9 Replies Latest reply: Sep 7, 2012 10:11 AM by Sherbini

    username/secret   vs   username/privilege 1/secret

    Sherbini

      Hi there,

      We know that username/secret password protects the user exec mode (Router> prompt) at level 1.

      Does the command username privilege 1 secret then make any sense?

        • 1. Re: username/secret   vs   username/privilege 1/secret
          snickered

          Interesting, I've never thought about that.  It doesn't look like it on my IOS.  It doesn't even show the privilege level in the running config.

           

          R1(config)#username cisco456 privilege 1 secret cisco456
          R1(config)#do sh run | i user
          username cisco123 privilege 15 secret 4 1wLgDhbOLsU0GdsP0B9e5YU2KA7gxZujqOLWf0j48q6
          username cisco456 secret 4 X/3kH1/C8zYHwxsGf8rHwV7Et/Nh0igz8m2UBXsQ7JE
          

          Be sure you use an enable password if you do this.  I've found that by default the later IOSs allow anyone to 'enable' by default.  The equivalent of 'aaa authentication enable none' in earlier IOS versions.  E.g.:

           

          R1#sh run | i aaa|user
          aaa new-model
          aaa authentication login default local
          aaa authorization exec default local
          aaa session-id common
          username cisco123 privilege 15 secret 4 1wLgDhbOLsU0GdsP0B9e5YU2KA7gxZujqOLWf0j48q6
          username cisco456 secret 4 X/3kH1/C8zYHwxsGf8rHwV7Et/Nh0igz8m2UBXsQ7JE
          

           

          User Access Verification
          
          Username: cisco123
          Password:
          
          R1#
          

          And the scary one!

           

          User Access Verification
          
          Username: cisco456
          Password:
          
          R1>en
          R1#
          
          • 2. Re: username/secret   vs   username/privilege 1/secret
            just plain old Kev

            I don't think it will have any effect at all, since level 1 is user exec mode, and level 15 is privilege exec -- I think the only customizations you can do are with levels 2-14.

             

            Sorry, I had to look that up...

             

            0 is user,

            1-14 custom

            15 is priv exec.

            • 3. Re: username/secret   vs   username/privilege 1/secret
              Sherbini

              Well, I appreciate your reply. However, I'm going to wait for more opinions.

              Because Cisco did not do it for nothing. There must be a reason.

              • 4. Re: username/secret   vs   username/privilege 1/secret
                just plain old Kev

                I wasn't really offering that as an answer.

                I'm as curious as you.

                Sorry, that was not a helpful link either; I just read it.

                • 5. Re: username/secret   vs   username/privilege 1/secret
                  Sherbini

                  Do you think that username/privilege 1/secret is only useful on later IOSs?

                  • 6. Re: username/secret   vs   username/privilege 1/secret
                    Sherbini

                    No Kev, you were right.

                    By default, the Cisco IOS CLI has two levels of access to commands:

                    user EXEC mode (level 1) and

                    privileged EXEC mode (level 15).

                    http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfpass.html

                     

                    Moreover, I made this drawing:

                    [image: pri lev.JPG]

                     

                    Please, members... don't ignore my question... the main subject of this discussion.

                    • 7. Re: username/secret   vs   username/privilege 1/secret
                      just plain old Kev

                      That's what I thought, then I doubted myself.  So I fired up my Jeremy C. security nuggets and he explicitly stated 0 as user, 1-14 as custom, 15 as priv. exec.

                       

                      Grrrrr....this is what I mean about clear, consistent explanations of this topic.

                       

                      So now I'm going over my old 640-553 materials and it's fuzzy at best in this area.

                       

                      Also, lets be clear about what we are talking about - the older priv levels way of doing this, or the newer "role based" cli view style, so there is minimum confusion.

                       

                      What I'm trying to figure out right now is, with the older way of doing it, you can pick a level AND then associate commands with that level.  Do you know how that works?

                       

                      Is there already a subset of commands associated with each custom level (2-14) ?

                       

                      For example, if I make a user account and assign random levels I get different results... e.g. if I assign priv 5, then log in with that account, it puts me right into priv exec mode.  I haven't tested this on each level.

                       

                      I'm feeling a little stupid right now.

                       

                      My understanding of level 0 was that it was super restricted, way more than default user level 1 - please let me know about any good docs you may find.

                       

                      Kev

                      • 8. Re: username/secret   vs   username/privilege 1/secret
                        just plain old Kev

                        (nice drawing btw...)

                         

                        Hydir, beware of PT; it seems to have buggy behaviour in this area.

                         

                        I wanted to test the default behaviour of the user levels 2-14, so I configured this:

                         

                        !
                        username kevin10 privilege 10 password 0 kevin
                        username kevin11 privilege 11 password 0 kevin
                        username kevin12 privilege 12 password 0 kevin
                        username kevin13 privilege 13 password 0 kevin
                        username kevin14 privilege 14 password 0 kevin
                        username kevin2 privilege 2 password 0 kevin
                        username kevin3 privilege 3 password 0 kevin
                        username kevin4 privilege 4 password 0 kevin
                        username kevin5 privilege 5 password 0 kevin
                        username kevin6 privilege 6 password 0 kevin
                        username kevin7 privilege 7 password 0 kevin
                        username kevin8 privilege 8 password 0 kevin
                        username kevin9 privilege 9 password 0 kevin
                        !

                         

                        The only router config I added was line con 0 local login.

                         

                        Whichever user I log in as the result is:

                         

                        Router#
                        Router#conf t
                                    ^
                        % Invalid input detected at '^' marker.

                        Router#en
                        Router#conf t
                        Enter configuration commands, one per line.  End with CNTL/Z.
                        Router(config)#

                        So all levels (by default) take you directly to privilege exec mode (odd), but to REALLY be in PE mode you have to enter enable again... must be a bug.

                        ...experimentation continues on real routers...


                        • 9. Re: username/secret   vs   username/privilege 1/secret
                          Sherbini

                          No one knows the difference?
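The script below is an added example and is not code from this thread or from Cisco. It audits a running-config for the two things the thread turns on: reply 1's observation that a level-1 user could reach R1# with a bare 'enable' on a box with aaa new-model but no enable authentication configured, and replies 7 and 8's question of how commands get attached to the custom levels 2-14. It also shows why 'username x secret' and 'username x privilege 1 secret' look the same in 'show run': a missing privilege keyword is parsed as level 1. Both configs are constructed here: WEAK_CONFIG follows the 'sh run | i aaa|user' output in reply 1 with the secret 4 hashes replaced by placeholders; HARDENED_CONFIG is an assumed fix, and its 'helpdesk' user and 'privilege exec level 5' lines are hypothetical. The regexes only cover the username and privilege forms that appear in this thread.

```python
"""Audit an IOS running-config for the privilege-level points raised in this thread.

Added example (not from the thread or from Cisco). The configs are constructed:
WEAK_CONFIG mirrors reply 1's output with hashes replaced; HARDENED_CONFIG is an
assumed fix whose 'helpdesk' user and level-5 command lines are hypothetical.
"""
import re

# Constructed from reply 1's running-config; '<hash>' stands in for the real secret 4 hashes.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
username cisco123 privilege 15 secret 4 <hash>
username cisco456 secret 4 <hash>
"""

# Assumed hardened form: an enable secret, 'enable' authenticated against it, and a
# hypothetical level-5 helpdesk user with two EXEC commands moved down to level 5.
HARDENED_CONFIG = """\
enable secret 5 <hash>
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
aaa session-id common
username cisco123 privilege 15 secret 4 <hash>
username cisco456 privilege 1 secret 4 <hash>
username helpdesk privilege 5 secret 4 <hash>
privilege exec level 5 show running-config
privilege exec level 5 clear counters
"""

# Only the 'username NAME [privilege N] secret|password ...' forms seen in the thread.
USERNAME_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? (?:secret|password)\b")
PRIV_EXEC_RE = re.compile(r"^privilege exec (?:all )?level (\d+) (.+)$")


def user_levels(config):
    """Return {username: privilege level}. A missing 'privilege' keyword means level 1,
    which is why 'username x secret' and 'username x privilege 1 secret' are stored,
    and displayed by 'show run', identically."""
    levels = {}
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            levels[m.group(1)] = int(m.group(2) or 1)
    return levels


def relevelled_exec_commands(config):
    """Return [(command, level)] for EXEC commands explicitly moved to a level."""
    commands = []
    for line in config.splitlines():
        m = PRIV_EXEC_RE.match(line.strip())
        if m:
            commands.append((m.group(2), int(m.group(1))))
    return commands


def accessible_commands(config, username):
    """Re-levelled EXEC commands USERNAME can run: its level must be >= the command's.
    Commands never re-levelled keep their IOS defaults, which this example does not model."""
    level = user_levels(config).get(username, 1)
    return [cmd for cmd, cmd_level in relevelled_exec_commands(config) if level >= cmd_level]


def audit(config):
    """Return a list of findings; an empty list means none of the checks fired."""
    lines = [line.strip() for line in config.splitlines()]
    aaa = "aaa new-model" in lines
    findings = []
    if not any(line.startswith("enable secret") for line in lines):
        findings.append("no 'enable secret' configured")
    if aaa and not any(line.startswith("aaa authentication enable default") for line in lines):
        # Reply 1 shows a level-1 user reaching 'R1#' with a bare 'enable' on such a box.
        findings.append("aaa new-model without 'aaa authentication enable default'")
    if aaa and not any(line.startswith("aaa authorization exec default") for line in lines) \
            and any(level > 1 for level in user_levels(config).values()):
        # With AAA on, the username's privilege is applied at login through exec authorization.
        findings.append("users above level 1 but no 'aaa authorization exec default'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, user_levels(cfg), audit(cfg))
    print("helpdesk can run:", accessible_commands(HARDENED_CONFIG, "helpdesk"))
```

Run it against a saved 'show running-config' to get the findings list; on the weak config it reports the missing enable secret and the missing enable authentication method list, and on the hardened one it reports nothing and shows the level-5 user getting exactly the two re-levelled commands while cisco456 at level 1 gets none.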