> So will this do the job? Or will I have to put the privilege level 15 in under console 0
>
> >username user2 privilege 3 password 0 hello
> >username user5 privilege 5 password 0 hello
> >username admin privilege 15 password cisco
>
> >privilege configure level 5 snmp-server community * ro
> >privilege configure level 5 snmp-server community * rw
> >privilege configure level 5 snmp-server enable traps *
> >privilege exec level 2 configure terminal
> >privilege exec level 15 disable
> >privilege exec level 5 show snmp session brief
> >privilege exec level 5 show snmp user
>
> >line con 0
> >authorization commands 3 no_tacacs
> >authorization commands 15 no_tacacs
> >authorization exec no_tacacs
> >login authentication no_tacacs
> >line aux 0
> >line vty 0 4
> >authorization commands 3 lo_autho
> >authorization commands 5 lo_autho
> >authorization commands 15 lo_autho
> >authorization exec loc_autho
> >accounting commands 3 ac_tacacs
> >accounting commands 15 ac_tacacs
> >accounting exec ac_tacacs
>
>
> -----Original Message-----
> From: ccie study [mailto:[EMAIL PROTECTED]
> Sent: 6 August 2003 16:56
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: AAA/privilege problem
>
>
> 1 privilege exec level 2 enable
>
> Is why console doesn't allow you to enable mode. When you login to your
> console in your config, you login into privilege level 1 shell. Since
> enable command is in 2, you don't have access to it. Even if you add "aaa
> authorization commands 2 console none" to your console line, you will not be
> able to access.
>
> 2 you're missing privilege in your user commands. "username user2 privilege
> 2 password cisco". That should fix 2nd issue.
>
>
> >From: "Jens Petter Eikeland"
> >Reply-To: "Jens Petter Eikeland"
> >To: ,
> >Subject: AAA/privilege problem
> >Date: Wed, 6 Aug 2003 11:23:23 +0200
> >
> >I have played with some aaa. The aaa works fine when telnetting in to r2 *1,
> >but when I try to go in directly from the terminal server on to r2 and I
> >type the enable command, I have locked myself out. Why is that? Which
> >command is it that is locking me out from exec mode from the console
> >
> >*1 It seems that user2 and user5 have the same privilege when logging in.
> >What have I done wrong?... See at the bottom
> >
> >And also, is this the right method to put in privilege level 3 and 5 on the
> >vty lines to access exec mode. If I did not put in these commands I did not
> >get in to exec.
> >Are there some other method I am missing
> >
> >r2#
> >01:51:31: %SYS-5-CONFIG_I: Configured from console by consolewr t
> >Building configuration...
> >
> >Current configuration : 4576 bytes
> >!
> >version 12.2
> >service timestamps debug uptime
> >service timestamps log uptime
> >no service password-encryption
> >!
> >hostname r2
> >!
> >aaa new-model
> >aaa authentication login no_tacacs none
> >aaa authentication login tac_auth group tacacs+
> >aaa authentication login loc_auth local
> >aaa authorization exec no_tacacs none
> >aaa authorization exec loc_autho local
> >aaa authorization commands 3 no_tacacs none
> >aaa authorization commands 3 lo_autho local
> >aaa authorization commands 5 no_tacacs none
> >aaa authorization commands 5 lo_autho local
> >aaa authorization commands 15 no_tacacs none
> >aaa authorization commands 15 lo_autho local
> >aaa accounting exec ac_tacacs start-stop group tacacs+
> >aaa accounting commands 3 ac_tacacs start-stop group tacacs+
> >aaa accounting commands 15 ac_tacacs start-stop group tacacs+
> >!
> >username user2 password 0 hello
> >username user5 password 0 hello
> >memory-size iomem 10
> >ip subnet-zero
> >!
> >!
> >!
> >!
> >call rsvp-sync
> >!
> >!
> >!
> >!
> >!
> >!
> >!
> >!
> >interface Loopback0
> >ip address 22.22.22.22 255.255.255.0
> >!
> >interface Loopback1
> >ip address 122.122.122.122 255.255.255.0
> >!
> >interface FastEthernet0/0
> >ip address 150.50.22.2 255.255.255.0
> >duplex auto
> >speed auto
> >!
> >interface Serial0/0
> >no ip address
> >encapsulation frame-relay
> >!
> >interface Serial0/0.21 point-to-point
> >ip address 150.50.12.2 255.255.255.0
> >ip ospf message-digest-key 1 md5 hello
> >ip ospf network point-to-point
> >frame-relay interface-dlci 121
> >!
> >interface Serial0/0.24 point-to-point
> >ip address 150.50.24.2 255.255.255.0
> >ip ospf message-digest-key 1 md5 hello
> >ip ospf network point-to-point
> >frame-relay interface-dlci 124
> >!
> >interface Serial0/0.26 point-to-point
> >ip address 150.50.26.2 255.255.255.0
> >ip ospf message-digest-key 1 md5 hello
> >ip ospf network point-to-point
> >frame-relay interface-dlci 126
> >!
> >interface FastEthernet0/1
> >no ip address
> >shutdown
> >duplex auto
> >speed auto
> >!
> >interface Serial0/1
> >no ip address
> >shutdown
> >!
> >router ospf 100
> >router-id 22.22.22.22
> >log-adjacency-changes
> >area 1 authentication message-digest
> >area 1 virtual-link 11.11.11.11 authentication message-digest
> >area 1 virtual-link 11.11.11.11 message-digest-key 1 md5 hello
> >area 2 authentication message-digest
> >redistribute static subnets tag 1000
> >network 22.22.22.0 0.0.0.255 area 1
> >network 150.50.12.0 0.0.0.255 area 1
> >network 150.50.24.0 0.0.0.255 area 1
> >network 150.50.26.0 0.0.0.255 area 2
> >distribute-list 10 in
> >!
> >router bgp 4799
> >no synchronization
> >bgp log-neighbor-changes
> >network 122.122.122.0 mask 255.255.255.0
> >aggregate-address 202.202.0.0 255.255.0.0 as-set
> >redistribute ospf 100 route-map ospftoas112
> >neighbor 11.11.11.11 remote-as 4799
> >neighbor 11.11.11.11 password hello
> >neighbor 11.11.11.11 update-source Loopback0
> >neighbor 11.11.11.11 route-reflector-client
> >neighbor 11.11.11.11 next-hop-self
> >neighbor 11.11.11.11 soft-reconfiguration inbound
> >neighbor 11.11.11.11 prefix-list bgpfilter out
> >neighbor 55.55.55.55 remote-as 4799
> >neighbor 55.55.55.55 password hello
> >neighbor 55.55.55.55 update-source Loopback0
> >neighbor 55.55.55.55 route-reflector-client
> >neighbor 55.55.55.55 next-hop-self
> >neighbor 55.55.55.55 soft-reconfiguration inbound
> >neighbor 55.55.55.55 prefix-list bgpfilter out
> >neighbor 150.50.22.112 remote-as 112
> >neighbor 150.50.22.112 remove-private-AS
> >neighbor 150.50.22.112 soft-reconfiguration inbound
> >neighbor 150.50.24.4 remote-as 65044
> >neighbor 150.50.24.4 soft-reconfiguration inbound
> >neighbor 150.50.24.4 prefix-list bgpfilter out
> >no auto-summary
> >!
> >ip classless
> >ip route 160.60.15.0 255.255.255.0 150.50.12.1
> >ip tacacs source-interface Loopback0
> >ip http server
> >ip pim bidir-enable
> >!
> >!
> >ip prefix-list bgpfilter seq 10 deny 202.202.1.0/24
> >ip prefix-list bgpfilter seq 20 deny 202.202.2.0/24
> >ip prefix-list bgpfilter seq 30 deny 202.202.3.0/24
> >ip prefix-list bgpfilter seq 40 deny 202.202.4.0/24
> >ip prefix-list bgpfilter seq 50 deny 202.202.5.0/24
> >ip prefix-list bgpfilter seq 60 deny 202.202.6.0/23 le 32
> >ip prefix-list bgpfilter seq 70 deny 202.202.8.0/21 le 32
> >ip prefix-list bgpfilter seq 90 deny 202.202.16.0/22 le 32
> >ip prefix-list bgpfilter seq 100 deny 202.202.20.0/24 le 32
> >ip prefix-list bgpfilter seq 200 permit 0.0.0.0/0 le 32
> >access-list 10 deny 192.168.150.0 0.0.0.255
> >access-list 10 deny 10.10.77.0 0.0.0.255
> >access-list 10 permit any
> >access-list 20 permit 150.50.12.0 0.0.0.255
> >route-map ospftoas112 permit 10
> >match ip address 20
> >!
> >!
> >snmp-server enable traps snmp authentication linkdown linkup coldstart
> >warmstart
> >snmp-server enable traps tty
> >snmp-server enable traps isdn call-information
> >snmp-server enable traps isdn layer2
> >snmp-server enable traps isdn chan-not-avail
> >snmp-server enable traps isdn ietf
> >snmp-server enable traps hsrp
> >snmp-server enable traps config
> >snmp-server enable traps entity
> >snmp-server enable traps envmon
> >snmp-server enable traps bgp
> >snmp-server enable traps ipmulticast
> >snmp-server enable traps msdp
> >snmp-server enable traps rsvp
> >snmp-server enable traps frame-relay
> >snmp-server enable traps syslog
> >snmp-server enable traps rtr
> >snmp-server enable traps dlsw
> >snmp-server enable traps dial
> >snmp-server enable traps dsp card-status
> >snmp-server enable traps voice poor-qov
> >snmp-server enable traps xgcp
> >tacacs-server host 160.60.15.101
> >tacacs-server key hello
> >!
> >voice-port 1/0/0
> >!
> >voice-port 1/0/1
> >!
> >dial-peer cor custom
> >!
> >!
> >!
> >!
> >privilege configure level 5 snmp-server community * ro
> >privilege configure level 5 snmp-server community * rw
> >privilege configure level 5 snmp-server enable traps *
> >privilege exec level 2 configure terminal
> >privilege exec level 15 disable
> >privilege exec level 5 show snmp session brief
> >privilege exec level 5 show snmp user
> >!
> >line con 0
> >authorization commands 3 no_tacacs
> >authorization commands 15 no_tacacs
> >authorization exec no_tacacs
> >login authentication no_tacacs
> >line aux 0
> >line vty 0 4
> >privilege level 3
> >authorization commands 3 lo_autho
> >authorization commands 5 lo_autho
> >authorization commands 15 lo_autho
> >authorization exec loc_autho
> >accounting commands 3 ac_tacacs
> >accounting commands 15 ac_tacacs
> >accounting exec ac_tacacs
> >login authentication loc_auth
> >
> >This happens when I try to enter enable cmd to get to exec from the console
> >connection:
> >
> >ts2>2
> >[Resuming connection 2 to r2 ... ]
> >
> >r2>en
> >Translating "en"...domain server (255.255.255.255)
> >(255.255.255.255)
> >Translating "en"...domain server (255.255.255.255)
> >% Unknown command or computer name, or unable to find computer address
> >
> >This is from telnetting from r1 :
> >
> >r1#telnet 22.22.22.22
> >Trying 22.22.22.22 ... Open
> >
> >User Access Verification
> >
> >Username: user2
> >Password:
> >
> >r2#conf t
> >Enter configuration commands, one per line. End with CNTL/Z.
> >r2(config)#?
> >Configure commands:
> >call Configure Call parameters
> >default Set a command to its defaults
> >end Exit from configure mode
> >exit Exit from configure mode
> >help Description of the interactive help system
> >no Negate a command or set its defaults
> >
> >r2(config)#
> >
> >r1#telnet 22.22.22.22
> >Trying 22.22.22.22 ... Open
> >
> >User Access Verification
> >
> >Username: user5
> >Password:
> >
> >r2#conf t
> >Enter configuration commands, one per line. End with CNTL/Z.
> >r2(config)#?
> >Configure commands:
> >call Configure Call parameters
> >default Set a command to its defaults
> >end Exit from configure mode
> >exit Exit from configure mode
> >help Description of the interactive help system
> >no Negate a command or set its defaults
> >
> >r2(config)#snmp ?
> >% Unrecognized command
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73618&t=73618
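
The two points raised in the reply above (an exec command moved above the level a line starts at, and local users with no explicit privilege) can be checked before a configuration is applied. The following is an added example, not part of the original thread: the sample configuration is constructed, the function names are hypothetical, and the model is simplified (a line without "privilege level" is assumed to start at level 1, and per-user privilege is not applied to the line's level).

```python
import re

# Constructed excerpt modelled on the configuration quoted in this thread;
# "privilege exec level 2 enable" is the line the reply names as the cause.
SAMPLE = """\
username user2 password 0 hello
username user5 privilege 5 password 0 hello
privilege exec level 2 enable
privilege exec level 5 show snmp user
line con 0
 login authentication no_tacacs
line vty 0 4
 privilege level 3
 login authentication loc_auth
"""

def parse(config):
    """Return (moved exec commands, starting level per line, privilege per user)."""
    moved, lines, users, current = {}, {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if m := re.match(r"privilege exec level (\d+) (.+)", text):
            moved[m.group(2)] = int(m.group(1))
        elif m := re.match(r"username (\S+)(?: privilege (\d+))?", text):
            users[m.group(1)] = int(m.group(2)) if m.group(2) else None
        elif re.match(r"line (con|aux|vty) ", text):
            current = text
            lines[current] = 1  # assumption: no "privilege level" means level 1
        elif current and (m := re.match(r"privilege level (\d+)", text)):
            lines[current] = int(m.group(1))
    return moved, lines, users

def unreachable(config):
    """Map each line to the relocated exec commands above its starting level."""
    moved, lines, _ = parse(config)
    return {line: sorted(c for c, need in moved.items() if need > lvl)
            for line, lvl in lines.items()}

def enable_lockouts(config):
    """Lines where a session cannot run 'enable' to raise its own level."""
    return [line for line, cmds in unreachable(config).items() if "enable" in cmds]

def users_without_privilege(config):
    """Local users with no 'privilege N' keyword on their username line."""
    return sorted(u for u, lvl in parse(config)[2].items() if lvl is None)

if __name__ == "__main__":
    print("enable unreachable on:", enable_lockouts(SAMPLE))
    print("users with no explicit privilege:", users_without_privilege(SAMPLE))
```
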

