when accessing one of our routers via vty, a user gets right into the enable mode, bypassing the user mode...here is the vty config in the router:
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet
Does anybody have any ideas what may be going on here?
I think you need to put login local in the config. You may want to apply it to vty 0 15 as well, in case someone screws up the lower 5 ports with some kind of DOS. There might be a quicker timeout that could be applied to the vty 15 port as well...
Also you might want an auto disconnect after some inactivity period, 60 minutes.
login local should be applied to unused ports as well. Even without a password. This ensures that no one can use the port, even if there is no password applied to the port.
Buce, Thanks for your response...What's so strange is that we have another router with exactly the same vty config (i.e. no login statement) and it's not throwing an incoming user directly into the enable mode, like this router is doing...Is there a command somewhere in the router config, besides the vty config, that may impact what mode a user is getting?
thanks...on a related subject, what makes the vty authenticate a user against a TACACS+ server as opposed to the local vty password?
It depends on how you configure AAA on the router (or switch). There are options that you can configure to have the router authenticate with TACACS, or to have it authenticate with local authentication, or to have it do both so that it attempts to authenticate with TACACS and if TACACS is not available then to do local authentication. I believe that the combination of trying TACACS and having local authentication as a fallback is the better solution.
You can set it up so that some connections (perhaps PPP connections on a remote access server) authenticate with TACACS while other connections (perhaps your vty) authenticate with local password.
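As an added example (not posted by anyone in this thread), here is an IOS configuration that ties together the "login local on all vty lines" advice above and the TACACS+-with-local-fallback approach just described. The server address, shared key, local account and the contents of access-list 23 are placeholders; SSH host keys are assumed to already exist.

```ios
! Added example, not from the original thread.
! Assumed/placeholder values: TACACS+ server 192.0.2.10, shared key, local admin
! account, and the management subnet in access-list 23 (the post references ACL 23
! but does not show its entries).
aaa new-model
!
tacacs server TACACS-1
 address ipv4 192.0.2.10
 key <PLACEHOLDER-SHARED-KEY>
!
! Method lists: try TACACS+ first; "local" is used only if no server responds.
! (With aaa new-model enabled, the per-line "login local" command is replaced by
!  "login authentication <list>" as shown on the vty lines below.)
aaa authentication login VTY-AUTH group tacacs+ local
aaa authorization exec VTY-AUTHZ group tacacs+ local
!
! Local fallback account. Privilege is granted to the authenticated user rather than
! by "privilege level 15" on the line, so nobody reaches enable without logging in.
username admin privilege 15 secret <PLACEHOLDER-STRONG-SECRET>
!
! Placeholder: only the management subnet may open a vty session
access-list 23 permit 192.0.2.0 0.0.0.255
!
! Cover all 16 vty lines, not just 0-4, so the spare lines also require authentication
line vty 0 15
 access-class 23 in
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 exec-timeout 60 0
 transport input ssh
!
```

Verify after applying with `show run | section vty` and a test login; the session should stop at the user-mode prompt until the TACACS+ (or fallback local) credentials are accepted, and `show aaa servers` confirms the server is reachable.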