Solved

Problem entering privilege exec from a view on Cisco router

Posted on 2010-09-16
Last Modified: 2012-05-10
I have two Cisco 1812 routers with almost identical configuration. My problem is that my viewuser does not enter privilege exec mode on one of the routers, but I can't figure out why. (Router> instead of Router#)

Since I can't post my whole config, I've copied the parts that I think are essential to my problem. As far as I can see, the following config is identical on both routers, so maybe I should pay attention to other parts of the configuration? Maybe someone has some clues?


parser view myView
 secret 5 $1$Fs7i$pfwfewaawf56ergasefw5yg....
 commands interface include my
 commands interface include included
 commands interface include commands
 commands exec include my
 commands exec include included
 commands exec include commands
!
enable secret 5 $1$0iQ1$gWVe49c485dr8Asz4WBoP1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_auth local
aaa authorization exec default local
aaa authorization network vpn_auth local
!
username super privilege 15 secret 5 $1$kVariogjurynbqrta8erytnaerygauierh
username viewuser view myView secret 5 $1$JIheguhUIueg345alJKHg
!
access-list 102 permit ip 10.0.44.0 0.0.0.255 any
access-list 102 deny   ip any any
!
line vty 0 4
 access-class 102 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 102 in
 privilege level 15
 transport input telnet ssh
!

Question by:nebb-jsr
14 Comments
 
LVL 7

Expert Comment

by:GridLock137
ID: 33700303
Are you able to get into one and not the other with the same user, or is the user not able to access priv exec mode on both routers?
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33701916
Try entering these commands on the router that isn't working

clear parser cache
parser cache
enable view myView
?

and see if the commands available are what you expect

Good Luck
0
 

Author Comment

by:nebb-jsr
ID: 33704891
bgoering: seems like you are on the right track, but your suggestion didn't work. The "parser cache" command is not available to me at all. I tried the following right after logging in:

FWVPNGW>show privilege
Currently in View Context with view 'myView'
FWVPNGW>enable view myView (just to be 100% sure)
% Already inside the view myView.
FWVPNGW>en
Password:
FWVPNGW#show privilege
Current privilege level is 15
FWVPNGW#disable
FWVPNGW>enable view SDM_EasyVPN_Remote
Password:
FWVPNGW#

and now my view behaves like it should! ..so going from myView -> privilege 15 -> privilege 1 -> myView does the trick. This confuses me even more :/



0
 

Author Comment

by:nebb-jsr
ID: 33704921
oh.. cut and paste error in last post:

FWVPNGW>enable view SDM_EasyVPN_Remote

..should be..

FWVPNGW>enable view myView
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33705017
Let me see if I have this right - you have full level 15 access until you disable and enable again. Then it works correctly?
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33705103
I am about to leave for the day - but I found this article (http://www.ciscosystems.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_role_base_cli_ps6441_TSD_Products_Configuration_Guide_Chapter.html)

Is it possible that you weren't in root view when you created your other view? If still having problems try the debug techniques from that article:

"Monitoring Views and View Users
To display debug messages for all views—root, CLI, lawful intercept, and super—use the debug parser view command in privileged EXEC mode."

Do that in one session, then open another session in which to test your view. See if you find anything interesting and post.

I will try to look back in later this evening
0
 

Author Comment

by:nebb-jsr
ID: 33707636
Not sure how I created the view actually, so to be sure, I tried to remove/restore the view AND create a new one from the root view. The problem is still there for both views. The article didn't help me, and the "debug parser view" wasn't available at all, neither from the root view nor privilege 15 mode. For the record: I'm using version 12.4(24)T (C181X-ADVIPSERVICESK9-M)

bgoering: no, I have privilege 1 access, not the access defined in the view, but the router tells me I'm already inside the view. To make it work, I have to enable to privilege 15, disable and then enable view myView. That is of course not a bad solution :)
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33707742
You indicated that you have two routers. If the other router behaves correctly can you post full configs for both? Mask things like public ip addresses and cleartext passwords. Attach as a file (rather than code)

If both routers behave the same perhaps that is just how it works...
0
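
Added example (not part of the thread, and not Cisco tooling): one way to act on the request above when full configs cannot be shared is to mask secrets and public addresses, then compare only the view/AAA/username/line blocks of the two routers, ignoring where in the file each block sits. The sample configs and the difference they show are constructed for illustration and are not a diagnosis of this problem.

```python
import re

# "secret 5 <hash>", "password 7 <enc>", or a cleartext "password <text>".
SECRET_RE = re.compile(r"\b(secret|password)( \d)? \S+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Addresses left readable: RFC 1918 ranges plus netmasks and wildcard masks.
KEEP_IP_RE = re.compile(r"(10|0|255|192\.168|172\.(1[6-9]|2\d|3[01]))\.")
# Top-level commands that decide which CLI context a view user lands in.
RELEVANT_RE = re.compile(r"^(parser view|aaa |username |enable |line )")

def sanitize(config):
    """Mask secrets/hashes and non-private IPv4 addresses, line by line."""
    def mask_ip(m):
        return m.group(0) if KEEP_IP_RE.match(m.group(0)) else "<PUBLIC-IP>"
    return [IPV4_RE.sub(mask_ip, SECRET_RE.sub(r"\1\2 <MASKED>", line))
            for line in config.splitlines()]

def relevant(lines):
    """Collect 'parent | child' entries so block order in the file is ignored."""
    found, parent = set(), None
    for line in lines:
        if not line.startswith(" "):
            parent = line.rstrip() if RELEVANT_RE.match(line) else None
            found.add(parent)
        elif parent and line.strip():
            found.add(f"{parent} | {line.strip()}")
    return found - {None}

def compare(cfg_a, cfg_b):
    """Return (only_in_a, only_in_b) for the sanitized, relevant lines."""
    a, b = relevant(sanitize(cfg_a)), relevant(sanitize(cfg_b))
    return sorted(a - b), sorted(b - a)

# Constructed sample configs (not from the thread); hashes are placeholders.
ROUTER_A = """\
parser view myView
 secret 5 $1$constructedA
 commands exec include show
username viewuser view myView secret 5 $1$constructedB
line vty 0 4
 privilege level 15
"""
ROUTER_B = """\
username viewuser view myView secret 5 $1$constructedC
line vty 0 4
parser view myView
 secret 5 $1$constructedD
 commands exec include show
"""
```

Because salted hashes are masked before comparison, two routers with the same password do not show up as a difference, and the output of `sanitize` is what would be attached to a post.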
 

Author Comment

by:nebb-jsr
ID: 33708149
Sorry, can't post full config. They are full of customer related information :/ Haven't checked the IOS version on the router that behaves correctly. Will try to check that later today.
0
 

Author Comment

by:nebb-jsr
ID: 33712108
Now I have been able to check the software version on the other router (that is behaving correctly): 12.4(15)T5 of the C181X-ADVIPSERVICESK9-M image. Since I can't post the full configuration, I've been going through the configuration again. The biggest difference I've noticed is that the parser view is defined at the top of the config on the router that is not behaving correctly, but at the bottom on the router that is behaving correctly. Might this be a lead?
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33712360
It might, but I wouldn't think so. I suppose you have tried deleting all the parser stuff and re-creating?
0
 

Author Comment

by:nebb-jsr
ID: 33712476
Yep. Deletion and recreate didn't help. To be sure I didn't miss anything, I also created a new parser and connected the view to a new user. Same result..
0
 
LVL 28

Accepted Solution

by:
bgoering earned 500 total points
ID: 33712735
I am officially out of ideas - anyone else?
0
 

Author Closing Comment

by:nebb-jsr
ID: 33845245
Was not able to solve my problem. Ran out of time, so I was forced to give the user full level 15 access :(
0
