
vty privilege issue


spivy66

MIS
Nov 8, 2002
I created a new user (config below) that I want only priv level to be active on ssh login, but when I ssh into the box the user has 15 or 1. When I remove priv 15 in vty 0 15,
then admin is asked for the enable password. How do I make it so that when admin logs in it has 15 and when user jes logs in it gets 5?


username tert privilege 15 password 7 0509140057452A49401D16574574571C04
username admin privilege 15 password 7 0847422451E11105D75474575470F1D
username jes privilege 5 password 7 12130044410254764574570F05
aaa new-model
!
!
aaa authentication login default local
privilege interface level 5 switchport
privilege interface level 5 description
privilege configure level 5 interface
privilege exec level 5 configure terminal
privilege exec level 5 configure
privilege exec level 5 show vlan
privilege exec level 5 show running-config
privilege exec level 5 show

line con 0
 access-class sshaccess in
 privilege level 15
 password 7 01100F54430255656E172E
 logging synchronous
line vty 0 4
 session-timeout 35791
 timeout login response 300
 privilege level 15
 transport input ssh
line vty 5 15
 session-timeout 35791
 timeout login response 300
 privilege level 15
 transport input ssh

Add <login local> to your VTY (remove the priv 15 from the interface).
It will point back to the rights on the login rather than the rights set on the interface.
Lose the AAA bits.
Additionally, you could use all kinds of access lists to make them do whatever you want.
Google for the Cisco IOS Cookbook; I think it will help you.


And oh yeah... don't post your passwords in Cisco type 7 format here if they are the real ones; there are tools out there to decode those, you know?
Preferably replace password with secret.
 
Telcoguy,

Thanks for the response. I was lazy about removing the hash, but I did add more numbers and letters to each of them for that reason.

As for removing the aaa bits? I thought that was needed so I can log in via telnet/ssh? I don't want to lock myself out.
 
I just tried adding login local, but I don't see it... all I see is "login authentication default", and that did not work?


 
Hi spivy66,
Example straight from Cisco:


Configure Local User-Specific Passwords

To establish a username-based authentication system, use the username command in global configuration mode. To enable password checking at login, use the login local command in line configuration mode.

Configuration Procedure

In this example, passwords are configured for users attempting to connect to the router on the VTY lines using Telnet.
1. From the privileged EXEC (or "enable") prompt, enter configuration mode and enter username/password combinations, one for each user for whom you want to allow access to the router:

router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#username russ password montecito
router(config)#username cindy password belgium
router(config)#username mike password rottweiler

2. Switch to line configuration mode, using the following commands. Notice that the prompt changes to reflect the current mode.

router(config)#line vty 0 4
router(config-line)#

3. Configure password checking at login.

router(config-line)#login local

4. Exit configuration mode.

router(config-line)#end
router#
%SYS-5-CONFIG_I: Configured from console by console


As for AAA, you had half a config; you can use it, but you don't need the aaa new-model statement.
That is required when using TACACS or RADIUS authentication.
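As an added example (not from the thread or from Cisco's documentation), here is the posted config reduced to the pieces that decide the privilege level, with the correction that gives admin level 15 and jes level 5 over SSH. It assumes the box keeps aaa new-model as posted; under aaa new-model the line rejects login local (hence "all I see is login authentication default"), so the per-username level is applied with aaa authorization exec default local instead. The secret values are placeholders, and the sshaccess ACL from the original is left out because the thread never defines it.

```cisco
! Added example; not the thread's own config. Placeholder secrets only.
!
! --- As posted: the line-level privilege wins over the username ---
! line vty 0 15
!  privilege level 15      <- every authenticated user lands at 15;
!                            removing it drops everyone to level 1
!
! --- Corrected ---
aaa new-model
aaa authentication login default local
! Without exec authorization, aaa new-model ignores the privilege
! level set on the username (the "15 or 1" symptom in the thread).
aaa authorization exec default local
!
! Use secret (MD5 hash) instead of the reversible password 7 form.
username admin privilege 15 secret REPLACE_WITH_ADMIN_SECRET
username jes privilege 5 secret REPLACE_WITH_JES_SECRET
!
! Level-5 command set as posted in the thread.
privilege exec level 5 show
privilege exec level 5 show running-config
privilege exec level 5 show vlan
privilege exec level 5 configure
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 description
privilege interface level 5 switchport
!
line vty 0 15
 ! No "privilege level 15" here: the level now comes from the username.
 ! "login local" is not accepted under aaa new-model; the line uses the
 ! default AAA login method list, which the aaa lines above map to local.
 login authentication default
 transport input ssh
```

After applying it, "show privilege" from a jes session should report level 5 and from an admin session level 15, without an enable prompt.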
 