Solved

Problem entering privilege exec from a view on Cisco router

Posted on 2010-09-16
Last Modified: 2012-05-10
I have two Cisco 1812 routers with almost identical configuration. My problem is that my viewuser does not enter privilege exec mode on one of the routers, but I can't figure out why. (Router> instead of Router#)

Since I can't post my whole config, I've copied the parts that I think are essential to my problem. As far as I can see, the following config is identical on both routers, so maybe I should pay attention to other parts of the configuration? Maybe someone has some clues?


parser view myView
 secret 5 $1$Fs7i$pfwfewaawf56ergasefw5yg....
 commands interface include my
 commands interface include included
 commands interface include commands
 commands exec include my
 commands exec include included
 commands exec include commands
!
enable secret 5 $1$0iQ1$gWVe49c485dr8Asz4WBoP1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_auth local
aaa authorization exec default local
aaa authorization network vpn_auth local
!
username super privilege 15 secret 5 $1$kVariogjurynbqrta8erytnaerygauierh
username viewuser view myView secret 5 $1$JIheguhUIueg345alJKHg
!
access-list 102 permit ip 10.0.44.0 0.0.0.255 any
access-list 102 deny   ip any any
!
line vty 0 4
 access-class 102 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 102 in
 privilege level 15
 transport input telnet ssh
!

Question by:nebb-jsr
14 Comments
 
LVL 7

Expert Comment

by:GridLock137
ID: 33700303
Are you able to get into one and not the other with the same user, or is the user not able to access priv exec mode on both routers?
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33701916
Try entering these commands on the router that isn't working

clear parser cache
parser cache
enable view myView
?

and see if the commands available are what you expect

Good Luck
0
 

Author Comment

by:nebb-jsr
ID: 33704891
bgoering: seems like you are on the right track, but your suggestion didn't work. The "parser cache" command is not available to me at all. I tried the following right after logging in:

FWVPNGW>show privilege
Currently in View Context with view 'myView'
FWVPNGW>enable view myView (just to be 100% sure)
% Already inside the view myView.
FWVPNGW>en
Password:
FWVPNGW#show privilege
Current privilege level is 15
FWVPNGW#disable
FWVPNGW>enable view SDM_EasyVPN_Remote
Password:
FWVPNGW#

and now my view behaves like it should! ..so going from myView -> privilege 15 -> privilege 1 -> myView does the trick. This confuses me even more :/



0

 

Author Comment

by:nebb-jsr
ID: 33704921
oh.. cut and paste error in last post:

FWVPNGW>enable view SDM_EasyVPN_Remote

..should be..

FWVPNGW>enable view myView
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33705017
Let me see if I have this right - you have full level 15 access until you disable and enable again. Then it works correctly?
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33705103
I am about to leave for the day - but I found this article (http://www.ciscosystems.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_role_base_cli_ps6441_TSD_Products_Configuration_Guide_Chapter.html)

Is it possible that you weren't in root view when you created your other view? If still having problems try the debug techniques from that article:

"Monitoring Views and View Users
To display debug messages for all views—root, CLI, lawful intercept, and super—use the debug parser view command in privileged EXEC mode."

Do that in one session, then open another session in which to test your view. See if you find anything interesting and post.

I will try to look back in later this evening
0
 

Author Comment

by:nebb-jsr
ID: 33707636
Not sure how I created the view actually, so to be sure, I tried to remove/restore the view AND create a new one from the root view. The problem is still there for both views. The article didn't help me, and the "debug parser view" wasn't available at all, neither from the root view nor from privilege 15 mode. For the record: I'm using version 12.4(24)T (C181X-ADVIPSERVICESK9-M)

bgoering: no, I have privilege 1 access, not the access defined in the view, but the router tells me I'm already inside the view. To make it work, I have to enable to privilege 15, disable and then enable view myView. That is of course not a bad solution :)
0
 
LVL 28

Expert Comment

by:bgoering
ID: 33707742
You indicated that you have two routers. If the other router behaves correctly can you post full configs for both? Mask things like public ip addresses and cleartext passwords. Attach as a file (rather than code)

If both routers behave the same perhaps that is just how it works...
0
 

Author Comment

by:nebb-jsr
ID: 33708149
sorry, can't post full config. They are full of customer related information :/ Haven't checked the IOS version on the router that behaves correctly. Will try to check that later today.
0
 

Author Comment

by:nebb-jsr
ID: 33712108
Now I have been able to check the software version on the other router (that is behaving correctly): 12.4(15)T5 of the C181X-ADVIPSERVICESK9-M image. Since I can't post the full configuration, I've been going through the configuration again. The biggest difference I've noticed is that the parser view is defined at the top of the config on the router that is not behaving correctly, but at the bottom on the router that is behaving correctly. Might this be a lead?
0
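Added example, not part of any post in this thread: one way to compare the access-control stanzas of two IOS configs when the full files cannot be shared, masking secrets as bgoering asked and ignoring where in the file a stanza appears. The function names, the choice of relevant stanzas and both sample configs are assumptions constructed for illustration; the difference between the samples is not a diagnosis of the problem above.

```python
import re
# Top-level lines that govern login and views (selection is an assumption).
RELEVANT = ("parser view", "aaa ", "username ", "enable ", "line vty")
SECRET = re.compile(r"\b(secret|password)(\s+\d+)?\s+\S+")

def mask(line):
    """Replace secret/password material so hashes are never shared."""
    return SECRET.sub(lambda m: m.group(1) + " <masked>", line)

def stanzas(config):
    """Map each relevant top-level line to its indented child lines."""
    out, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            current = None  # separator ends the stanza
        elif not line.startswith(" "):
            head = mask(line)
            current = out.setdefault(head, []) if head.startswith(RELEVANT) else None
        elif current is not None:
            current.append(mask(line.strip()))
    return out

def diff(config_a, config_b):
    """List (stanza, child, side) differences, ignoring stanza order."""
    a, b, found = stanzas(config_a), stanzas(config_b), []
    for head in sorted(set(a) | set(b)):
        if head not in a or head not in b:
            found.append((head, None, "A" if head in a else "B"))
        else:
            found += [(head, c, "A") for c in a[head] if c not in b[head]]
            found += [(head, c, "B") for c in b[head] if c not in a[head]]
    return found

# Constructed samples (not the asker's configs); B defines the view last.
ROUTER_A = """parser view myView
 secret 5 $1$AAAA$constructedA
!
username viewuser view myView secret 5 $1$BBBB$constructedB
line vty 0 4
 transport input telnet ssh
"""
ROUTER_B = """username viewuser view myView secret 5 $1$CCCC$constructedC
line vty 0 4
 transport input ssh
parser view myView
 secret 5 $1$DDDD$constructedD
"""
print(diff(ROUTER_A, ROUTER_B))
```

Because type 5 hashes are salted, the same password yields different strings on each router; masking them first keeps those lines from showing up as false differences.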
 
LVL 28

Expert Comment

by:bgoering
ID: 33712360
It might, but I wouldn't think so. I suppose you have tried deleting all the parser stuff and re-creating?
0
 

Author Comment

by:nebb-jsr
ID: 33712476
Yep. Deletion and recreate didn't help. To be sure I didn't miss anything, I also created a new parser and connected the view to a new user. Same result..
0
 
LVL 28

Accepted Solution

by:
bgoering earned 2000 total points
ID: 33712735
I am officially out of ideas - anyone else?
0
 

Author Closing Comment

by:nebb-jsr
ID: 33845245
Was not able to solve my problem. Ran out of time, so I was forced to give the user full level 15 access :(
0
