking

sw-test(config-line)#login local
sw-test(config-line)#^Z

User Access Verification

Username: emgi
Password:
sw-test#sh priv
Current privilege level is 15
sw-test#

System image file is "flash:c2950-i6q4l2-mz.121-22.EA2.bin" (Ancient!)

estelamathew Thu, 01/20/2011 - 11:00

Hello,

I have a Cisco Catalyst 3550 48 SMI switch. I have uploaded 12.2.44.SE(6) ED, the latest up till date. The switch model number is 3550 48 SMI and I have uploaded the IOS 12.2.44.SE(6) EMI. The software is uploaded successfully with no errors, but I still have the same issue. Is the switch supported with the above software? How will I come to know?

The Feature Navigator shows me the image as in the attached, but the image is too old. Can anybody confirm to me that the image I have installed is correct?

Thanks

FIDLAFIDLA Thu, 01/20/2011 - 23:37

Hi Estela,

OK... I don't have this particular device, but why not try the least painful way? If it doesn't break your security policy, why not enable aaa like this:

aaa new-model
aaa authentication login VTYLOGIN local
aaa authorization exec VTYLOGIN local
line vty 0 4
 login authentication VTYLOGIN
 authorization exec VTYLOGIN

It will solve your problem. OK, it doesn't solve the original issue... but it will work and you will not see any difference.

Tomas

ebarticel Thu, 01/20/2011 - 18:28

Hi,

I think you should add "login local" in vty line config mode.

login local will point to the username you created.

Also, when you create the username with level 15 you have to use "secret" instead of password, because you know that when you have configured "enable password" and "enable secret", the enable secret will be used.

Because you have enable secret configured on the switch/router, it will always ask for the "enable secret".

Eugen

estelamathew Thu, 01/20/2011 - 22:05

I have login local enabled also. After upgrading to the latest new IOS the issue is the same; I am being asked for the enable secret for the privilege 15 user.

Thanks

ebarticel Fri, 01/21/2011 - 21:10

Hi estela,

Try these commands if you still have the problem:

S(config)#username TELNET privilege 15 secret cisco
S(config)#line vty 0 15
S(config-line)#login local
S(config-line)#privilege level 15
S(config-line)#end

Hope this will help

Eugen
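As an added example (not from any poster in this thread), a small Python audit of a running-config for the points the replies argue about: a username defined with "password" instead of "secret", a privilege-15 user on a box with no aaa new-model, a line-wide "privilege level 15" on the vty (which estela did not want, since it applies to every user on the line), and vty lines with "no login". The config text and hash strings are constructed placeholders.

```python
import re

# Constructed sample running-config modelled on the fragments posted
# in this thread; the hash strings are placeholders, not real credentials.
SAMPLE_CONFIG = """\
no aaa new-model
enable secret 5 $1$PLACEHOLDER
username cisco privilege 15 password 7 PLACEHOLDER
username ops privilege 2 secret 5 $1$PLACEHOLDER
line con 0
 login local
line vty 0 4
 login local
 privilege level 15
 transport input ssh
line vty 5 15
 no login
 transport input ssh
"""

USER_RE = re.compile(r"^username (\S+) privilege (\d+) (password|secret)\b")

def audit_config(text):
    """Return (code, detail) findings for the login/privilege points raised in the thread."""
    findings = []
    stripped = [l.strip() for l in text.splitlines()]
    aaa_enabled = "aaa new-model" in stripped   # 'no aaa new-model' does not count
    section = None                              # current 'line ...' block, if any
    for l in stripped:
        m = USER_RE.match(l)
        if m:
            user, level, kind = m.groups()
            if kind == "password":
                findings.append(("weak-user-secret", f"username {user}: 'password' stores a reversible type 7 or plaintext string; use 'secret'"))
            if level == "15" and not aaa_enabled:
                findings.append(("no-exec-authorization", f"username {user} is privilege 15 with no aaa new-model; the thread's fix is aaa authentication login / authorization exec with 'local'"))
            continue
        if l.startswith("line "):
            section = l
            continue
        if section and section.startswith("line vty"):
            if l == "privilege level 15":
                findings.append(("line-wide-priv15", f"{section}: level 15 applies to every session on the line, not just the intended user"))
            elif l == "no login":
                findings.append(("no-login", f"{section}: no line-level authentication configured"))
    return findings

if __name__ == "__main__":
    for code, detail in audit_config(SAMPLE_CONFIG):
        print(f"[{code}] {detail}")
```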
