How can I prevent logging into privilege exec mode on a Cisco Switch

Hello Cisco Experts,

I have two Cisco switches (one a 3750 and one a 3650).  If I log into the 3750, I go into user mode.  I then have to issue the "enable" command and then provide the "enable" password to get to privilege mode.  This is the way I want it to be.

On the 3650, when I log in, I go directly to privilege mode.  On this switch, I don't have to provide the "enable" password to get to privilege mode.  

I want to change the configuration on the 3650 to require me to input the "enable" password to get to privilege mode.

On both switches, I have set up a local user.  I thought maybe the privilege levels may be different and thus controlled what level I logged in at, but that doesn't appear to be the case.  Below are the user setups for both switches:

3750:
username nickd privilege 15 secret 5 ********quR/Ml0Jrp8O**********.

3650:
username nickd privilege 15 secret 5 ********ZlH3/sdazSAN**********.

What configuration forces users to log in at user level?

Thanks,
Nick
ndalmolin_13 Asked:
Jan Springer Commented:
Are you running aaa?

User level login is determined by the privilege level and aaa (if used).
Matt Minor (Technical Systems Analyst) Commented:
If I log into the 3750, I go into user mode.  I then have to issue the "enable" command and then provide the "enable" password to get to privilege mode.  This is the way I want it to be.
Log in to global config mode on the 3650 and issue:
# enable password [thepassword]
(This is a plain-text, unencrypted password that can be viewed easily by issuing a "show run" command.)

A more appropriate method is to use the "enable secret [password]" which is at least encrypted and not viewable in plain-text in the running configuration.
Akinsd (Network Administrator) Commented:
On the 3650, when I log in, I go directly to privilege mode.  On this switch, I don't have to provide the "enable" password to get to privilege mode.  

This means you're logging in with usernames other than the generic Cisco login, which means the login local command is configured on your switches and the account you're logging in from has its privilege level set to 15.

Option 1
Disable the login local feature and use the default Cisco login, then set enable password as desired

Option 2
Create another user login and specify any level except for privilege level 15

Option 3
Downgrade the privilege level of the user account you're using from level 15
ndalmolin_13 (Author) Commented:
Akinsd,

If I downgrade the privilege level to, say, 10, can I still make configuration changes if I provide the enable password? (I would lab this up if I had a spare switch, but I don't.  Sorry.)

Nick
Akinsd (Network Administrator) Commented:
Yes.
Use 1 instead unless you plan to customize level 10.
Privilege levels 2 through 14 may be customized.
They are no different from 1 with the default settings (unless you customize them).

These links may help
http://www.techrepublic.com/blog/data-center/understand-the-levels-of-privilege-in-the-cisco-ios-104552/

https://learningnetwork.cisco.com/docs/DOC-15878
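
A read-only check of the settings this thread points to (privilege level on local usernames, "enable password" versus "enable secret", AAA, and the login method on each line), given here as an added example that is not part of the original thread. The sample configuration, the "helpdesk" user, the placeholder hashes and the function name audit_login_privilege are constructed for illustration; feed it a saved copy of "show run" output.

```python
import re

# Constructed sample running-config (not from the thread); hashes are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization exec default local
enable password EXAMPLE-ONLY
username nickd privilege 15 secret 5 $1$PLACEHOLDER
username helpdesk secret 5 $1$PLACEHOLDER
line con 0
 login local
line vty 0 4
 login local
line vty 5 15
 login
"""

def audit_login_privilege(config):
    """Summarise the settings that decide which EXEC level a login lands at."""
    report = {"users": {}, "enable": None, "aaa_new_model": False,
              "exec_authorization": False, "lines": {}, "findings": []}
    current_line = None
    for raw in config.splitlines():
        text = raw.strip()
        if not raw.startswith(" "):
            current_line = None  # an unindented line ends any "line ..." sub-mode
        m = re.match(r"username (\S+)(?: privilege (\d+))?", text)
        if m:
            # IOS assigns level 1 when no "privilege" keyword is given
            report["users"][m.group(1)] = int(m.group(2) or 1)
        elif text.startswith("enable secret"):
            report["enable"] = "secret"
        elif text.startswith("enable password") and report["enable"] is None:
            report["enable"] = "password"
        elif text == "aaa new-model":
            report["aaa_new_model"] = True
        elif text.startswith("aaa authorization exec"):
            report["exec_authorization"] = True
        elif text.startswith("line "):
            current_line = text
            report["lines"][current_line] = "no login method shown"
        elif current_line and text.startswith("login"):
            report["lines"][current_line] = text
    for user, level in sorted(report["users"].items()):
        if level == 15:
            report["findings"].append(f"privilege 15 account: {user}")
    if report["enable"] != "secret":
        report["findings"].append("enable secret not set")
    return report
```

Running the same function over the saved configuration of both switches and comparing the two reports shows which of these settings differs between them.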
