11 Replies Latest reply: Dec 3, 2019 7:41 AM by DavidJ

    How to Remove Privileged Mode Password

    DavidJ

      How do you remove the Enable mode password so that you don't have to log into user mode and then Enable mode?

        I don't know how this happened and maybe it was a Tech adding updates, but I have three out of 12 switches that when you try to log in you have to enter both a user password and a privileged mode password.  The privileged password is the same for all three switches and is not tied to a single user.

        Luckily I know the password.  It's not a password tied to a user, it's a password to get into the Enable mode.

       

      I've compared line by line on switches that don't need the extra password with switches that do and can't find any additional commands that would add the generic password.

        All username lines are identical between switches yet only three switches have this problem.

       

      Any suggestions on how to fix this so that all you need is to log in with one password from the username string?

        • 1. Re: How to Remove Privileged Mode Password
          George

          Hello,

           

          Test with the command:

          no enable secret level 15


          bye.

          • 2. Re: How to Remove Privileged Mode Password
            Rob

            Hi,

             

            You can use the command "username Santa privilege 15 secret Xmas2019" (of course, choose a better password).

            And apply the command "login local" under line con 0 and line vty 0 4.

            But in my opinion this is not a good idea for security reasons... You should apply the principle of least privilege.


             

            • 3. Re: How to Remove Privileged Mode Password
              Martin

              I like that idea of Santa with Xmas as the password.

              • 4. Re: How to Remove Privileged Mode Password
                Juergen Ilse CCNA R&S

                Martin wrote:

                 

                I like that idea of Santa with Xmas as the password.

                But it may be useful (to be secure for a longer time) to choose "Xmas2020" instead of "Xmas2019" as the password ...

                 

                • 5. Re: How to Remove Privileged Mode Password
                  Dave

                  Why would you?

                  • 6. Re: How to Remove Privileged Mode Password
                    Daniel

                    Hi DavidJ,

                     

                    As I understood it... you have 3 switches that suddenly request a username and a password instead of just a password?

                    And on top of that, you have to cycle through the privilege modes?

                    Any suggestions on how to fix this so that all you need is to log in with one password from the username string?

                     

                    You can always configure the switch to authenticate into a default privilege of 15 using a password.

                    line con 0
                     privilege level 15
                     login
                     password SomeWeakPassword
                     exit
                    line vty 0 4
                     privilege level 15
                     login
                     password SomeWeakPassword
                     exit
                    line vty 0 15
                     privilege level 15
                     login
                     password SomeWeakPassword
                     exit

                     

                    You might still need to type a password to get to privilege level 15, that's usually your "enable secret mySecret" configuration.

                     

                    So maybe check your VTY-configuration and see if anything changed there?

                    There is also a default behavior change between IOS-releases, so have you checked the IOS-releases on your switches?

                    Last but not least, there is a difference between Telnet and SSH so are you using the same transport-input? (SSH will ask for username/password)

                     

                    -HTH

                    Daniel

                    • 7. Re: How to Remove Privileged Mode Password
                      DavidJ

                      Daniel,

                      Maybe I'm getting the verbiage wrong so let me try to explain.  The normal behavior when I log in using SSH is to enter username and password and I would be at the "Privileged EXEC" mode "Switch#".

                      On three switches when I log in via SSH or direct console I'm at the "User EXEC" mode.  I then have to use the enable command and enter a generic password that is the same for anyone logging into the system and raising their access level.

                      Switch> enable
                      <Enter Password>
                      Switch#

                       

                      They all have the same configurations in regards to the username and aaa syntax so I don't know why three of them would require a separate password.  They are also all the same type switch, a 3850.

                      • 8. Re: How to Remove Privileged Mode Password
                        DavidJ

                        The reason I would want to block this is because I don't want to have only one Enable Password that everyone has.

                        • 9. Re: How to Remove Privileged Mode Password
                          Ing_Percy

                          Hi!

                           

                          You could implement AAA. For example, I implemented a lab in GNS3:

                          [image: vty-router.jpg]

                          R1

                          R1(config)#username user1 privilege 15 secret cisco
                          R1(config)#username user2 privilege 10 secret ccent
                          R1(config)#aaa new-model
                          R1(config)#aaa authentication login default local
                          R1(config)#aaa authorization exec default local

                          R2

                          R2(config)#int f0/0
                          R2(config-if)#ip add 10.10.10.10 255.255.255.0
                          R2(config-if)#no shu
                          R2(config-if)#exit
                          R2(config)#no ip routing
                          R2(config)#ip default-gateway 10.10.10.1

                           

                          Testing:

                          R2#telnet 10.10.10.1
                          Trying 10.10.10.1 ... Open

                          User Access Verification

                          Username: user1
                          Password:

                          R1#show privilege
                          Current privilege level is 15
                          R1#
                          R1#exit

                          [Connection to 10.10.10.1 closed by foreign host]

                          R2#telnet 10.10.10.1
                          Trying 10.10.10.1 ... Open

                          User Access Verification

                          Username: user2
                          Password:

                          R1#show privilege
                          Current privilege level is 10

                           

                          Regards!

                          • 10. Re: How to Remove Privileged Mode Password
                            Daniel

                            Hi David,

                             

                            Don't worry about being complex. It's probably me overanalysing.

                             

                            Either way, I think you should compare your AAA configuration, as that's usually where you define what happens to authenticated users.

                            If you set up multiple users it's also possible to configure (as suggested above) which privilege level they should gain access to.

                             

                            Switches running the same IOS on the same platform with the same configuration will... believe it or not... not behave differently.

                            That's why there is a difference, and the logical places to look for differences would be:

                            - The AAA configuration.
                            - The line/TTY configurations.

                             

                            That's where you have the option to specify what privileges you will gain. In a very short version... this is how you usually tie this together:

                            AAA -> USER -> Transport Input Method

                             

                            This means that you configure your AAA for a "default privilege" based on how they authenticate. If that's not used, then you configure it with the username and password... or you can simply tell the VTY lines which privilege they should get. You can also combine these in a very flexible manner.

                             

                            I would guess that there is a difference with your AAA somehow. This is an example of AAA that will do that; in most networks your AAA would be external, and then this command will not work:

                            !
                            aaa new-model
                            aaa authentication login default local
                            aaa authorization commands 15 default if-authenticated
                            !

                             

                            For this to work you also have to create a username and a password local to the switch (examples given above, but you won't need the privilege levels).

                             

                            -HTH

                            Daniel
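An added example, not posted by anyone in this thread: a small Python script that pulls the privilege-relevant stanzas (aaa, username, enable, line) out of two IOS-style configs, applies a deliberately simplified model of how IOS picks the landing privilege (local exec authorization first, then a line's "privilege level", otherwise user EXEC), and lists the relevant lines that differ. The two sample configs and the secret hash placeholders are constructed; the model ignores external AAA servers and other corner cases.

```python
import re

# Constructed sample configs (not from the thread). GOOD drops an SSH user into
# privileged EXEC; BAD is identical except it lacks the exec authorization line.
GOOD = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username admin privilege 15 secret 5 $HASH_PLACEHOLDER
enable secret 5 $HASH_PLACEHOLDER
line vty 0 4
 login authentication default
 transport input ssh
"""
BAD = GOOD.replace("aaa authorization exec default local\n", "")

# Lines worth comparing when two switches land users at different levels.
RELEVANT = re.compile(r"^(aaa |enable |username |line |\s+(privilege|login|transport))")

def parse_sections(text):
    """Group indented child commands under their parent line (IOS layout)."""
    sections, parent = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":
            parent = line.strip()
            sections.setdefault(parent, [])
        elif parent is not None:
            sections[parent].append(line.strip())
    return sections

def landing_privilege(text, user, line="line vty 0 4"):
    """Simplified model of where IOS drops a user after login: (level, reason)."""
    s = parse_sections(text)
    m = re.search(rf"^username {re.escape(user)} privilege (\d+)", text, re.M)
    user_priv = int(m.group(1)) if m else 1
    if "aaa new-model" in s and any(k.startswith("aaa authorization exec default") for k in s):
        return user_priv, "aaa authorization exec applies the username privilege"
    for cmd in s.get(line, []):  # otherwise the line itself may set the level
        m = re.match(r"privilege level (\d+)", cmd)
        if m:
            return int(m.group(1)), f"{line} sets privilege level"
    return 1, "no exec authorization and no line privilege: user EXEC, enable needed"

def relevant_diff(a, b):
    """Privilege-relevant lines present in exactly one of the two configs."""
    pick = lambda t: {l.rstrip() for l in t.splitlines() if RELEVANT.match(l)}
    return sorted(pick(a) ^ pick(b))
```

Feed it two "show running-config" captures instead of the constructed samples to see which of the listed stanzas actually differs between the switches that prompt for enable and those that do not.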

                            • 11. Re: How to Remove Privileged Mode Password
                              DavidJ

                              George, that didn't work.  It only prevented me from logging in because there was no enable password.  I removed it and logged in using a second session.  I didn't think this would work, but I tried it "safely"....lol 

                                If you play with the enable password make sure you don't log out until you know it works.