4244 Views 9 Replies Latest reply: Sep 7, 2012 10:11 AM by Harry

username/secret   vs   username/privilege 1/secret

Sep 2, 2012 12:39 PM

Harry 163 posts since
Jun 15, 2011

Hi there,

We know that username/secret password protects the user exec mode (Router> prompt) at level 1.

Does the command username privilege 1 secret then make any sense?

  • snickered 141 posts since
    Oct 28, 2009
    1. Sep 2, 2012 8:34 PM (in response to Harry)
    Re: username/secret vs username/privilege 1/secret

    Interesting, I've never thought about that.  It doesn't look like it on my IOS.  It doesn't even show the privilege level in the running config.

     

    R1(config)#username cisco456 privilege 1 secret cisco456
    R1(config)#do sh run | i user
    username cisco123 privilege 15 secret 4 1wLgDhbOLsU0GdsP0B9e5YU2KA7gxZujqOLWf0j48q6
    username cisco456 secret 4 X/3kH1/C8zYHwxsGf8rHwV7Et/Nh0igz8m2UBXsQ7JE
    

    Be sure you use an enable password if you do this.  I've found that by default the later IOS's allow anyone to 'enable' by default.  The equivalent of 'aaa authentication enable none' in earlier IOS versions.  E.G:

     

    R1#sh run | i aaa|user
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    username cisco123 privilege 15 secret 4 1wLgDhbOLsU0GdsP0B9e5YU2KA7gxZujqOLWf0j48q6
    username cisco456 secret 4 X/3kH1/C8zYHwxsGf8rHwV7Et/Nh0igz8m2UBXsQ7JE
    

     

    User Access Verification
    
    Username: cisco123
    Password:
    
    R1#
    

    And the scary one!

     

    User Access Verification
    
    Username: cisco456
    Password:
    
    R1>en
    R1#
    
  • 2. Sep 3, 2012 1:45 AM (in response to Harry)
    Re: username/secret vs username/privilege 1/secret

    I don't think it will have any effect at all, since level 1 is user exec mode, and level 15 is privilege exec -- I think the only customizations you can do are with levels 2-14.

     

    Sorry, I had to look that up...

     

    0 is user,

    1-14 custom

    15 is priv exec.

     

     

     

    Message was edited by: just plain ol' Kev

  • 4. Sep 3, 2012 1:28 PM (in response to Harry)
    Re: username/secret vs username/privilege 1/secret

    Wasn't really really offering that as an answer.

     

    I'm as curious as you.

    Sorry, that was not a helpful link either, I just read it.

  • 7. Sep 3, 2012 1:26 PM (in response to Harry)
    Re: username/secret vs username/privilege 1/secret

    That's what I thought, then I doubted myself.  So I fired up my Jeremy C. security nuggets and he explicitly stated 0 as user, 1-14 as custom, 15 as priv. exec.

     

    Grrrrr....this is what I mean about clear, consistent explanations of this topic.

     

    So now I'm going over my old 640-553 materials and it's fuzzy at best in this area.

     

    Also, let's be clear about what we are talking about - the older priv levels way of doing this, or the newer "role based" cli view style, so there is minimum confusion.

     

    What I'm trying to figure out right now is with the older way of doing it, you can pick a level AND then associate commands with that level.  Do you know how that works?

     

    Is there already a subset of commands associated with each custom level (2-14) ?

     

    For example, if I make a user account and assign random levels I get different results...e.g. if I assign priv 5, then log in with that account, it puts me right into priv exec mode.  I haven't tested this on each level.

     

    I'm feeling a little stupid right now.

     

    My understanding of level 0 was that it was super restricted, way more than default user level 1 - please let me know about any good docs you may find.

     

    Kev

  • 8. Sep 3, 2012 3:16 PM (in response to Harry)
    Re: username/secret vs username/privilege 1/secret

    (nice drawing btw...)

     

    Hydir, beware of PT, it seems to have buggy behaviour in this area.

     

    I wanted to test the default behaviour of the user levels 2-14, so I configured this:

     

    !
    username kevin10 privilege 10 password 0 kevin
    username kevin11 privilege 11 password 0 kevin
    username kevin12 privilege 12 password 0 kevin
    username kevin13 privilege 13 password 0 kevin
    username kevin14 privilege 14 password 0 kevin
    username kevin2 privilege 2 password 0 kevin
    username kevin3 privilege 3 password 0 kevin
    username kevin4 privilege 4 password 0 kevin
    username kevin5 privilege 5 password 0 kevin
    username kevin6 privilege 6 password 0 kevin
    username kevin7 privilege 7 password 0 kevin
    username kevin8 privilege 8 password 0 kevin
    username kevin9 privilege 9 password 0 kevin
    !

     

    The only router config I added was line con 0 local login.

     

    Whichever user I log in as the result is:

     

    Router#
    Router#conf t
                ^
    % Invalid input detected at '^' marker.

    Router#en
    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#

     

     

     

     

    So all levels (by default) take you directly to privilege exec mode (odd), but to REALLY be in PE mode you have to enter enable again...must be a bug.

     

     

    ...experimentation continues on real routers...
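
Added example, not part of any post in this thread: a Python audit of a running-config for the conditions discussed above, namely local users whose privilege level is implicit (no `privilege` keyword means level 1), users stored with `password 0`, and the absence of any `enable secret` or `enable password` line. The sample configuration is constructed from the lines quoted in the thread with the hashes replaced by placeholders; the function and variable names are this example's own.

```python
import re

# Constructed sample, modelled on the configuration lines quoted in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username cisco123 privilege 15 secret 4 <hash-elided>
username cisco456 secret 4 <hash-elided>
username kevin5 privilege 5 password 0 kevin
"""

USER_RE = re.compile(
    r"^username\s+(?P<name>\S+)"
    r"(?:\s+privilege\s+(?P<priv>\d+))?"
    r"\s+(?P<kind>secret|password)\s+(?P<type>\d+)\s+\S+",
    re.MULTILINE,
)
ENABLE_RE = re.compile(r"^enable\s+(secret|password)\b", re.MULTILINE)


def audit(config: str) -> dict:
    """Return local users with their effective privilege level, plus findings."""
    users, findings = [], []
    for m in USER_RE.finditer(config):
        # 'privilege 1' is the default, so it does not appear in the running config.
        priv = int(m.group("priv")) if m.group("priv") else 1
        users.append((m.group("name"), priv))
        if m.group("kind") == "password" and m.group("type") == "0":
            findings.append(f"{m.group('name')}: cleartext (type 0) password")
        if priv > 1:
            findings.append(f"{m.group('name')}: logs in at level {priv}")
    # Without an enable credential, nothing in the config gates 'enable'.
    if not ENABLE_RE.search(config):
        findings.append("no 'enable secret' or 'enable password' configured")
    return {"users": users, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for name, priv in result["users"]:
        print(f"{name:10} level {priv}")
    for finding in result["findings"]:
        print("FINDING:", finding)
```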

     

     
