Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!
  • Students Click Here

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here


vty privilege issue

vty privilege issue

vty privilege issue

I created a new user ( config below) that i want only priv level to be active on ssh login But when i ssh into box the user has 15 or 1. When i remove pri 15 in vty 0 15
then admin is asked for en password. how to i make it so when admin logs in it has 15 and when user jes logs in get 5?

username tert privilege 15 password 7 0509140057452A49401D16574574571C04
username admin privilege 15 password 7 0847422451E11105D75474575470F1D
username jes privilege 5 password 7 12130044410254764574570F05
aaa new-model
aaa authentication login default local
privilege interface level 5 switchport
privilege interface level 5 description
privilege configure level 5 interface
privilege exec level 5 configure terminal
privilege exec level 5 configure
privilege exec level 5 show vlan
privilege exec level 5 show running-config
privilege exec level 5 show

line con 0
access-class sshaccess in
privilege level 15
password 7 01100F54430255656E172E
logging synchronous
line vty 0 4
session-timeout 35791
timeout login response 300
privilege level 15
transport input ssh
line vty 5 15
session-timeout 35791
timeout login response 300
privilege level 15
transport input ssh

RE: vty privilege issue

add <login local> to your VTY. (Remove the priv 15 from the interface)
It will point back to the rights on the login rather than the rights set on the interface.
lose the AAA bits.
Additionally you could use all kinds of access lists to make them do whatever you want.
Google for Cisco IOS-Cookbook, I think it will help you.

and oh yeah.. don't post your passwords in Cisco7 format here if they are the real ones, there are tools out there to decode those you know?..
Preferrably replace password witch secret.

RE: vty privilege issue


thanks for response . I was lazy of removing the hash. but i did add more numbers and letters in each of them for that reason.

As for removing removing the aaa bits? I thought that is needed so i can login via telnet/ssh? I dont want to lock myself out

RE: vty privilege issue

I just tried adding login local, but i dont see it .. all i see is "login authentication default" and that did not work?

RE: vty privilege issue

Hi spivy66,
example straight from Cisco:

Configure Local User-Specific Passwords

To establish a username-based authentication system, use the username command in global configuration mode. To enable password checking at login, use the login local command in line configuration mode.

Configuration Procedure

In this example, passwords are configured for users attempting to connect to the router on the VTY lines using Telnet.
From the privileged EXEC (or "enable") prompt, enter configuration mode and enter username/password combinations, one for each user for whom you want to allow access to the router:

router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#username russ password montecito
router(config)#username cindy password belgium
router(config)#username mike password rottweiler

Switch to line configuration mode, using the following commands. Notice that the prompt changes to reflect the current mode.

router(config)#line vty 0 4
Configure password checking at login.

router(config-line)#login local

Exit configuration mode.

%SYS-5-CONFIG_I: Configured from console by console

As for AAA, you had half a config, you can use, but don't need the AAA-new statement.
This is required when using Tacacs or Radius authentication.

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close