Privilege 15 login not working?

just2cool

Hello, I can't seem to get privilege 15 working on a Cisco 3750G switch. It doesn't even matter if I disable ssh and enable telnet instead -- it still doesn't work.

Here are sections of the run config that matter:

phys#sh run | i username
username admin secret 5 <PASSWORD>
username justin privilege 15 secret 5 <PASSWORD>

I'd imagine that something is missing here:
phys#sh run | i aaa
aaa new-model
aaa session-id common

phys#sh run | b vty 0 4
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
end

Login with justin via ssh gives me:
phys>sh priv
Current privilege level is 1
phys>

I don't feel like doing this every time:
phys>en
Password:
phys#

I'm pulling my hair out...and I know that I must be doing something really stupid. I'm still rather new to Cisco equipment, but I should be able to do this! Any ideas?
 
Can you do that without an AAA server and users and levels defined in there?
 
aaa authentication login local_authen local
aaa auhtorization exec local_author local
 
That's a pretty silly thing to do, with regard to security (if someone gets the password to your 'justin' account they also have privilege on your router... two *different* passwords to compromise make it more difficult). Let me guess, you log into your workstation as a domain admin too, right?
 
I ran into this same thing a few months back and could not figure it out. I was trying to create a helpdesk local user with privilege level 5 and a limited command set. I knew it was because of AAA because if I disabled AAA then it worked.

just2cool, I am interested in finding out if the commands cb9fl posted solve your problem.
 
That's a pretty silly thing to do, with regard to security (if someone gets the password to your 'justin' account they also have privilege on your router... two *different* passwords to compromise make it more difficult). Let me guess, you log into your workstation as a domain admin too, right?

Well, no. I know it looks like I'm just going to create an admin account. But in reality, I was just surprised that it wouldn't let me use anything above priv 1, including priv 15, even though I explicitly defined it. My intent was to try to come up with lower privs similar to Bean Dip since this will be managed by several new people.

Anyhow, those aaa commands didn't work. And yes, I fixed the typo in the second one, but still no dice.

Any other ideas? I guess I need an external RADIUS server?
 
Hmm. I seem to have fixed it and it was very close to cb9fl's suggestion.

Two commands:
aaa authentication login default local enable
aaa authorization exec default local if-authenticated

Users:
phys#sh run | i user
username user5 privilege 5 secret 5 <PASSWORD>
username user15 privilege 15 secret 5 <PASSWORD>

Test:
$ ssh user5@phys
user5@phys's password:

phys#sh priv
Current privilege level is 5
phys#conf t
^
% Invalid input detected at '^' marker.

phys#logo
Connection to phys closed.

$ ssh user15@phys
user15@phys's password:

phys#conf t
Enter configuration commands, one per line. End with CNTL/Z.
phys(config)#^Z
phys#logo
Connection to phys closed.


Much more information:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/secsols/aaasols/c262c2.htm
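The thread above shows the pitfall from three angles: with `aaa new-model` on and nothing else, login still works (IOS falls back to local login) but no exec authorization runs, so the `privilege 15` on the username is never applied and the session starts at level 1; cb9fl's named lists (`local_authen`, `local_author`) do not help by themselves, because a named method list only takes effect on a line that references it (`login authentication local_authen` / `authorization exec local_author`), whereas the `default` list applies to every line automatically; and once `aaa authorization exec default local if-authenticated` is present, the username's privilege level is honoured. The following audit script is an added example, not anything from the thread or from Cisco: it parses `show running-config` text and reports which of those conditions holds, with constructed configs (secrets replaced by placeholders) standing in for the thread's devices.

```python
"""Audit a Cisco IOS running-config for the local-AAA privilege-level pitfall.

Hypothetical audit script (not Cisco tooling). It reads 'show running-config'
text, tolerates stripped indentation, and explains why 'username ... privilege 15'
can still land a user at privilege level 1 under 'aaa new-model'.
"""
import re

LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
EXEC_RE = re.compile(r"^aaa authorization exec (\S+) (.+)$")
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?")
LINE_RE = re.compile(r"^line ((?:con|aux|vty) \d+(?: \d+)?)$")
# A line starting with one of these at column 0 ends a 'line ...' block.
TOP_LEVEL = ("aaa ", "username ", "interface ", "line ", "end")


def parse_config(text):
    """Collect the AAA facts the audit needs from running-config text."""
    cfg = {"new_model": False, "login_lists": {}, "exec_lists": {},
           "users": {}, "lines": [], "line_login": {}, "line_exec": {}}
    section = None  # name of the 'line ...' block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if section and not line.startswith(TOP_LEVEL):
            # Sub-command of a line block: only the AAA bindings matter here.
            if line.startswith("login authentication "):
                cfg["line_login"][section] = line.split()[-1]
            elif line.startswith("authorization exec "):
                cfg["line_exec"][section] = line.split()[-1]
            continue
        section = None
        if line == "aaa new-model":
            cfg["new_model"] = True
        elif m := LOGIN_RE.match(line):
            cfg["login_lists"][m.group(1)] = m.group(2).split()
        elif m := EXEC_RE.match(line):
            cfg["exec_lists"][m.group(1)] = m.group(2).split()
        elif m := USER_RE.match(line):
            cfg["users"][m.group(1)] = int(m.group(2) or 1)  # IOS default is level 1
        elif m := LINE_RE.match(line):
            section = m.group(1)
            cfg["lines"].append(section)
    return cfg


def audit_config(text):
    """Return findings; entries prefixed 'info:' are advisory, the rest are defects."""
    cfg = parse_config(text)
    if not cfg["new_model"]:
        return ["aaa new-model absent: this check covers AAA-enabled lines only"]
    findings = []
    for name in cfg["lines"]:
        login = cfg["line_login"].get(name)
        if login and login not in cfg["login_lists"]:
            findings.append(f"{name}: login list '{login}' applied but never defined")
        exec_list = cfg["line_exec"].get(name, "default")
        if exec_list not in cfg["exec_lists"]:
            findings.append(f"{name}: no exec authorization ('{exec_list}' undefined); "
                            "username privilege levels are ignored, users start at level 1")
    # Named method lists do nothing until a line references them; only 'default' is automatic.
    applied = set(cfg["line_login"].values()) | set(cfg["line_exec"].values()) | {"default"}
    for kind, lists in (("login", cfg["login_lists"]), ("exec", cfg["exec_lists"])):
        for unused in sorted(set(lists) - applied):
            findings.append(f"aaa {kind} list '{unused}' defined but applied to no line; "
                            "only 'default' applies automatically")
    if not findings:
        direct = sorted(u for u, lvl in cfg["users"].items() if lvl == 15)
        if direct:
            findings.append(f"info: level-15 users ({', '.join(direct)}) log in with one "
                            "password; the enable secret is not a second check for them")
    return findings


def privilege_applies(text):
    """True when no defect prevents the username privilege level from being granted."""
    return not [f for f in audit_config(text) if not f.startswith("info:")]


# Constructed configs modelled on the thread, with placeholders instead of secrets.
BROKEN = """\
aaa new-model
aaa session-id common
username admin secret 5 <PASSWORD>
username justin privilege 15 secret 5 <PASSWORD>
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
end
"""
NAMED_UNAPPLIED = """\
aaa new-model
aaa authentication login local_authen local
aaa authorization exec local_author local
username justin privilege 15 secret 5 <PASSWORD>
line vty 0 4
 transport input ssh
end
"""
FIXED = """\
aaa new-model
aaa authentication login default local enable
aaa authorization exec default local if-authenticated
username user5 privilege 5 secret 5 <PASSWORD>
username user15 privilege 15 secret 5 <PASSWORD>
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
end
"""

if __name__ == "__main__":
    for label, cfg_text in (("broken", BROKEN), ("named lists unapplied", NAMED_UNAPPLIED),
                            ("fixed", FIXED)):
        print(f"== {label}: privilege levels apply = {privilege_applies(cfg_text)}")
        for finding in audit_config(cfg_text):
            print("  -", finding)
```

Running it against a real `show running-config` capture is just `audit_config(open("running-config.txt").read())`; the parser keys only on the `aaa`, `username` and `line` stanzas, so the rest of the config is ignored. The closing advisory reproduces the point raised mid-thread: with `local if-authenticated`, a level-15 user's single password is the whole barrier, so that account's secret deserves the same care as the enable secret.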
 