How can I prevent logging into privilege exec mode on a Cisco Switch
Hello Cisco Experts,
I have two Cisco switches (one a 3750 and one a 3650). If I log into the 3750, I go into user mode. I then have to issue the "enable" command and the provide the "enable" password to get to privilege mode. This is the way I want it to be.
On the 3650, when I log in, I go directly to privilege mode. On this switch, I don't have to provide the "enable" password to get to privilege mode.
I want to change the configuration on the 3650 to require me to input the "enable" password to get to privilege mode.
On both switches, I have setup a local user. I though maybe the privilege levels may be different and thus controlled what level I logged in at, but that doesn't appear to be the case. Below are the user setups for both switches:
3750:
username nickd privilege 15 secret 5 ********quR/Ml0Jrp8O******
3650:
username nickd privilege 15 secret 5 ********ZlH3/sdazSAN******
What configuration forces users to log in at user level?
Thanks,
Nick
I have two Cisco switches (one a 3750 and one a 3650). If I log into the 3750, I go into user mode. I then have to issue the "enable" command and the provide the "enable" password to get to privilege mode. This is the way I want it to be.
On the 3650, when I log in, I go directly to privilege mode. On this switch, I don't have to provide the "enable" password to get to privilege mode.
I want to change the configuration on the 3650 to require me to input the "enable" password to get to privilege mode.
On both switches, I have setup a local user. I though maybe the privilege levels may be different and thus controlled what level I logged in at, but that doesn't appear to be the case. Below are the user setups for both switches:
3750:
username nickd privilege 15 secret 5 ********quR/Ml0Jrp8O******
3650:
username nickd privilege 15 secret 5 ********ZlH3/sdazSAN******
What configuration forces users to log in at user level?
Thanks,
Nick
Asked:
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
If I log into the 3750, I go into user mode. I then have to issue the "enable" command and the provide the "enable" password to get to privilege mode. This is the way I want it to be.Log in to global config mode on the 3650 and issue:
# enable password [thepassword]
(this is a plain-text, unencrypted password that can be viewed easily by issuing a "show run" command. )
A more appropriate method is to use the "enable secret [password]" which is at least encrypted and not viewable in plain-text in the running configuration.
On the 3650, when I log in, I go directly to privilege mode. On this switch, I don't have to provide the "enable" password to get to privilege mode.
This means you're logging in with usernames other than the generic Cisco login, which means the login local command is configured on your switches and the account you're login in from has its privilege level set to 15
Option 1
Disable the login local feature and use the default Cisco login, then set enable password as desired
Option 2
Create another user login and specify any level except for privilege level 15
Option 3
Downgrade the privilege level of the user account you're using from level 15
Akinsd,
If I downgrade the privilege level to say 10 can I still make configuration changes if I provide the enable password (I would lab this up if I had a spare switch, but I don't. Sorry.)
Nick
If I downgrade the privilege level to say 10 can I still make configuration changes if I provide the enable password (I would lab this up if I had a spare switch, but I don't. Sorry.)
Nick
Yes
Use 1 instead unless you plan to customize level 10
Privilege levels 2 through 14 may be customized
They are not more different from 1 with the default setting (unless you customize them)
These links may help
http://www.techrepublic.com/blog/data-center/understand-the-levels-of-privilege-in-the-cisco-ios-104552/
https://learningnetwork.cisco.com/docs/DOC-15878
Use 1 instead unless you plan to customize level 10
Privilege levels 2 through 14 may be customized
They are not more different from 1 with the default setting (unless you customize them)
These links may help
http://www.techrepublic.com/blog/data-center/understand-the-levels-of-privilege-in-the-cisco-ios-104552/
https://learningnetwork.cisco.com/docs/DOC-15878
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trialIt's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Switches / Hubs
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
User level login is determined by the privilege level and aaa (if used).