Enable Secret password Help

[quickconnect]

I am wondering why a couple of my routers dont prompt me for the for username or enable secret passoword. Basically when I telnet to the router (1750) I am only prompted for the password and throuhs me right into enable mode??

Here is parrt of my config
logging buffered 4096 informational
enable secret 5 **********************
!
username all
username admin password 7 *******************
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
!
!
line con 0
exec-timeout 5 0
password 7 *********
login local
line aux 0
exec-timeout 5 0
password 7 **********
modem InOut
modem autoconfigure type usr_sportster
transport input all
stopbits 1
speed 115200
flowcontrol hardware
line vty 0 4
privilege level 15
password 7 ************
login
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh

 

[gwildfire]

You need to add the following



Conf t

aaa new-model

aaa authentication fail-message ^C Failed login. Try again. ^C

you have "no aaa new-model" in your running config!

username xxxxxxx password xxxxxxxx


Visit

http://www.Cisco-Engineer.com

for free Cisco rack access.

 

[lambent]

do this:

line vty 0 15
no privilege level 15
login local

 

[jneiberger]

lambent is correct--take out the "privilege level 15" command. That instructs the router to immediately place a user into "enable" mode upon logging into the router.

 

[quickconnect]

Thanks for all the help.. I have mage the changes that lambent suggested and everything is working correctly.

 

[quickconnect]

OK I have another question since I got the password thing situated. Currently im allowed to Telnet to the inside interface. How can I change it to only allow SSH ONLY.

Do I just change this from
transport input telnet ssh

to

transport input ssh

 

[lambent]

I suggest you configure SSH and test it before restricted the transport input to SSH only. So do this: (make sure your IOS support SSH)

!
ip domain-name

http://www.quickconnect.com

!
cry key generate rsa
ip ssh time-out 30
ip ssh authentication-retries 3
!
line vty 0 15
transport input telnet ssh
!

Try to SSH into your router. If success, then:

!
line vty 0 15
no transport input telnet
!

But of course if you have console access then you don't have to be so careful.

 

[quickconnect]

lambent

Thanks I will give it a try... Currently all or most of our VPN routers are international so our access is through the VPN Tunnel Via telnet or SSH...

 

[quickconnect]

Ok before I make the change I want to make sure that when I SSH into the router im not going right to enable mode. If I enter line vty 0 15 doesnt that log me into enable mode?

Currently I have line vty 0 4 so I should be able to just add Correct???
!
ip domain-name

http://www.quickconnect.com

!
cry key generate rsa
ip ssh time-out 30
ip ssh authentication-retries 3
!
line vty 0 15
transport input telnet ssh


Also is line con 0 used fpr access from the outside interface? if so I can so the same as the inside interface for SSH correct?

 

[lambent]

once you remove the "privilege level 15" it should be fine and won't go to enable mode once you login.

Yes you can just use "line vty 0 4" if you just have line 0 to 4.

"line con 0" is for console access.