Solved

Problem entering privilege exec from a view on Cisco router

Posted on 2010-09-16
Last Modified: 2012-05-10
I have two Cisco 1812 routers with almost identical configuration. My problem is that my viewuser does not enter privilege exec mode on one of the routers, but I can't figure out why. (Router> instead of Router#)

Since I can't post my whole config, I've copied the parts that I think are essential to my problem. As far as I can see, the following config is identical on both routers, so maybe I should pay attention to other parts of the configuration? Maybe someone has some clues?


parser view myView
 secret 5 $1$Fs7i$pfwfewaawf56ergasefw5yg....
 commands interface include my
 commands interface include included
 commands interface include commands
 commands exec include my
 commands exec include included
 commands exec include commands
!
enable secret 5 $1$0iQ1$gWVe49c485dr8Asz4WBoP1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_auth local
aaa authorization exec default local
aaa authorization network vpn_auth local
!
username super privilege 15 secret 5 $1$kVariogjurynbqrta8erytnaerygauierh
username viewuser view myView secret 5 $1$JIheguhUIueg345alJKHg
!
access-list 102 permit ip 10.0.44.0 0.0.0.255 any
access-list 102 deny   ip any any
!
line vty 0 4
 access-class 102 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 102 in
 privilege level 15
 transport input telnet ssh
!

0
Question by:nebb-jsr
14 Comments
 
LVL 7

Expert Comment

by:GridLock137
ID: 33700303
Are you able to get into one and not the other with the same user, or is the user not able to access priv exec mode on both routers?
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33701916
Try entering these commands on the router that isn't working

clear parser cache
parser cache
enable view myView
?

and see if the commands available are what you expect

Good Luck
0
 

Author Comment

by:nebb-jsr
ID: 33704891
bgoering: seems like you are on the right track, but your suggestion didn't work. The "parser cache" command is not available to me at all. I tried the following right after logging in:

FWVPNGW>show privilege
Currently in View Context with view 'myView'
FWVPNGW>enable view myView (just to be 100% sure)
% Already inside the view myView.
FWVPNGW>en
Password:
FWVPNGW#show privilege
Current privilege level is 15
FWVPNGW#disable
FWVPNGW>enable view SDM_EasyVPN_Remote
Password:
FWVPNGW#

and now my view behaves like it should! ..so going from myView -> privilege 15 -> privilege 1 -> myView does the trick. This confuses me even more :/



0
 

Author Comment

by:nebb-jsr
ID: 33704921
oh.. cut and paste error in last post:

FWVPNGW>enable view SDM_EasyVPN_Remote

..should be..

FWVPNGW>enable view myView
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33705017
Let me see if I have this right - you have full level 15 access until you disable and enable again. Then it works correctly?
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33705103
I am about to leave for the day - but I found this article (http://www.ciscosystems.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_role_base_cli_ps6441_TSD_Products_Configuration_Guide_Chapter.html)

Is it possible that you weren't in root view when you created your other view? If still having problems try the debug techniques from that article:

"Monitoring Views and View Users
To display debug messages for all views—root, CLI, lawful intercept, and super—use the debug parser view command in privileged EXEC mode."

Do that in one session, then open another session in which to test your view. See if you find anything interesting and post.

I will try to look back in later this evening
0
 

Author Comment

by:nebb-jsr
ID: 33707636
Not sure how I created the view actually, so to be sure, I tried to remove/restore the view AND create a new one from the root view. The problem is still there for both views. The article didn't help me, and the "debug parser view" wasn't available at all, neither from the root view nor privilege 15 mode. For the record: I'm using version 12.4(24)T (C181X-ADVIPSERVICESK9-M)

bgoering: no, I have privilege 1 access, not the access defined in the view, but the router tells me I'm already inside the view. To make it work, I have to enable to privilege 15, disable and then enable view myView. That is of course not a bad solution :)
0

 
LVL 28

Expert Comment

by:bgoering
ID: 33707742
You indicated that you have two routers. If the other router behaves correctly can you post full configs for both? Mask things like public ip addresses and cleartext passwords. Attach as a file (rather than code)

If both routers behave the same perhaps that is just how it works...
0
 

Author Comment

by:nebb-jsr
ID: 33708149
sorry, can't post full config. They are full of customer related information :/ Haven't checked the IOS version on the router that behaves correctly. Will try to check that later today.
0
 

Author Comment

by:nebb-jsr
ID: 33712108
Now I have been able to check the software version on the other router (that is behaving correctly): 12.4(15)T5 of C181X-ADVIPSERVICESK9-M image. Since I can't post the full configuration, I've been going through the configuration again. The biggest difference I've noticed is that the parser view is defined at the top of the config on the router that is not behaving correctly, but at the bottom on the router that is behaving correctly. Might this be a lead?
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33712360
It might, but I wouldn't think so. I suppose you have tried deleting all the parser stuff and re-creating?
0
 

Author Comment

by:nebb-jsr
ID: 33712476
Yep. Deletion and recreate didn't help. To be sure I didn't miss anything, I also created a new parser and connected the view to a new user. Same result..
0
 
LVL 28

Accepted Solution

by:
bgoering earned 500 total points
ID: 33712735
I am officially out of ideas - anyone else?
0
 

Author Closing Comment

by:nebb-jsr
ID: 33845245
Was not able to solve my problem. Ran out of time, so I was forced to give the user full level 15 access :(
0
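
Added example, not part of the original thread: bgoering asked for both configs with secrets masked, and the poster noticed that the parser view sits at a different position in each file. This Python script extracts only the view-related stanzas, masks secret values, and reports lines present on one router but not the other regardless of stanza order. The function names and both sample configs are constructed for illustration and are not the poster's.

```python
import re
# Top-level IOS lines that bear on role-based CLI views and exec authorization.
RELEVANT = re.compile(r"^(parser view |aaa |username |enable secret |line vty )")
SECRET = re.compile(r"\b(secret|password)( \d)? \S+")  # hashed or cleartext value

def mask(line):
    return SECRET.sub(r"\1 <masked>", line)  # value replaced, safe to share

def view_lines(config):
    """Collect view-related lines as 'parent | child' keys, secrets masked."""
    found, parent = set(), None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith(" "):              # sub-command of current stanza
            if parent and line.strip() != "!":
                found.add(f"{parent} | {mask(line.strip())}")
        elif line and not line.startswith("!"):
            parent = mask(line) if RELEVANT.match(line) else None
            if parent:
                found.add(parent)
    return found

def compare(config_a, config_b):
    """Return (lines only on A, lines only on B), independent of stanza order."""
    a, b = view_lines(config_a), view_lines(config_b)
    return sorted(a - b), sorted(b - a)

# Constructed sample configs (not the poster's): same view, different position.
ROUTER_A = """\
parser view myView
 secret 5 $1$AAAA$constructedHashA
 commands exec include show version
aaa authorization exec default local
username viewuser view myView secret 5 $1$BBBB$constructedHashB
line vty 0 4
 privilege level 15
"""
ROUTER_B = """\
username viewuser view myView secret 5 $1$CCCC$constructedHashC
line vty 0 4
 privilege level 15
 transport input ssh
parser view myView
 secret 5 $1$DDDD$constructedHashD
 commands exec include show version
"""
if __name__ == "__main__":
    print(compare(ROUTER_A, ROUTER_B))
```

Because every secret is reduced to `<masked>`, differing salts do not show up as differences, and the output can be posted without exposing hashes.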
