
Note: All passwords have been replaced or redacted.

I'm trying to create a (rancid repo) account that can use the command "show run" without enabling and using a second password.

Right now, I add user lion with the command "username lion privilege 15 secret raplegend", but when I log in as that user with password raplegend, I can't do the "sh run" command without doing

enable

password: reggaegod

Here are the relevant parts of the running-config file. I have replaced password hashes with fake plaintext for convenience.

version 12.2

enable secret 5 [redacted]
!
username snoop privilege 15 secret 5 raplegend
username lion privilege 15 secret 5 raplegend
aaa new-model
!
line con 0
line vty 0 4
 password 7 reggaegod
 transport input ssh
line vty 5 15
 password 7 reggaegod
 transport input ssh
!

What am I missing here? Thanks!

gozu
    I think your problem is that you have snoop as one user and lion as another, when snoop lion is actually a single individual. – MDMarra Aug 08 '12 at 17:33

2 Answers


I tested this quickly on 12.2(46a), and I needed to add the following to make it work:

aaa authorization exec default local

Of course, if you're using more than just local accounts (e.g. TACACS+), you'll need to modify the statement to accommodate those accounts. Make sure you test it with another SSH session before logging out of the first one, because you won't be able to log in to fix it if it doesn't work.

Also, since aaa new-model is configured, the default configuration for VTY lines is the equivalent of the old local local command, so the password commands should not be needed.

James Sneeringer
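
A minimal before/after configuration that puts this answer together, added here as an illustration and not taken from the original answer. The username, secret and line numbers follow the question; the comments, the explicit `aaa authentication login default local` line and the verification commands are additions. The security-relevant point is that `privilege 15` on a username is only applied at login once exec authorization is turned on; without it the session starts at level 1 and the enable secret is still required.

```text
! --- Before (as posted): privilege 15 is set on the user but never applied at login ---
aaa new-model
username lion privilege 15 secret raplegend     ! placeholder secret
line vty 0 4
 password 7 reggaegod                            ! not consulted once aaa new-model is on
 transport input ssh

! --- After: authorize the EXEC session from the local user database ---
aaa new-model
aaa authentication login default local          ! makes the implicit default explicit
aaa authorization exec default local            ! applies the user's privilege level at login
! aaa authorization console                      ! add only if you want the same on line con 0
username lion privilege 15 secret raplegend     ! placeholder secret; IOS stores a hash
line vty 0 4
 no password                                     ! line password is unused under aaa new-model
 transport input ssh
line vty 5 15
 no password
 transport input ssh

! --- Verify from a SECOND SSH session before closing the first ---
! router# show privilege
! Current privilege level is 15
! router# show running-config
```

On the rancid side, once the account lands directly at level 15, tell clogin not to send `enable` by adding `add autoenable * 1` (or a narrower router pattern) to `.cloginrc`; otherwise it will still wait for an enable prompt that never appears.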

If you're using TACACS or RADIUS then you'll need to pass an av-pair value back for that account to be automatically escalated to enable level. Google TACACS av-pair.

James
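
The TACACS+ variant of the same setup, added as an example and not part of the answer above. The server address, shared key, username and secret are placeholders; the IOS fragment assumes the 12.2-era `tacacs-server host` syntax matching the question's release, and the server stanza assumes the tac_plus (Shrubbery) configuration format. The attribute IOS acts on is `priv-lvl` returned in the exec (shell) service reply.

```text
! --- IOS side: authenticate and authorize through TACACS+, fall back to local ---
aaa new-model
tacacs-server host 192.0.2.10 key tacacskey          ! placeholder server and shared key
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local   ! exec authorization asks the server for priv-lvl
username lion privilege 15 secret raplegend          ! local fallback account, placeholder secret

# --- tac_plus side (tac_plus.conf): return priv-lvl=15 for the rancid account ---
key = "tacacskey"
user = lion {
    login = cleartext "raplegend"    # placeholder; use des/md5 hashed passwords in production
    service = exec {
        priv-lvl = 15                # the av-pair that drops the user straight into enable mode
    }
}
```

Two caveats when testing this: a user the server authenticates but whose exec reply carries no `priv-lvl` lands at level 1 and will hit the same `enable` prompt as in the question, and the trailing `local` method is only consulted when every TACACS+ server is unreachable, not when a server rejects the user, so keep a second session open while you change the method lists.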