If a user name and password of the corresponding level are configured, the user can run the enable level (0-15) command and then enter the correct password to enter the required user level. The user then has the execute permission of that user level and of all lower levels.
If the current user level is higher than the user level that the user wants to enter, no authentication is required, and the user directly enters the required user level. If the user level that the user wants to enter is higher than the current user level, authentication is required, and the authentication mode is selected according to the current configuration.
If the enable password of the corresponding level has been configured (by using the enable password level command), and the enable authentication of Authentication, Authorization and Accounting (AAA) is either not configured or set to use the enable method, the enable password is used for authentication.
If the enable password of the required level has not been configured, but the enable authentication method is set to use the local enable password for authentication, there are two cases:
- For a Telnet user, the login fails. If AAA has not been configured, the "% No password set" message is displayed. If AAA has been configured, the "% Error in authentication" message is displayed.
- For a Console port user, if AAA has been configured, the enable password is tried first during login. If the enable password has not been configured, the none authentication method is used. That is, the login passes the authentication by default. If AAA has not been configured, the "% No password set" message is displayed, and the authentication fails.
If enable authentication succeeds, the user enters the specified user level and the user has execution permission of the level. To query the user level of the current user, run the show privilege command.
If aaa authentication enable default method is configured so that a method list is used for enable authentication, the configured method is used for authentication, as follows:
- If aaa authentication enable default none is configured, no password is required.
- If aaa authentication enable default line is configured, and the line password is configured, the line password is used for authentication. Otherwise, the "% Error in authentication" message is displayed, and the authentication fails.
- If aaa authentication enable default radius is configured, Remote Authentication Dial-In User Service (RADIUS) authentication is used. Note that the enable authentication user names for RADIUS are fixed, that is, $enab+level$. Here "level" is a number in the range of 1-15, that is, the level that the user wants to enter. Because the RADIUS user names are fixed, no user name is required during authentication; the user only needs to enter the password. If passwords have been set for users of different levels on the RADIUS server, the login succeeds after the correct password is entered; otherwise, the login fails. For example, when the enable 10 command is run, the fixed user name is $enab10$. If the user name exists on the RADIUS server, enter the password corresponding to the user name, and the authentication succeeds.
- If aaa authentication enable default tacacs is configured, Terminal Access Controller Access Control System (TACACS) authentication is used. If the user name is displayed during login, keep the user name for login, and enter the enable password of the user name. Otherwise, enter a user name and the enable password of the user name. If the entered user name exists on the TACACS server and the enable password of the TACACS has been set, the authentication succeeds; otherwise, the authentication fails.
The enable authentication methods described above can be used in combination.
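The following Python sketch is an added example, not vendor code: it models the enable decision rules described above and enumerates the settings under which a level switch succeeds without any credential. The function and parameter names are hypothetical, and the model assumes that a method list is only present when AAA is configured.

```python
from itertools import product

def enable_outcome(current, target, line, aaa, enable_pw, method=None, line_pw=False):
    """Model of the enable decision described in the text (illustrative only).
    Returns (result, detail); result is "no-auth", "prompt" or "fail".
    method: None (no AAA enable method list), "enable", "none", "line",
    "radius" or "tacacs". Equal levels are not covered by the text and are
    treated here like an upward switch (assumption)."""
    if current > target:
        return ("no-auth", "switching to a lower level")
    if method == "none":
        return ("no-auth", "aaa authentication enable default none")
    if method == "line":
        if line_pw:
            return ("prompt", "line password")
        return ("fail", "% Error in authentication")
    if method == "radius":
        # The RADIUS user name is fixed and derived from the target level.
        return ("prompt", f"RADIUS password for $enab{target}$")
    if method == "tacacs":
        return ("prompt", "TACACS user name and enable password")
    # method is None or "enable": the local enable password is used.
    if enable_pw:
        return ("prompt", "enable password")
    if line == "telnet":
        return ("fail", "% Error in authentication" if aaa else "% No password set")
    # Console port user without an enable password.
    if aaa:
        return ("no-auth", "console fallback to none")
    return ("fail", "% No password set")

def passwordless_upgrades(target=15):
    """List modelled settings where a level-1 user reaches `target`
    without entering any credential."""
    hits = []
    for line, aaa, enable_pw, method in product(
            ("console", "telnet"), (False, True), (False, True),
            (None, "enable", "none", "line", "radius", "tacacs")):
        if method is not None and not aaa:
            continue  # a method list presupposes AAA (assumption of this model)
        result, detail = enable_outcome(1, target, line, aaa, enable_pw, method)
        if result == "no-auth":
            hits.append((line, aaa, enable_pw, method, detail))
    return hits
```

The combinations returned by passwordless_upgrades() are the ones to look for when reviewing a device configuration: the none method, and a Console port user with AAA configured but no enable password for the target level.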
Configuration Condition
None
Switch Over Between User Levels
A user who has the corresponding authority can run a command to switch from the common user mode to the privileged user mode. The user then has the authority of that user level. If the user runs the command in the privileged user mode, the user level switchover is performed according to the command parameter.
Table 3-2 Switching over between User Levels
| Step | Command | Description |
| --- | --- | --- |
| Switch over between user levels. | enable [ level-number ] | Mandatory. By default, the user level is level 15. |