I lost privilege to global config mode
workfrom925
Member Posts: 196
in CCNA & CCENT
While I was playing with the privilege command, I entered:
Router(config)#user john privilege 3 pass mypass
And that was the only user I set up. But it seems what I did was not only setting up just one user, but also taking away my usual level 15 privilege to do "config t" without a password. Now when I log in to the router, I can only log in as john and I only have level 3 privilege. Is there any other way for me to gain access to global config mode? Or is it time for me to reset the router?
Comments
Ismaeljrp Member Posts: 480
Did you configure an Enable secret?
What you did should allow you to log in as john with mypass
You'll be here:
Router#
But if you run show privi, you'll see it as 3. You don't have full privilege exec mode. Try enable once you are at the Router# prompt; it'll require you to enter the enable secret if you have it, and then you are at level 15. Your user's password is not equivalent to entering the enable secret. You still have to enter the enable secret if you want privilege level 15.
workfrom925 Member Posts: 196
With your explanation, I tried it out. There is no 'enable secret'. However, I gained access to the global config mode with 'enable 15'. Now here is my next question, why does the router let a user with level-3 privilege enable level-15 privilege? It's like the security isn't secure.
---
User Access Verification
Username: john
Password:
Router#show priv
Current privilege level is 3
Router#enable ?
<0-15> Enable level
view Set into the existing view
<cr>
Router#enable 15
Router#show privi
Current privilege level is 15
Router#
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
Ismaeljrp Member Posts: 480
The reason it allowed you to enter enable 15 so easily is because you do not have an enable secret. If you had configured the enable secret, by entering
Router# enable 15
it will ask for the secret. If you don't have it you are denied.
When you do an enable secret, it's like you are creating a superuser at the same time, albeit a default one, with no user login credentials.
If I was a network admin, and you my network support tier 1, I wouldn't give you the secret if I didn't want you to access level 15 privilege (for this example).
Point is, if you want to create new users with certain privileges, make sure you create a superuser by creating the enable secret and saving the config as that superuser first. superuser = level 15 privilege user.
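An added example, not part of the original thread: a Python check over a saved running-config that lists local users below level 15 when no enable secret or enable password guards level 15, which is the state shown in the session above. The sample configs, the placeholder hashes and the function name unguarded_escalation are constructed for illustration.

```python
import re

# Constructed sample: the state described in the thread (one level-3 user, no enable secret).
WEAK_CONFIG = """\
hostname Router
username john privilege 3 password 0 mypass
line con 0
 login local
"""

# Constructed sample: enable secret and a level-15 user configured first (hashes are placeholders).
FIXED_CONFIG = """\
hostname Router
enable secret 5 $1$EXAMPLE$placeholderhash
username admin privilege 15 secret 5 $1$EXAMPLE$placeholderhash
username john privilege 3 password 0 mypass
line con 0
 login local
"""

# 'username NAME [privilege N] ...'; IOS defaults a user to level 1 when N is omitted.
USER_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.M)
# 'enable secret|password [level N] ...'; without 'level' the secret guards level 15.
ENABLE_RE = re.compile(r"^enable\s+(?:secret|password)\s+(?:level\s+(\d+)\s+)?", re.M)


def unguarded_escalation(config):
    """Return [(user, level)] for local users below level 15 when nothing guards 'enable' to 15."""
    guarded = any(level in ("", "15") for level in ENABLE_RE.findall(config))
    if guarded:
        return []
    users = [(name, int(level) if level else 1) for name, level in USER_RE.findall(config)]
    return sorted((name, level) for name, level in users if level < 15)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        hits = unguarded_escalation(cfg)
        if hits:
            for name, level in hits:
                print(f"{label}: {name} (level {level}) can 'enable' to 15 with no password")
        else:
            print(f"{label}: enable to level 15 is password protected")
```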