Cisco Support Community

New Member

bypassing user mode when logging in to a router

When accessing one of our routers via vty, a user gets right into enable mode, bypassing user mode. Here is the vty config on the router:

line vty 0 4
 access-class 23 in
 privilege level 15
 password hello
 transport input telnet

Does anybody have any ideas what may be going on here?

thanks...


8 REPLIES
New Member

Re: bypassing user mode when logging in to a router

I think you need to put login local in the config. You may want to apply it to vty 0 15 as well, in case someone screws up the lower 5 ports with some kind of DoS. There might be a quicker timeout that could be applied to the vty 15 port as well...

Also, you might want an auto-disconnect after some inactivity period, say 60 minutes:

exec-timeout 60

login local should be applied to unused ports as well, even without a password. This ensures that no one can use the port, even if there is no password applied to it.

Merry Christmas.

New Member

Re: bypassing user mode when logging in to a router

Buce, thanks for your response... What's so strange is that we have another router with exactly the same vty config (i.e., no login statement) and it's not throwing an incoming user directly into enable mode, like this router is doing... Is there a command somewhere in the router config, besides the vty config, that may impact what mode a user is getting?

thanks again...

Hall of Fame Super Bronze

Re: bypassing user mode when logging in to a router

Change the privilege level to a value lower than 15.

New Member

Re: bypassing user mode when logging in to a router

Thanks to both responses....

<< Change the privilege level to a value lower than 15.>>

Why is that?

New Member

Re: bypassing user mode when logging in to a router

Sorry, but one factor I omitted was that we're using TACACS+ for authentication...

Thanks again...

Hall of Fame Super Bronze

Re: bypassing user mode when logging in to a router (accepted solution)

Privilege Level 15 will give any user enable access to the router. Level 14 and below will force the user to type 'enable' and enter the enable password.
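The behaviour described in the answer above, as an added configuration example that is not part of the original thread. The first block is the poster's own vty configuration; the second is an assumed hardened version (the host name, domain, user name, ACL number and secrets are placeholders). With `privilege level 15` on the line, anyone who passes the shared line password lands in privileged EXEC with no `enable` step; returning the line to the default level 1 makes `enable` and the enable secret mandatory, and `login local` replaces the single shared password with per-user credentials.

```cisco
! --- As posted in the question: one shared line password lands every user in privileged EXEC ---
line vty 0 4
 access-class 23 in
 ! Every session on these lines starts at level 15, so 'enable' is never required.
 privilege level 15
 password hello
 ! Telnet carries the password and the whole session in cleartext.
 transport input telnet
!
! --- Hardened version (added example; names, ACL number and secrets are placeholders) ---
! The enable secret is what level-1 users must present to reach level 15.
enable secret <strong-enable-secret>
! Per-user account at the default level; stored hashed, unlike a line 'password'.
username netadmin privilege 1 secret <strong-user-secret>
! SSH needs a host name, a domain name and an RSA key pair before 'transport input ssh' accepts connections.
hostname edge1
ip domain-name example.net
crypto key generate rsa modulus 2048
!
! Cover all vty lines so the remaining lines cannot be reached with weaker settings.
line vty 0 15
 access-class 23 in
 ! Back to user EXEC on login; 'enable' and the enable secret are now mandatory.
 privilege level 1
 ! Authenticate against the local user database instead of the shared line password.
 login local
 ! Drop idle sessions after 10 minutes. The reply above suggested 60 minutes, which is 'exec-timeout 60 0'.
 exec-timeout 10 0
 transport input ssh
```

To check which case a router is in, log in over the vty and run `show privilege`: it reports `Current privilege level is 15` for the first configuration and `Current privilege level is 1` for the second, and `show running-config | section line vty` shows whether the line carries a `privilege level` command at all.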

New Member

Re: bypassing user mode when logging in to a router

thanks... on a related subject, what makes the vty authenticate a user against a TACACS+ server as opposed to the local vty password?

thanks again

Hall of Fame Super Silver

Re: bypassing user mode when logging in to a router

Greg

It depends on how you configure AAA on the router (or switch). There are options that you can configure to have the router authenticate with TACACS, or to have it authenticate with local authentication, or to have it do both, so that it attempts to authenticate with TACACS and, if TACACS is not available, falls back to local authentication. I believe that the combination of trying TACACS and having local authentication as a fallback is the better solution.

You can set it up so that some connections (perhaps PPP connections on a remote access server) authenticate with TACACS while other connections (perhaps your vty) authenticate with local password.

HTH

Rick
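The AAA options Rick describes, as an added configuration example that is not part of the thread. It assumes a TACACS+ server at 192.0.2.10 with a placeholder key, a local fallback account, and a named method list so that the vty lines use TACACS+ with local fallback while an assumed PPP dialer interface uses only the local database. Because the original poster later mentioned that TACACS+ is in use, the exec authorization lines are the part worth comparing between the two routers: when exec authorization is sent to the server and the server returns a shell `priv-lvl=15` attribute for the user, IOS starts that session at level 15 regardless of whether the line carries `privilege level 15`, so two routers with identical vty stanzas can behave differently if only one of them authorizes exec sessions against the server. Whether that is the cause here is an assumption; the thread does not show the AAA or server configuration.

```cisco
! Turn on the AAA subsystem. From this point the line 'password' is ignored unless a
! method list explicitly includes the 'line' method.
aaa new-model
!
! TACACS+ server and shared key (placeholders; older 'tacacs-server' syntax for the era of the thread).
tacacs-server host 192.0.2.10
tacacs-server key <tacacs-key>
!
! Local fallback account and the enable secret used when the server is unreachable.
username rescue privilege 15 secret <local-fallback-secret>
enable secret <strong-enable-secret>
!
! Default lists: try TACACS+, then the local database. 'local' is consulted only when no
! server answers; a login the server rejects is a failure, not a fallback.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Exec authorization asks the server for the shell service. A priv-lvl=15 in the reply
! starts the session in privileged EXEC even on a line without 'privilege level 15'.
aaa authorization exec default group tacacs+ local
!
! Accounting for sessions and level-15 commands, so privileged activity is logged on the server.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Named lists let different access paths use different methods, as the reply describes:
! vty logins use TACACS+ with local fallback, PPP peers use only the local database.
aaa authentication login VTY-AUTH group tacacs+ local
aaa authentication ppp PPP-AUTH local
!
line vty 0 15
 login authentication VTY-AUTH
 authorization exec default
 transport input ssh
!
! Assumed remote-access interface for the PPP case.
interface Dialer1
 encapsulation ppp
 ppp authentication chap PPP-AUTH
```

Apply `aaa new-model` with a console session open and a working local user already configured, because a typo in a method list locks out every vty. After a vty login, `show privilege` tells you which level the server (or the line) put the session in, and `show tacacs` reports whether the router can actually reach the server, which is what decides whether the `local` fallback is ever used.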
