11-18-2011 09:03 AM - edited 03-07-2019 03:28 AM
I have my first 3560x running IOS 15.0(1)SE and noticed that I can no longer log in to privilege mode even though my user account is set up with privilege 15. I have the exact same setup on 12.2 (53)SE2 and have no issue, so has something changed?
11-18-2011 09:13 AM
Oh, and to clarify, I don't mean once logged in running enable or disable to move around... I mean connecting from an SSH client and starting from privilege exec mode so I don't need to enter the enable password.
11-19-2011 11:48 AM
Dear Justin,
To have privilege level 15 permissions granted instantly after SSH login, you need to add the following line to your
line config:
conf t
line vty 0 4
privilege level 15
end
wr
copy run start
In general it is a good course of action _NOT_ to enable SSH access on standard port 22 on your Cisco box, as it is
a permanent invitation for those wrongdoers who seem to have more spare time than maybe you and I have...
So how do you enable SSH access on a port other than the regular standard port 22?
Let's say you wish to SSH to your box on port 3210.
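conf t
access-list 123 remark deny ssh access on std port 22 on line vty 0 4
! an inbound SSH session targets destination port 22, so match it there
access-list 123 deny tcp any any eq 22
! every ACL ends in an implicit deny; permit the rest or the line is unreachable
access-list 123 permit ip any any
ip ssh port 3210 rotary 1
line vty 0 4
 rotary 1
 access-class 123 in
end
wr
copy run start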
We first define an extended access list in which we prevent any SSH access on standard port 22;
at this time the access list has no impact on the system yet.
We then turn an eye to the non-standard SSH port 3210. The rotary command basically lets you define a kind of
port cycling. Declaring only the first one binds it to the given port, but that's not all yet.
Finally, we assign our "port cycle", limited to just one port, under line vty 0 4 and then bring access-list 123
into play, which only affects SSH access on the given line.
I hope you find the above helpful.
All the best,
David.
11-21-2011 08:54 AM
Although your solution works as a workaround... it poses a higher security risk. If you add privilege level 15 to your line vty 0 4 config, then even users with privilege level 1 are logged into pri exec mode. Naturally, I don't want this... I only want users with privilege level 15 defined to be logged into pri exec mode... I think there is a bug in this code.
11-24-2011 07:42 AM
If anyone else is interested, apparently this is a bug and will be fixed in the next release of code.
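A small configuration audit for the risk raised in this thread, added here as an example and not written by any of the posters: it flags VTY lines carrying `privilege level 15` (every account that can log in on that line starts in privileged EXEC, including level-1 users) and an `access-class` ACL that has only deny entries, which the implicit deny turns into a full block. The sample config, usernames and function names are constructed for illustration.

```python
import re

# Constructed sample running-config (illustrative, not from a real device).
SAMPLE_CONFIG = """\
username admin privilege 15 secret 5 $1$constructed
username helpdesk privilege 1 secret 5 $1$constructed
access-list 123 deny tcp any eq 22 any
ip ssh port 3210 rotary 1
line vty 0 4
 privilege level 15
 rotary 1
 access-class 123 in
 login local
line vty 5 15
 login local
"""

def parse_line_blocks(config):
    """Return {header: [sub-commands]} for each 'line ...' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # back at top level
    return blocks

def audit(config):
    """Return (line header, finding, detail) tuples for VTY lines."""
    findings = []
    # Local users below level 15; no 'privilege' keyword means level 1.
    users = re.finditer(r"^username (\S+)(?: privilege (\d+))?", config, re.M)
    low_priv = [m.group(1) for m in users if int(m.group(2) or 1) < 15]
    acls = {}
    for m in re.finditer(r"^access-list (\d+) (permit|deny)\b", config, re.M):
        acls.setdefault(m.group(1), []).append(m.group(2))
    for header, cmds in parse_line_blocks(config).items():
        if not header.startswith("line vty"):
            continue
        if "privilege level 15" in cmds:
            findings.append((header, "line-privilege-15", low_priv))
        for cmd in cmds:
            m = re.fullmatch(r"access-class (\d+) in", cmd)
            entries = acls.get(m.group(1)) if m else None
            if entries and "permit" not in entries:  # implicit deny blocks all
                findings.append((header, "acl-no-permit", m.group(1)))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports both findings on `line vty 0 4` and lists `helpdesk` as the account that would be elevated.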