Problem setting custom Privilege levels
logicmyfoot
Member Posts: 82
Hi Guys,
I'm using PT and [mostly due to being extremely fast in configs] I am trying to practice configuring custom privilege levels.
I am trying to set up 2 logins:
1. A level 2 [username L2] with access to ping and secret password L2 [easy to remember]
2. A level 15 [username L15] and secret password L15
I have also set up custom enable secret passwords for both privilege levels. The problem I am facing is that after I log in using the level 2 user I am in exec mode ( # ); show privilege verifies the level as 2, but as soon as I enter enable [R1#en] my privilege level gets changed to privilege level 15, just like that, and no password is required. Where am I going wrong??
Below is the running config:
enable secret level 2 5 $1$mERr$aGTC1pRi8cvgFN7LKy.nF/
enable secret level 15 5 $1$mERr$YwJ4gRkfpbjzZ9sAd2Le91
!
!
!
!
username l15 privilege 15 secret 5 $1$mERr$YwJ4gRkfpbjzZ9sAd2Le91
username l2 privilege 2 secret 5 $1$mERr$1kxmPHe/3gEyP0x4P.lJV1
!
!
!
privilege exec level 2 ping
!
Comments
notgoing2fail Member Posts: 1,138
logicmyfoot wrote: »
console
I did do login local @ line con 0
What does your console config look like? I assume you have aaa new-model enabled...
logicmyfoot Member Posts: 82
Here is the full config:
%SYS-5-CONFIG_I: Configured from console by console
Router#wr
Building configuration...
[OK]
Router#sh run
Building configuration...
Current configuration : 746 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
enable secret level 2 5 $1$mERr$aGTC1pRi8cvgFN7LKy.nF/
enable secret level 15 5 $1$mERr$NpNB8KR7zDCyumz2tpvb9/
!
!
!
aaa new-model
!
!
!
!
!
!
!
!
username l15 privilege 15 secret 5 $1$mERr$YwJ4gRkfpbjzZ9sAd2Le91
username l2 privilege 2 secret 5 $1$mERr$1kxmPHe/3gEyP0x4P.lJV1
!
!
!
!
!
ip name-server 0.0.0.0
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
ip classless
!
!
!
!
!
!
privilege exec level 2 ping
!
!
!
!
line con 0
login local
line vty 0 4
login
!
!
!
end
Here is what happens:
Router#relo
Proceed with reload? [confirm]
%SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
Copyright (c) 2000 by cisco Systems, Inc.
cisco 2621 (MPC860) processor (revision 0x200) with 60416K/5120K bytes of memory
Self decompressing the image :
########################################################################## [OK]
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(2, RELEASE SOFTWARE (fc5)
Technical Support: Cisco - Shortcut
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Wed 27-Apr-04 19:01 by miwang
cisco 2621 (MPC860) processor (revision 0x200) with 60416K/5120K bytes of memory
.
Processor board ID JAD05190MTZ (4292891495)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
32K bytes of non-volatile configuration memory.
63488K bytes of ATA CompactFlash (Read/Write)
Press RETURN to get started!
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
%SYS-5-CONFIG_I: Configured from console by console
User Access Verification
Username: l2
Password:
Router>en
Router#sh pri
Current privilege level is 15
Router#
notgoing2fail Member Posts: 1,138
I seem to be running into the same thing myself.
Let me see what I can dig up.
notgoing2fail Member Posts: 1,138
OK, I figured out your issue.
You have aaa new-model configured. If you take that out, then when you log in with your level 2 account, it will show level 2 and only ping will work.
I just tried it out myself...
logicmyfoot Member Posts: 82
Well, tbh, I applied aaa new-model when you mentioned it in your last post; before that it was the same issue as well. My guess is PT [Packet Tracer] is at fault here??
*BB* Member Posts: 95
Try this and see if this does what you are looking to do:
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username l15 privilege 15 secret 5 $1$mERr$YwJ4gRkfpbjzZ9sAd2Le91
username l2 privilege 2 secret 5 $1$mERr$1kxmPHe/3gEyP0x4P.lJV1
and then set what command(s) you want to based on privilege level.
Procrastinator extraordinaire
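The AAA-based layout *BB* suggests, written out as a complete configuration with the privilege-level command assignments the original poster wanted. This is an added example, not a configuration from the thread or from any poster; the hostname R1, the plaintext placeholder secrets and the extra level-2 commands are assumptions.

```cisco
! Added example, not from the thread: local AAA with exec authorization so the
! privilege level stored on the username record is applied at login.
! Hostname, plaintext secrets and the extra level-2 commands are assumptions.
hostname R1
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! Secrets are placeholders; use long random values in practice.
! 'enable' with no level argument asks for the level-15 secret.
! 'enable 2' from a lower level asks for the level-2 secret.
enable secret level 2 L2EnableSecret
enable secret L15EnableSecret
!
! The privilege level comes from the username record once exec
! authorization is local.
username l2 privilege 2 secret L2UserSecret
username l15 privilege 15 secret L15UserSecret
!
! Assign the commands level 2 may run. 'privilege exec level 2 ping'
! makes ping available at level 2 (and above) and takes it away from level 1.
! Leave 'configure terminal' and 'show running-config' at level 15.
privilege exec level 2 ping
privilege exec level 2 traceroute
privilege exec level 2 show ip interface brief
!
! With aaa new-model the lines use the default login method list, so
! 'login local' is no longer configured under the line.
line con 0
line vty 0 4
! (add 'transport input ssh' once an RSA key pair exists)
```

To check it, log in as l2 on the console: show privilege should report 2, ping and traceroute should run, configure terminal should be rejected as an unrecognised command, and enable should prompt for the level-15 enable secret rather than silently promoting the session. Moving a command down to level 2 also moves its parent keywords (show, show ip, ...), so review what each lowered command exposes before granting it.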
logicmyfoot Member Posts: 82
*BB* wrote: »
Try this and see if this does what you are looking to do:
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username l15 privilege 15 secret 5 $1$mERr$YwJ4gRkfpbjzZ9sAd2Le91
username l2 privilege 2 secret 5 $1$mERr$1kxmPHe/3gEyP0x4P.lJV1
and then set what command(s) you want to based on privilege level.
Sorry m8, still no go!
I did try my original config on GNS and it worked like a charm without aaa new-model, so I suppose Packet Tracer is at fault.
notgoing2fail Member Posts: 1,138
Oh, I didn't know this was in PT. Since it's limited, I don't think it can be reliable.
However, I did run into your issue with real equipment, but removing the AAA worked for me....
The other suggestion above sounds like it would work too; I'll give it a try later today, as it would be nice to be able to do this with AAA enabled....
geezer Member Posts: 136
Haven't had a chance to try AAA authorization but it should work from what I've read. Alternatively, with "aaa new-model" one could configure role-based views.
aaa new-model
enable view
parser view L2
 secret 0 l2
 commands exec include ping
To use: enable view L2
? <cr> should display ping
I used to be undecided but now I'm not so sure.
There are only 10 types of people in the world: Those who understand binary, and those who don't!
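The view-based alternative geezer outlines, as a full configuration that binds the l2 user to the view at login instead of relying on a numbered privilege level. This is an added example, not geezer's or Cisco's configuration; the hostname R1, the placeholder secrets and the two extra show commands are assumptions.

```cisco
! Added example, not from the thread: a role-based CLI view that exposes only
! ping and two show commands. Hostname, secrets and the extra commands are
! assumptions.
hostname R1
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! The root view is entered with 'enable view' and is protected by the
! level-15 enable secret; views cannot be created without one.
enable secret L15EnableSecret
!
! Configure the view from the root view ('enable view', then 'configure terminal').
parser view L2
 secret L2ViewSecret
 commands exec include ping
 commands exec include show version
 commands exec include show clock
!
! Bind the user to the view so the session starts there; l15 keeps full access.
username l2 view L2 secret L2UserSecret
username l15 privilege 15 secret L15UserSecret
```

After logging in as l2, show parser view reports L2 and ? lists only the included commands plus the few every view carries, such as exit and enable. Anyone who knows the view's own secret can switch into it with enable view L2, so treat that secret the same way as an enable secret.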
logicmyfoot Member Posts: 82
Yes, this works in Packet Tracer and GNS3 as well. My original config also works well in GNS3; PT was giving me trouble.