
Setting Cisco IOS Passwords 2

Status: Not open for further replies.

starbrad

IS-IT--Management
Mar 11, 2009
I know there is probably a very simple answer to this question, but whatever I am doing isn't working for me. For my router I have 3 logins, an admin account and 2 user accounts. What I would like is when you login with the admin account, it just takes you to global exec, then you need to enter in the enable password afterwards to access privileged exec mode. However, what my router is doing is when I go to login, I enter in the username as admin and when I enter in the password for the admin account, it goes directly to privileged exec, bypassing the enable password. I've tried creating a couple of test accounts, but they as well bypass the global exec. And, yes, I have entered in the following:

(config)#enable secret ****

Does anyone know why it's bypassing the global exec mode?

Here are some sections of my config:

security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
enable secret 5 ****

aaa authentication login xauth_list local
aaa authentication login local_auth local


username admin password 7 ****

Thanks.

Brad
 
Hello
Please post the complete conf.
Regards
 
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
enable secret 5 *****
enable password 7 *****

!
aaa new-model
!
!
aaa authentication login xauth_list local
aaa authentication login local_auth local
!
aaa session-id common
clock timezone
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no ip source-route
no ip gratuitous-arps
!
!
!
!
ip cef
ip domain name ROUTER
ip name-server x.x.x.x
ip name-server x.x.x.x
no ip bootp server
ip inspect name fw1 tcp
ip inspect name fw1 udp
ip inspect name fw1 ftp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
username admin password 7 ****
username USER1 privilege 15 secret 5 *****
username USER2 privilege 15 password 7 *****
!
!
ip tcp path-mtu-discovery
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key vpn1tunnels address x.x.x.x
crypto isakmp key vpn2tunnels address x.x.x.x
crypto isakmp keepalive 60 5
!
!
crypto ipsec transform-set rtp esp-3des esp-md5-hmac
!
crypto map rtp local-address FastEthernet0
crypto map rtp 10 ipsec-isakmp
set peer x.x.x.x
set transform-set rtp
match address 100
crypto map rtp 20 ipsec-isakmp
set peer x.x.x.x
set transform-set rtp
match address 101
!

[INTERFACE INFORMATION]

!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
line 1
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login authentication local_auth
transport output telnet
line vty 0 4
privilege level 15
login authentication local_auth
transport input telnet ssh
!
 
First might be wrong; try this.

aaa authentication enable default group enable
 
line vty 0 4
privilege level 15

If you are connecting via telnet you are assigning yourself priv 15 when you connect. Remove the above statement and it should work correctly.
 
I got it to work. It was actually a combination of both of your answers that I needed:

aaa authorization exec local_author local

line vty 0 4
access-class 23 in
privilege level 15
authorization exec local_author
login authentication local_auth
transport input ssh

That combination worked and now privileged exec mode is locked out.

Thanks for all your help, much appreciated.

Brad
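The root cause in this thread is a router that grants privilege 15 at login time, either by `privilege level 15` on a `line` with no exec authorization, or by `username ... privilege 15`, so the enable secret is never consulted. The script below is an added example, not code from the thread or from Cisco: it audits an IOS running-config text for exactly those settings and for a missing `enable secret`. Both sample configs are constructed from the fragments posted above (hash values are placeholders), and the rule that a `line` block's `privilege level` is only a problem when the block carries no `authorization exec` follows the outcome Brad reported, not a vendor reference.

```python
"""Audit a Cisco IOS running-config for settings that drop a login straight into
privileged EXEC, bypassing the enable secret. Added example for the thread above;
the sample configs are constructed, and the hash values are placeholders."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    code: str     # short identifier for the kind of problem
    lineno: int   # 1-based line in the config text (0 = applies to whole config)
    text: str     # offending config line, or a summary


USERNAME_RE = re.compile(r"^username\s+(\S+)\s+.*\bprivilege\s+(\d+)\b")
LINE_RE = re.compile(r"^line\s+(.+)$")
PRIV_RE = re.compile(r"^\s*privilege\s+level\s+(\d+)\b")
AUTHZ_RE = re.compile(r"^\s*authorization\s+exec\s+\S+")


def split_line_blocks(lines):
    """Yield (block_name, [(lineno, text), ...]) for each 'line ...' block.

    A block ends at '!' or at the next 'line ...' header. The config pasted in
    the thread does not indent sub-commands, so indentation is not relied on.
    """
    name, body = None, []
    for n, raw in enumerate(lines, 1):
        text = raw.rstrip()
        header = LINE_RE.match(text)
        if header or text.startswith("!"):
            if name is not None:
                yield name, body
            name, body = (header.group(1), []) if header else (None, [])
            continue
        if name is not None:
            body.append((n, text))
    if name is not None:
        yield name, body


def audit_ios_config(config_text):
    """Return a list of Findings; an empty list means no login-time privilege escalation."""
    lines = config_text.splitlines()
    findings = []

    has_enable_secret = any(l.startswith("enable secret") for l in lines)
    if not has_enable_secret:
        findings.append(Finding("NO_ENABLE_SECRET", 0, "no 'enable secret' configured"))

    for n, text in enumerate(lines, 1):
        # Type 7 'enable password' next to a secret: the secret wins, but the
        # type 7 string is reversible and adds nothing.
        if text.startswith("enable password") and has_enable_secret:
            findings.append(Finding("ENABLE_PASSWORD_ALONGSIDE_SECRET", n, text))
        m = USERNAME_RE.match(text)
        if m and int(m.group(2)) > 1:
            # Per-user privilege > 1 is applied at login once exec authorization runs.
            findings.append(Finding("USER_PRIV_AT_LOGIN", n, text))

    for name, body in split_line_blocks(lines):
        # Assumption (from the thread's outcome): with 'authorization exec' on the
        # line, the user's own privilege applies instead of the line's level.
        authz = any(AUTHZ_RE.match(t) for _, t in body)
        for n, t in body:
            m = PRIV_RE.match(t)
            if m and int(m.group(1)) > 1 and not authz:
                findings.append(Finding("LINE_PRIV_NO_EXEC_AUTHZ", n, f"line {name}: {t}"))
    return findings


# Constructed from the original post: vty grants level 15 with no exec authorization.
WEAK_CONFIG = """\
aaa new-model
enable secret 5 $1$PLACEHOLDERHASH
enable password 7 PLACEHOLDER7
aaa authentication login local_auth local
username admin password 7 PLACEHOLDER7
username USER1 privilege 15 secret 5 $1$PLACEHOLDERHASH
line con 0
exec-timeout 5 0
login authentication local_auth
line vty 0 4
privilege level 15
login authentication local_auth
transport input telnet ssh
!"""

# Constructed from Brad's working config: exec authorization added, admin has no privilege 15.
FIXED_CONFIG = """\
aaa new-model
enable secret 5 $1$PLACEHOLDERHASH
aaa authentication login local_auth local
aaa authorization exec local_author local
username admin password 7 PLACEHOLDER7
line con 0
exec-timeout 5 0
login authentication local_auth
line vty 0 4
access-class 23 in
privilege level 15
authorization exec local_author
login authentication local_auth
transport input ssh
!"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_ios_config(cfg))
```

Run it against the output of `show running-config` saved to a file. On the weak sample it reports the type 7 enable password, the level-15 username, and the vty line; on the fixed sample it reports nothing, because `authorization exec local_author` now decides the level at login. Dropping `privilege level 15` from the vty line altogether, as the second reply suggests, is the simpler way to reach the same state.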
 