Getting user-mode after logging in with aaa user at privilege 15

Had an interesting issue today.  I enabled AAA Authentication on a used Cisco 3560 switch.  I then created a user with privilege 15.  But, every time I used either telnet or SSH, I was always getting User Mode.  I wanted Privileged Mode.

Since the highest level of privilege commands is 15, I should be getting full permissions if my user is ALSO set at privilege 15, right?  Well, it does, but first there is a tiny bit of configuration that needs to happen.  First, let’s enable AAA on the device:

big-old-switch(config)# aaa new-model

Now, let’s create a user:

big-old-switch(config)# username neteng privilege 15 secret blahblahblah

Now, I have a user account with privilege level 15.  All I need to do is telnet to my device, and I’m golden, right?  Let’s do that:

[root@host ~] telnet 1.2.3.4 

Trying 1.2.3.4... 
Connected to big-old-switch (1.2.3.4). 
Escape character is '^]'. 

User Access Verification 
Username: neteng 
Password: 

big-old-switch> 

Wait, what?  Why am I not in enable mode?  I should have privilege 15, right?  Let’s check:
 
big-old-switch>show priv
Current privilege level is 1
big-old-switch>
 
Now, hold on a sec.  Cisco, have you gone stupid?  I just created a user account with privilege 15.  I know…. because I just logged in as him.  What gives?  
 

The Answer:

 
Well, for starters, I called Cisco stupid.  These devices can be *very* temperamental.  Once I got off my high horse (and asked on Twitter), I realized I didn’t have any authorization statements.  The winning statement here?
 
	
big-old-switch(config)# aaa authorization exec default local
 
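This tells the switch to authorize the exec shell through AAA using the local user database, so the session starts at the privilege level configured for the user, which, in my case, is 15.  NOW, let’s try it again!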
 
[root@host ~] telnet 1.2.3.4 
Trying 1.2.3.4... 

Connected to big-old-switch (1.2.3.4). 
Escape character is '^]'. 

User Access Verification 
Username: neteng 
Password:  

big-old-switch# 
big-old-switch#show priv 
Current privilege level is 15 
big-old-switch#
 
Eureka!  Thanks Twitter! (actually @revolutionwifi and @xanthien).  There were others, but these two got it first.  I hope this helps someone else.  I didn’t see any posts, so either I’m the only one who has had this problem, or someone just hasn’t written about it yet.  Since AAA has been around for a long time, I’m willing to bet, it’s just me having an off day.  Yeah, that’s it.  I’m getting more coffee.  
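
To catch this condition across saved configs, here is an added example (not part of the original post and not Cisco tooling) that reports vty lines where `aaa new-model` is on but no exec authorization list applies. It goes slightly beyond the post by also handling named lists referenced per line; the function name and both sample configs are constructed for illustration.

```python
import re

def audit_exec_authorization(config):
    """Return findings for vty lines where AAA is on but no exec
    authorization list applies (local privilege levels are then ignored)."""
    lines = config.splitlines()
    if not any(l.strip() == "aaa new-model" for l in lines):
        return []  # non-AAA login handling is out of scope for this check
    users = {}         # local username -> configured privilege level
    method_lists = {}  # exec authorization list name -> methods
    vty_lists, current = {}, None  # vty block -> list name it uses
    for l in lines:
        if m := re.match(r"username (\S+) privilege (\d+)\b", l):
            users[m.group(1)] = int(m.group(2))
        elif m := re.match(r"aaa authorization exec (\S+) (.+)", l):
            method_lists[m.group(1)] = m.group(2).split()
        if not l.startswith(" "):
            # Any top-level line ends the previous block.
            current = l.strip() if l.startswith("line vty") else None
            if current:
                vty_lists[current] = "default"  # used unless overridden
        elif current and (m := re.match(r"\s+authorization exec (\S+)", l)):
            vty_lists[current] = m.group(1)
    elevated = sorted(u for u, p in users.items() if p > 1)
    findings = []
    for line, name in vty_lists.items():
        if name not in method_lists:
            findings.append(f"{line}: exec authorization list '{name}' is not "
                            f"defined; users {elevated} will start at privilege 1")
    return findings

# Constructed sample configs (not taken from a real device).
BEFORE = """\
aaa new-model
username neteng privilege 15 secret 5 <hash-placeholder>
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
"""
AFTER = BEFORE.replace("aaa new-model\n",
                       "aaa new-model\naaa authorization exec default local\n")

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_exec_authorization(cfg) or "OK")
```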
 