How can I prevent logging into privilege exec mode on a Cisco Switch

ndalmolin_13
Hello Cisco Experts,

I have two Cisco switches (one a 3750 and one a 3650).  If I log into the 3750, I go into user mode.  I then have to issue the "enable" command and then provide the "enable" password to get to privilege mode.  This is the way I want it to be.

On the 3650, when I log in, I go directly to privilege mode.  On this switch, I don't have to provide the "enable" password to get to privilege mode.  

I want to change the configuration on the 3650 to require me to input the "enable" password to get to privilege mode.

On both switches, I have set up a local user.  I thought maybe the privilege levels may be different and thus controlled what level I logged in at, but that doesn't appear to be the case.  Below are the user setups for both switches:

3750:
username nickd privilege 15 secret 5 ********quR/Ml0Jrp8O**********.

3650:
username nickd privilege 15 secret 5 ********ZlH3/sdazSAN**********.

What configuration forces users to log in at user level?

Thanks,
Nick

Commented:
Are you running aaa?

User level login is determined by the privilege level and aaa (if used).
Matt Minor, Technical Systems Analyst

Commented:
If I log into the 3750, I go into user mode.  I then have to issue the "enable" command and then provide the "enable" password to get to privilege mode.  This is the way I want it to be.
Log in to global config mode on the 3650 and issue:
# enable password [thepassword]
(This is a plain-text, unencrypted password that can be viewed easily by issuing a "show run" command.)

A more appropriate method is to use the "enable secret [password]" which is at least encrypted and not viewable in plain-text in the running configuration.
Akinsd, Network Administrator

Commented:
On the 3650, when I log in, I go directly to privilege mode.  On this switch, I don't have to provide the "enable" password to get to privilege mode.  

This means you're logging in with usernames other than the generic Cisco login, which means the login local command is configured on your switches and the account you're logging in from has its privilege level set to 15.

Option 1
Disable the login local feature and use the default Cisco login, then set enable password as desired

Option 2
Create another user login and specify any level except for privilege level 15

Option 3
Downgrade the privilege level of the user account you're using from level 15

Author

Commented:
Akinsd,

If I downgrade the privilege level to, say, 10, can I still make configuration changes if I provide the enable password? (I would lab this up if I had a spare switch, but I don't.  Sorry.)

Nick
Network Administrator
Commented:
Yes.
Use 1 instead unless you plan to customize level 10.
Privilege levels 2 through 14 may be customized.
They are no different from 1 with the default settings (unless you customize them).

These links may help
http://www.techrepublic.com/blog/data-center/understand-the-levels-of-privilege-in-the-cisco-ios-104552/

https://learningnetwork.cisco.com/docs/DOC-15878
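
The causes named in the answers above (a privilege 15 local user combined with login local, a line-level privilege setting, or AAA), as an added example that is not part of the original thread: a small Python check that reads a saved running-config and reports why a login would skip the "enable" prompt. The sample config, the "helpdesk" user and the function name are constructed for illustration; the AAA branch assumes the usual IOS behaviour that a local user's level is applied only when exec authorization uses the local database.

```python
import re

# Constructed running-config excerpt (not taken from either switch in the thread).
SAMPLE_CONFIG = """\
enable secret 5 <hash-placeholder>
username nickd privilege 15 secret 5 <hash-placeholder>
username helpdesk privilege 1 secret 5 <hash-placeholder>
line con 0
 login local
line vty 0 4
 login local
line vty 5 15
 privilege level 15
 login
"""

def audit(config):
    """List the reasons a login would start in privileged EXEC (level 15)."""
    aaa = re.search(r"^aaa new-model\b", config, re.M) is not None
    # Assumption: exec authorization against the local database applies the user's level.
    aaa_local = re.search(r"^aaa authorization exec \S+ .*\blocal\b", config, re.M)
    # Local users created at level 15 (a username without "privilege" gets 1).
    priv15 = re.findall(r"^username (\S+) privilege 15\b", config, re.M)
    findings, line = [], None
    for raw in config.splitlines():
        cmd = raw.strip()
        if raw.startswith("line "):
            line = cmd[5:]                    # entering a line sub-mode
        elif raw and not raw.startswith(" "):
            line = None                       # back at global config level
        elif line and cmd == "privilege level 15":
            findings.append(f"{line}: every session starts at level 15")
        elif line and cmd == "login local" and not aaa:
            findings += [f"{line}: {u} logs in at level 15" for u in priv15]
    if aaa and aaa_local:
        findings += [f"aaa exec authorization: {u} logs in at level 15" for u in priv15]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running it against the output of "show run" from both switches shows which of these settings differs between them; an empty result means every login on that config starts in user mode and needs "enable".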
