1. "privilege exec level 2 enable" is why the console doesn't allow you to enable mode. When you log in to your console in your config, you log in to a privilege level 1 shell. Since the enable command is in 2, you don't have access to it. Even if you add "aaa authorization commands 2 console none" to your console line, you will not be able to access.
2. You're missing privilege in your user commands: "username user2 privilege 2 password cisco". That should fix the 2nd issue.

>From: "Jens Petter Eikeland"
>Reply-To: "Jens Petter Eikeland"
>To: ,
>Subject: AAA/privilege problem
>Date: Wed, 6 Aug 2003 11:23:23 +0200
>
>I have played with some aaa. The aaa works fine when telnetting in to r2 *1,
>but when I try to go in directly from the terminal server on to r2 and I
>type the enable command, I have locked myself out. Why is that? Which
>command is it that is locking me out from exec mode from the console
>
>*1 It seems that user2 and user5 have the same privilege when logging in.
>What have I done wrong?... See at the bottom
>
>And also, is this the right method to put in privilege level 3 and 5 on the
>vty lines to access exec mode. If I did not put in these commands I did not
>get in to exec.
>Are there some other method I am missing
>
>r2#
>01:51:31: %SYS-5-CONFIG_I: Configured from console by consolewr t
>Building configuration...
>
>Current configuration : 4576 bytes
>!
>version 12.2
>service timestamps debug uptime
>service timestamps log uptime
>no service password-encryption
>!
>hostname r2
>!
>aaa new-model
>aaa authentication login no_tacacs none
>aaa authentication login tac_auth group tacacs+
>aaa authentication login loc_auth local
>aaa authorization exec no_tacacs none
>aaa authorization exec loc_autho local
>aaa authorization commands 3 no_tacacs none
>aaa authorization commands 3 lo_autho local
>aaa authorization commands 5 no_tacacs none
>aaa authorization commands 5 lo_autho local
>aaa authorization commands 15 no_tacacs none
>aaa authorization commands 15 lo_autho local
>aaa accounting exec ac_tacacs start-stop group tacacs+
>aaa accounting commands 3 ac_tacacs start-stop group tacacs+
>aaa accounting commands 15 ac_tacacs start-stop group tacacs+
>!
>username user2 password 0 hello
>username user5 password 0 hello
>memory-size iomem 10
>ip subnet-zero
>!
>!
>!
>!
>call rsvp-sync
>!
>!
>!
>!
>!
>!
>!
>!
>interface Loopback0
>ip address 22.22.22.22 255.255.255.0
>!
>interface Loopback1
>ip address 122.122.122.122 255.255.255.0
>!
>interface FastEthernet0/0
>ip address 150.50.22.2 255.255.255.0
>duplex auto
>speed auto
>!
>interface Serial0/0
>no ip address
>encapsulation frame-relay
>!
>interface Serial0/0.21 point-to-point
>ip address 150.50.12.2 255.255.255.0
>ip ospf message-digest-key 1 md5 hello
>ip ospf network point-to-point
>frame-relay interface-dlci 121
>!
>interface Serial0/0.24 point-to-point
>ip address 150.50.24.2 255.255.255.0
>ip ospf message-digest-key 1 md5 hello
>ip ospf network point-to-point
>frame-relay interface-dlci 124
>!
>interface Serial0/0.26 point-to-point
>ip address 150.50.26.2 255.255.255.0
>ip ospf message-digest-key 1 md5 hello
>ip ospf network point-to-point
>frame-relay interface-dlci 126
>!
>interface FastEthernet0/1
>no ip address
>shutdown
>duplex auto
>speed auto
>!
>interface Serial0/1
>no ip address
>shutdown
>!
>router ospf 100
>router-id 22.22.22.22
>log-adjacency-changes
>area 1 authentication message-digest
>area 1 virtual-link 11.11.11.11 authentication message-digest
>area 1 virtual-link 11.11.11.11 message-digest-key 1 md5 hello
>area 2 authentication message-digest
>redistribute static subnets tag 1000
>network 22.22.22.0 0.0.0.255 area 1
>network 150.50.12.0 0.0.0.255 area 1
>network 150.50.24.0 0.0.0.255 area 1
>network 150.50.26.0 0.0.0.255 area 2
>distribute-list 10 in
>!
>router bgp 4799
>no synchronization
>bgp log-neighbor-changes
>network 122.122.122.0 mask 255.255.255.0
>aggregate-address 202.202.0.0 255.255.0.0 as-set
>redistribute ospf 100 route-map ospftoas112
>neighbor 11.11.11.11 remote-as 4799
>neighbor 11.11.11.11 password hello
>neighbor 11.11.11.11 update-source Loopback0
>neighbor 11.11.11.11 route-reflector-client
>neighbor 11.11.11.11 next-hop-self
>neighbor 11.11.11.11 soft-reconfiguration inbound
>neighbor 11.11.11.11 prefix-list bgpfilter out
>neighbor 55.55.55.55 remote-as 4799
>neighbor 55.55.55.55 password hello
>neighbor 55.55.55.55 update-source Loopback0
>neighbor 55.55.55.55 route-reflector-client
>neighbor 55.55.55.55 next-hop-self
>neighbor 55.55.55.55 soft-reconfiguration inbound
>neighbor 55.55.55.55 prefix-list bgpfilter out
>neighbor 150.50.22.112 remote-as 112
>neighbor 150.50.22.112 remove-private-AS
>neighbor 150.50.22.112 soft-reconfiguration inbound
>neighbor 150.50.24.4 remote-as 65044
>neighbor 150.50.24.4 soft-reconfiguration inbound
>neighbor 150.50.24.4 prefix-list bgpfilter out
>no auto-summary
>!
>ip classless
>ip route 160.60.15.0 255.255.255.0 150.50.12.1
>ip tacacs source-interface Loopback0
>ip http server
>ip pim bidir-enable
>!
>!
>ip prefix-list bgpfilter seq 10 deny 202.202.1.0/24
>ip prefix-list bgpfilter seq 20 deny 202.202.2.0/24
>ip prefix-list bgpfilter seq 30 deny 202.202.3.0/24
>ip prefix-list bgpfilter seq 40 deny 202.202.4.0/24
>ip prefix-list bgpfilter seq 50 deny 202.202.5.0/24
>ip prefix-list bgpfilter seq 60 deny 202.202.6.0/23 le 32
>ip prefix-list bgpfilter seq 70 deny 202.202.8.0/21 le 32
>ip prefix-list bgpfilter seq 90 deny 202.202.16.0/22 le 32
>ip prefix-list bgpfilter seq 100 deny 202.202.20.0/24 le 32
>ip prefix-list bgpfilter seq 200 permit 0.0.0.0/0 le 32
>access-list 10 deny 192.168.150.0 0.0.0.255
>access-list 10 deny 10.10.77.0 0.0.0.255
>access-list 10 permit any
>access-list 20 permit 150.50.12.0 0.0.0.255
>route-map ospftoas112 permit 10
>match ip address 20
>!
>!
>snmp-server enable traps snmp authentication linkdown linkup coldstart
>warmstart
>snmp-server enable traps tty
>snmp-server enable traps isdn call-information
>snmp-server enable traps isdn layer2
>snmp-server enable traps isdn chan-not-avail
>snmp-server enable traps isdn ietf
>snmp-server enable traps hsrp
>snmp-server enable traps config
>snmp-server enable traps entity
>snmp-server enable traps envmon
>snmp-server enable traps bgp
>snmp-server enable traps ipmulticast
>snmp-server enable traps msdp
>snmp-server enable traps rsvp
>snmp-server enable traps frame-relay
>snmp-server enable traps syslog
>snmp-server enable traps rtr
>snmp-server enable traps dlsw
>snmp-server enable traps dial
>snmp-server enable traps dsp card-status
>snmp-server enable traps voice poor-qov
>snmp-server enable traps xgcp
>tacacs-server host 160.60.15.101
>tacacs-server key hello
>!
>voice-port 1/0/0
>!
>voice-port 1/0/1
>!
>dial-peer cor custom
>!
>!
>!
>!
>privilege configure level 5 snmp-server community * ro
>privilege configure level 5 snmp-server community * rw
>privilege configure level 5 snmp-server enable traps *
>privilege exec level 2 configure terminal
>privilege exec level 15 disable
>privilege exec level 5 show snmp session brief
>privilege exec level 5 show snmp user
>privilege exec level 2 enable
>!
>line con 0
>authorization commands 3 no_tacacs
>authorization commands 15 no_tacacs
>authorization exec no_tacacs
>login authentication no_tacacs
>line aux 0
>line vty 0 4
>privilege level 3
>authorization commands 3 lo_autho
>authorization commands 5 lo_autho
>authorization commands 15 lo_autho
>authorization exec loc_autho
>accounting commands 3 ac_tacacs
>accounting commands 15 ac_tacacs
>accounting exec ac_tacacs
>login authentication loc_auth
>
>This happens when I try to enter enable cmd to get to exec from the console
>connection:
>
>ts2>2
>[Resuming connection 2 to r2 ... ]
>
>r2>en
>Translating "en"...domain server (255.255.255.255)
>(255.255.255.255)
>Translating "en"...domain server (255.255.255.255)
>% Unknown command or computer name, or unable to find computer address
>
>This is from telnetting from r1 :
>
>r1#telnet 22.22.22.22
>Trying 22.22.22.22 ... Open
>
>User Access Verification
>
>Username: user2
>Password:
>
>r2#conf t
>Enter configuration commands, one per line. End with CNTL/Z.
>r2(config)#?
>Configure commands:
>call Configure Call parameters
>default Set a command to its defaults
>end Exit from configure mode
>exit Exit from configure mode
>help Description of the interactive help system
>no Negate a command or set its defaults
>
>r2(config)#
>
>r1#telnet 22.22.22.22
>Trying 22.22.22.22 ... Open
>
>User Access Verification
>
>Username: user5
>Password:
>
>r2#conf t
>Enter configuration commands, one per line. End with CNTL/Z.
>r2(config)#?
>Configure commands:
>call Configure Call parameters
>default Set a command to its defaults
>end Exit from configure mode
>exit Exit from configure mode
>help Description of the interactive help system
>no Negate a command or set its defaults
>
>r2(config)#snmp ?
>% Unrecognized command

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73610&t=73610
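
Added example, not part of the original thread: a small Python audit that checks an IOS configuration for the two conditions the reply points to, namely `enable` moved above the privilege level a line's sessions start at, and `username` entries with no `privilege` keyword. The sample text is a constructed excerpt of the quoted r2 configuration; the function name `audit` is hypothetical, and the default level of 1 for lines and usernames is an assumption about IOS defaults.

```python
import re

# Constructed excerpt of the r2 configuration quoted in the thread above.
SAMPLE_CONFIG = """\
username user2 password 0 hello
username user5 password 0 hello
privilege exec level 2 configure terminal
privilege exec level 15 disable
privilege exec level 2 enable
line con 0
authorization exec no_tacacs
login authentication no_tacacs
line aux 0
line vty 0 4
privilege level 3
login authentication loc_auth
"""

DEFAULT_LEVEL = 1  # assumption: IOS default level for a line session and a username


def audit(config):
    """Return (lines whose sessions sit below `enable`, usernames with no privilege keyword)."""
    enable_level = None      # stays None while `enable` is left at its default level
    line_levels = {}         # "line con 0" -> privilege level of sessions on that line
    implicit_users = []
    current_line = None
    for raw in config.splitlines():
        text = raw.strip()
        moved = re.fullmatch(r"privilege exec level (\d+) enable", text)
        user = re.match(r"username (\S+)(.*)", text)
        level = re.fullmatch(r"privilege level (\d+)", text)
        if moved:
            enable_level = int(moved.group(1))
        elif user and not re.search(r"\bprivilege \d+", user.group(2)):
            implicit_users.append(user.group(1))
        elif re.match(r"line (con|aux|vty)\b", text):
            current_line = text
            line_levels[current_line] = DEFAULT_LEVEL
        elif level and current_line:
            line_levels[current_line] = int(level.group(1))
    if enable_level is None:
        return [], implicit_users
    locked = [name for name, lvl in line_levels.items() if lvl < enable_level]
    return locked, implicit_users


if __name__ == "__main__":
    locked, users = audit(SAMPLE_CONFIG)
    print("lines that cannot run enable:", locked)
    print("usernames without an explicit privilege:", users)
```

Running the audit before pasting `privilege exec level ...` changes into a router shows which lines would lose `enable`, so a recovery path can be kept open on the console.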