Cisco 837 VPN User access

Posted on 2004-08-25
Last Modified: 2008-01-16
I've a Cisco 837 acting as a VPN server for two Cisco VPN client software and I would like to restrict the users to have only access to VPN.
The users I create with "username test password **" have access to VPN and to the router configuration also! I need to restrict them to VPN-only authentication.

Is that possible?
Question by: diegogalletti
LVL 28

Expert Comment

ID: 11894076
username test privilege 0 password ***
privilege exec level 1 enable

By default you can go to enable mode from privilege level 0, but a normal login puts you at privilege level 1. The 2nd line means that users below level 1 won't have access to the "enable" command. User test will be at level 0 when they authenticate. So when the VPN users authenticate they can't do anything on the router, but their traffic can still pass through.

We do this with our router-router ISDN authentication so if someone guesses the password they still won't have router privileges.

Author Comment

ID: 11929346
Thank you, I tried it now but no way.
The new user is "username test privilege 0 password..." but they are able to enable with the enable password.
Maybe something to change in "privilege exec level 1 enable"?

LVL 28

Expert Comment

ID: 11932462
No, that should do it. Try telnetting to the router and logging in as user test. Type "show privilege". It shouldn't even recognize the word "show". Then try to get into enable mode and it should fail on that too. If you get an answer to show privilege, tell me what it says and also post your config here, minus actual passwords. If you can, just post the output of "show runn | include privilege"

Author Comment

ID: 11940935
Ok, this is a cut of config:

version 12.3
no service pad
no service timestamps debug uptime
service timestamps log datetime
service password-encryption
hostname IW-837
memory-size iomem 5
logging buffered 32000 informational
no logging console
no logging monitor
enable secret 5 ****************************
username test privilege 0 secret 5 **********************


IW-837>show privi
IW-837>show privi
Current privilege level is 1
IW-837#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
IW-837#sho pri
Current privilege level is 15

Suggestion?
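A small audit script, added here as an example and not part of the thread, that checks the symptom shown in the config and session above: it compares the privilege level written on the "username" line against the level the router actually reports after login, and flags any jump to level 15 (enable). The config and session text below are constructed samples in the shape of the posted ones.

```python
import re

# Constructed sample: a redacted "show run | include privilege" cut and a
# login transcript shaped like the one posted in the thread.
RUNNING_CONFIG = """\
enable secret 5 ****************************
username test privilege 0 secret 5 **********************
privilege exec level 1 enable
"""

SESSION = """\
IW-837>show privi
Current privilege level is 1
IW-837#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
IW-837#sho pri
Current privilege level is 15
"""

USER_RE = re.compile(r"^username (\S+) privilege (\d+)", re.M)
LEVEL_RE = re.compile(r"^Current privilege level is (\d+)", re.M)


def configured_levels(config):
    """Map username -> privilege level as written in the running config."""
    return {user: int(level) for user, level in USER_RE.findall(config)}


def observed_levels(session):
    """Every privilege level the router reported during the session, in order."""
    return [int(level) for level in LEVEL_RE.findall(session)]


def audit(config, session, user):
    """Return a list of findings; an empty list means the restriction held."""
    findings = []
    expected = configured_levels(config).get(user)
    seen = observed_levels(session)
    if expected is None:
        findings.append(f"{user}: no privilege level configured")
        return findings
    # First reported level is the post-login level; it should match the config.
    if seen and seen[0] != expected:
        findings.append(f"{user}: configured level {expected}, logged in at {seen[0]}")
    # Any level 15 in the session means the user reached enable mode.
    if any(level >= 15 for level in seen):
        findings.append(f"{user}: reached privilege level 15 (enable) during session")
    return findings
```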
LVL 28

Accepted Solution

mikebernhardt earned 125 total points
ID: 11943812
I think it's a bug in IOS. In 12.2 mainline it works. But in IOS that has the "secret" feature enhancement for the username command, which includes your 12.3 software, the privilege level argument doesn't seem to work even if you don't use the "secret" argument. I set it both to 0 and to 2, and the router ignores it. I'm actually going to tell Cisco about it, it's definitely a bug.
LVL 28

Expert Comment

ID: 11943854
How do you usually log into the router? Do you use the username command yourself, or something else? I'm wondering if we can create a workaround...

Author Comment

ID: 11950236
The IOS is 12.3(7)! I'm able to access Cisco and update the IOS again.
I use SSH to access the router.

What do you think ?

