https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328119#M405321 <HTML><HEAD></HEAD><BODY><P>Thank you for your response. When I am initiating the SSH session, I am doing so from either my laptop or workstation. I have been staring at this trying to "see" where I went wrong, and it know it has to be there. It has to be something so tiny that I am overlooking it.</P><P></P><P>Thanks</P><P>Poirot </P></BODY></HTML> Tue, 04 Aug 2009 10:39:57 GMT poirot1967 2009-08-04T10:39:57Z https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328109#M405311 <P>I need a little help with my aaa design. here is my current design :</P><P></P><P>aaa new-model</P><P>aaa authentication login default local</P><P>aaa authentication enable default enable</P><P>aaa session-id common</P><P></P><P>username irobot secret xxxxxxx</P><P></P><P>line vty 0 4</P><P>access-class 10 in </P><P>exec-timeout 9 0</P><P>transport input ssh</P><P></P><P></P><P>When I ssh 192.168.32.1, I am challenged for a password, but not a login. If I ssh irobot@192.168.32.1 I get the password challenge, and login with the stored password. Where have I gone wrong? I would like to ssh to the switch and be challenged for a user-name and a password. Suggestions?</P><P></P><P></P><P>Poirot</P> Sun, 10 Mar 2019 23:36:59 GMT https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328109#M405311 poirot1967 2019-03-10T23:36:59Z https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328110#M405312 <HTML><HEAD></HEAD><BODY><P>Poirot,</P><P>Please issue login command in line vty</P><P></P><P></P><P>"login local"</P><P></P><P></P><P>Regards,</P><P>~JG</P><P></P><P>Do rate helpful </P></BODY></HTML> Thu, 30 Jul 2009 17:03:52 GMT https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328110#M405312 Jagdeep Gambhir 2009-07-30T17:03:52Z https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328111#M405313 <HTML><HEAD></HEAD><BODY><P>Thanks for the response. Here is the output of that command :</P><P></P><P>(config)#line vty 0 4 </P><P>(config-line)#login local</P><P> ^</P><P>% Invalid input detected at '^' marker.</P><P></P><P>This is a 2960, running Version 12.2(44)SE5.</P><P></P><P></P><P>Poirot</P></BODY></HTML> Thu, 30 Jul 2009 17:31:11 GMT https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328111#M405313 poirot1967 2009-07-30T17:31:11Z https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328112#M405314 <HTML><HEAD></HEAD><BODY><P>Try </P><P></P><P>Switch(config-line)#login</P><P></P><P></P><P>and then </P><P></P><P>Switch(config-line)#login local</P><P>Switch(config-line)#</P><P></P><P></P></BODY></HTML> Thu, 30 Jul 2009 17:36:59 GMT https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328112#M405314 Jagdeep Gambhir 2009-07-30T17:36:59Z https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328113#M405315 <HTML><HEAD></HEAD><BODY><P>#conf t</P><P>Enter configuration commands, one per line. End with CNTL/Z.</P><P>(config)#line vty 0 4</P><P>(config-line)#login</P><P>% Incomplete command.</P><P></P><P>(config-line)#login local</P><P> ^</P><P>% Invalid input detected at '^' marker.</P><P></P><P>(config-line)#</P><P></P><P></P><P>What it will accept is login authentication default, as I did not name my local database</P><P></P><P></P><P>Poirot</P><P></P></BODY></HTML> Thu, 30 Jul 2009 17:43:02 GMT https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328113#M405315 poirot1967 2009-07-30T17:43:02Z https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328114#M405316 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>I think you have to put in the vty lines</P><P></P><P>login authentication default</P><P></P><P></P></BODY></HTML> Thu, 30 Jul 2009 17:54:24 GMT https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328114#M405316 leninpena 2009-07-30T17:54:24Z https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328115#M405317 <HTML><HEAD></HEAD><BODY><P>Thanks for the suggestion. I had entered that earlier. It accepted he command, but it does not appear in the sh run. From my understanding, that is the default when not using a named database.</P><P></P><P>Poirot</P></BODY></HTML> Fri, 31 Jul 2009 10:29:17 GMT https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328115#M405317 poirot1967 2009-07-31T10:29:17Z https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328116#M405318 <HTML><HEAD></HEAD><BODY><P>Of course this is correct because you already entered the username with irobot@switch_ip_address and it will prompt you for a password because the username is already entered. That's how ssh work. perhaps you need to read up on how ssh work. The other option is:</P><P></P><P>ssh -l irobot switch_ip_address</P></BODY></HTML> Fri, 31 Jul 2009 11:08:46 GMT https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328116#M405318 cisco24x7 2009-07-31T11:08:46Z https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328117#M405319 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply. The issue I was having is if I were to ssh 192.168.32.1, it does not challenge me for a login, only a password. I was trying to configure AAA to ask for both a login and password authenticated against the local database. I know that ssh irobot@ works, but that is not what I am aiming for. Now my assumptions (insert joke here) could be wrong.</P></BODY></HTML> Fri, 31 Jul 2009 11:16:09 GMT https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328117#M405319 poirot1967 2009-07-31T11:16:09Z https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328118#M405320 <HTML><HEAD></HEAD><BODY><P>Poirot</P><P></P><P>I believe that the issue is that you are initiating the SSH from a Cisco device on which you have already authenticated. I have observed that if I am logged in on a Cisco router or switch on which I have already authenticated and then use the SSH command to initiate a session to some other Cisco device that the device from which I initiate the session already supplies the user name (based on my current login) and the device to which I am initiating the session only needs my password to log me in and authenticate correctly. One good way to check this is to initiate the ssh, get the prompt for (only) the password, enter the password, in the new session enter the command who (or show user) and see if it does not correctly have your user ID already.</P><P></P><P>I am surprised and disappointed by the suggestion from Jagdeep. I usually find his responses quite correct and helpful. But in this case when you enter aaa new-model, then login local becomes the default (as you demonstrateed when you attempted to enter the command, that it is not accepted when aaa new-model is in effect).</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Tue, 04 Aug 2009 01:55:26 GMT https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328118#M405320 Richard Burts 2009-08-04T01:55:26Z https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328119#M405321 <HTML><HEAD></HEAD><BODY><P>Thank you for your response. When I am initiating the SSH session, I am doing so from either my laptop or workstation. I have been staring at this trying to "see" where I went wrong, and it know it has to be there. It has to be something so tiny that I am overlooking it.</P><P></P><P>Thanks</P><P>Poirot </P></BODY></HTML> Tue, 04 Aug 2009 10:39:57 GMT https://community.cisco.com/t5/network-access-control/aaa-local-authentication-design-issue/m-p/1328119#M405321 poirot1967 2009-08-04T10:39:57Z