ASA: Questions about AAA user login

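This article looks at a privilege-level login problem encountered on a Cisco ASA 5510, explains in detail why a login starts at privilege level 1 by default, and gives solutions for three different scenarios, covering the effect of the enable authentication configuration.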

Example question:
I have created a test user that is set to privilege 15 in the config:

When I log in to the ASA 5510 I am in privilege 1 according to sh curpriv: 

 

Attempting enable fails even though I know I have the correct enable password:

Logging in from unprivileged puts me on privilege 15 and I can do as I please:

The only thing I can track this to is a configuration change I made where I removed a VPN user we no longer needed.
Why do I start at privilege level 1 when logging into a Cisco ASA 5510?

Answer received:

The ASA uses a slightly different model than traditional IOS routers and this is where some of the confusion sits. The second piece is whether or not aaa authentication enable console LOCAL is configured.

Scenario 1 - Enable Authentication Not Configured
Relevant ASA config

Results

If enable authentication is not configured, a user with privilege 15 must still use the enable password to enter privileged exec mode if entering privileged exec mode through enable.

Scenario 2 - Enable Authentication Not Configured but using login
Relevant ASA config

Results

If enable authentication is not configured, a user with privilege 15 can use the login command to enter privileged exec mode without knowing or using the enable password.

Scenario 3 - Enable Authentication Configured
Relevant ASA config

Results

If enable authentication is configured, a user with privilege 15 can use login or enable to gain access to privileged exec mode. If using enable, the password required will be the user password and not the enable password.

From <https://serverfault.com/questions/330758/why-do-i-start-at-privilege-level-1-when-logging-into-a-cisco-asa-5510>

Reposted from: https://www.cnblogs.com/MomentsLee/p/9914999.html
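
The three scenarios in the answer can be checked against a saved running configuration. The Python sketch below is an added example, not part of the original post or the ServerFault answer: it reports which credential each privilege 15 user needs for `enable` and for `login`. The sample configs, the placeholder hashes and the function name `audit` are constructed for illustration.

```python
import re

# Constructed sample configs (not from the original page); hashes are placeholders.
BASE = """\
enable password PLACEHOLDER_HASH encrypted
username test password PLACEHOLDER_HASH encrypted privilege 15
username helpdesk password PLACEHOLDER_HASH encrypted privilege 5
aaa authentication ssh console LOCAL
"""
WITH_ENABLE_AUTH = BASE + "aaa authentication enable console LOCAL\n"

USER_RE = re.compile(r"^username\s+(\S+)\s.*\bprivilege\s+(\d+)\s*$")
ENABLE_AUTH_RE = re.compile(r"^aaa\s+authentication\s+enable\s+console\s+(.+)$")


def audit(config):
    """Return which credential each privilege-15 user needs per entry path."""
    admins, methods = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blank lines and comment separators
        user = USER_RE.match(line)
        if user and int(user.group(2)) == 15:
            admins.append(user.group(1))
        auth = ENABLE_AUTH_RE.match(line)
        if auth:
            methods = auth.group(1).split()
    if methods is None:
        # Scenarios 1 and 2: `enable` wants the shared enable password,
        # while `login` accepts the user's own password.
        scenario, via_enable = "enable authentication not configured", "enable password"
    elif "LOCAL" in methods:
        # Scenario 3: `enable` asks for the user's own password.
        scenario, via_enable = "enable authentication configured", "user password"
    else:
        # Method lists without LOCAL are outside what the answer describes.
        scenario, via_enable = "enable authentication via " + " ".join(methods), "not covered here"
    paths = {u: {"enable": via_enable, "login": "user password"} for u in admins}
    return {"scenario": scenario, "privilege_15_users": paths}


if __name__ == "__main__":
    for name, cfg in (("BASE", BASE), ("WITH_ENABLE_AUTH", WITH_ENABLE_AUTH)):
        print(name, audit(cfg))
```

A result of "enable password" for the `enable` path means privileged access through `enable` depends on a shared secret rather than on the individual account, which matters when reviewing who can reach privileged exec mode.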
