Problem entering privilege exec from a view on Cisco router

I have two Cisco 1812 routers with almost identical configuration. My problem is that my viewuser does not enter privilege exec mode on one of the routers, but I can't figure out why. (Router> instead of Router#)

Since I can't post my whole config, I've copied the parts that I think are essential to my problem. As far as I can see, the following config is identical on both routers, so maybe I should pay attention to other parts of the configuration? Maybe someone has some clues?


parser view myView
 secret 5 $1$Fs7i$pfwfewaawf56ergasefw5yg....
 commands interface include my
 commands interface include included
 commands interface include commands
 commands exec include my
 commands exec include included
 commands exec include commands
!
enable secret 5 $1$0iQ1$gWVe49c485dr8Asz4WBoP1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_auth local
aaa authorization exec default local
aaa authorization network vpn_auth local
!
username super privilege 15 secret 5 $1$kVariogjurynbqrta8erytnaerygauierh
username viewuser view myView secret 5 $1$JIheguhUIueg345alJKHg
!
access-list 102 permit ip 10.0.44.0 0.0.0.255 any
access-list 102 deny   ip any any
!
line vty 0 4
 access-class 102 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 102 in
 privilege level 15
 transport input telnet ssh
!

Asked by: nebb-jsr

bgoering Commented:
I am officially out of ideas - anyone else?

GridLock137 Commented:
Are you able to get into one and not the other with the same user, or is the user not able to access priv exec mode on both routers?

bgoering Commented:
Try entering these commands on the router that isn't working

clear parser cache
parser cache
enable view myView
?

and see if the commands available are what you expect

Good Luck
 
nebb-jsr Author Commented:
bgoering: Seems like you are on the right track, but your suggestion didn't work. The "parser cache" command is not available to me at all. I tried the following right after logging in:

FWVPNGW>show privilege
Currently in View Context with view 'myView'
FWVPNGW>enable view myView (just to be 100% sure)
% Already inside the view myView.
FWVPNGW>en
Password:
FWVPNGW#show privilege
Current privilege level is 15
FWVPNGW#disable
FWVPNGW>enable view SDM_EasyVPN_Remote
Password:
FWVPNGW#

And now my view behaves like it should! ..so going from myView -> privilege 15 -> privilege 1 -> myView does the trick. This confuses me even more :/

nebb-jsr Author Commented:
Oh.. cut-and-paste error in last post:

FWVPNGW>enable view SDM_EasyVPN_Remote

..should be..

FWVPNGW>enable view myView

bgoering Commented:
Let me see if I have this right - you have full level 15 access until you disable and enable again. Then it works correctly?

bgoering Commented:
I am about to leave for the day - but I found this article (http://www.ciscosystems.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_role_base_cli_ps6441_TSD_Products_Configuration_Guide_Chapter.html)

Is it possible that you weren't in root view when you created your other view? If still having problems try the debug techniques from that article:

"Monitoring Views and View Users
To display debug messages for all views—root, CLI, lawful intercept, and super—use the debug parser view command in privileged EXEC mode."

Do that in one session, then open another session in which to test your view. See if you find anything interesting and post.

I will try to look back in later this evening

nebb-jsr Author Commented:
Not sure how I created the view actually, so to be sure, I tried to remove/restore the view AND create a new one from the root view. The problem is still there for both views. The article didn't help me, and the "debug parser view" wasn't available at all, neither from the root view nor privilege 15 mode. For the record: I'm using version 12.4(24)T (C181X-ADVIPSERVICESK9-M)

bgoering: No, I have privilege 1 access, not the access defined in the view, but the router tells me I'm already inside the view. To make it work, I have to enable to privilege 15, disable and then enable view myView. That is of course not a bad solution :)

bgoering Commented:
You indicated that you have two routers. If the other router behaves correctly can you post full configs for both? Mask things like public ip addresses and cleartext passwords. Attach as a file (rather than code)

If both routers behave the same perhaps that is just how it works...
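
An added example, not part of the thread and not Cisco tooling: when full configs cannot be shared, the view-related stanzas of two running-configs can be extracted, masked and compared locally. The function names, sample configs and placeholder hashes are constructed for illustration, and the list of relevant commands is an assumption based on the excerpt in the question.

```python
import re

# Top-level commands whose stanzas decide what a view user gets at login (assumed list).
RELEVANT = ("parser view ", "enable secret", "aaa ", "username ", "line vty ")
# Salted hashes differ per router even for the same password, so mask them before comparing.
SECRET_RE = re.compile(r"\b(secret|password)( \d)? \S+")

def mask(line):
    return SECRET_RE.sub(lambda m: f"{m.group(1)}{m.group(2) or ''} <masked>", line)

def view_stanzas(config):
    """Map each relevant top-level command to its indented sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = mask(raw.rstrip())
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):           # column 0: a new top-level command
            current = line if line.startswith(RELEVANT) else None
            if current:
                stanzas[current] = []
        elif current:                          # indented: belongs to current stanza
            stanzas[current].append(line.strip())
    return stanzas

def diff_views(cfg_a, cfg_b):
    """Return the view-related lines present on only one of the two routers."""
    a, b = view_stanzas(cfg_a), view_stanzas(cfg_b)
    out = []
    for head in sorted(a.keys() | b.keys()):
        if head not in a or head not in b:
            out.append(f"{'A' if head in a else 'B'} only: {head}")
            continue
        for sub in sorted(set(a[head]) ^ set(b[head])):
            out.append(f"{'A' if sub in a[head] else 'B'} only: {head} / {sub}")
    return out

# Constructed samples (placeholder hashes); B has a different hash and lacks one aaa line.
ROUTER_A = """parser view myView
 secret 5 $1$AAAA$hashA
 commands exec include my
!
aaa authorization exec default local
username viewuser view myView secret 5 $1$BBBB$hashB
line vty 0 4
 privilege level 15
"""
ROUTER_B = ROUTER_A.replace("hashA", "hashC").replace("aaa authorization exec default local\n", "")
print("\n".join(diff_views(ROUTER_A, ROUTER_B)))
```

Only structural differences are reported; the differing view secret hash is masked and so does not appear in the output.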

nebb-jsr Author Commented:
Sorry, can't post full config. They are full of customer-related information :/ Haven't checked the IOS version on the router that behaves correctly. Will try to check that later today.

nebb-jsr Author Commented:
Now I have been able to check the software version on the other router (the one that is behaving correctly): 12.4(15)T5 of the C181X-ADVIPSERVICESK9-M image. Since I can't post the full configuration, I've been going through the configuration again. The biggest difference I've noticed is that the parser view is defined at the top of the config on the router that is not behaving correctly, but at the bottom on the router that is behaving correctly. Might this be a lead?

bgoering Commented:
It might, but I wouldn't think so. I suppose you have tried deleting all the parser stuff and re-creating?

nebb-jsr Author Commented:
Yep. Deletion and recreate didn't help. To be sure I didn't miss anything, I also created a new parser and connected the view to a new user. Same result..

nebb-jsr Author Commented:
Was not able to solve my problem. Ran out of time, so I was forced to give the user full level 15 access :(
Question has a verified solution.
