I lost privilege to global config mode

While I was playing with the privilege command, I entered:

Router(config)#user john privilege 3 pass mypass

And that was the only user I set up. But it seems what I did was not only setting up just one user, but also taking away my usual level 15 privilege to do "config t" without a password. Now when I log in to the router, I can only log in as john and I only have level 3 privilege. Is there any other way for me to gain access to global config mode? Or is it time for me to reset the router?

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

Ismaeljrp

Did you configure an Enable secret ?

What you did should allow you to login as john with mypass
You'll be here :
Router#
But if you run the show privi, you'll see it as 3.... you don't have full privilege exec mode, try enable once you are at the Router# prompt, it'll require you to enter the enable secret if you have it...and then you are at level 15.....your users password is not equivalent to entering the enable secret..you still have to enter the enable secret if you want privlege level 15.

workfrom925

Ismaeljrp wrote: »

Did you configure an Enable secret ?

What you did should allow you to login as john with mypass
You'll be here :
Router#
But if you run the show privi, you'll see it as 3.... you don't have full privilege exec mode, try enable once you are at the Router# prompt, it'll require you to enter the enable secret if you have it...and then you are at level 15.....your users password is not equivalent to entering the enable secret..you still have to enter the enable secret if you want privlege level 15.

With your explanation, I tried it out. There is no 'enable secret'. However, I gained access to the global config mode with 'enable 15'. Now here is my next question, why does the router let a user with level-3 privilege enable level-15 privilege? It's like the security isn't secure.

---
User Access Verification

Username: john
Password:
Router#show priv
Current privilege level is 3
Router#enable ?
<0-15> Enable level
view Set into the existing view
<cr>

Router#enable 15
Router#show privi
Current privilege level is 15
Router#
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#

Ismaeljrp

The reason it allowed you to enter , enable 15 so easily is because you do not have an enable secret. If you had configured the enable secret, by entering

Router# enable 15
it will ask for the secret. If you don't have it you are denied.

When you do an enable secret, it's like you are creating a superuser at the same time, albeit a default one, with no user login credentials.

If I was an Network admin, and you my network support tier 1, I wouldn't give you the secret If I didn't want you to access level 15 privilege ( for this example ).

Point is, if you want to create new users with certain privileges make sure, make sure you create a superuser by creating the enable secret and saving the config as that superuser first. superuser = level 15 privilege user.