topic Re: AAA configuration on cisco 9300 in Network Access Control

AAA configuration on cisco 9300

bilalsheikh77 — Thu, 11 Aug 2022 14:26:56 GMT

I am trying to configure a AAA configuration on cisco 9300 switch. but lost here.

for line vty i need local database to be checked ( as this stack is not going to be attached with tacacs+ server)
I have local enable secret password.

config below is not working as it is keep asking for username/password on con 0

I do have line con 0 password

Sample config is as follow .

******************
username admin privilege 15 secret 5 Test123@@
!
enable secret Test123##
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
line con 0
password 7 Test123@@
line aux 0
line vty 0 4
password 7 Test123@@
line vty 5 15
password 7 Test123@@
!
end
!
wr
!

Re: AAA configuration on cisco 9300

MHM Cisco World — Thu, 11 Aug 2022 14:43:05 GMT

aaa authentication login default local<<<- you need this command to make Router as AAA for username/password
!
line vty 0 4
login authentication default <<- if you use different method name then specify.

https://www.cisco.com/c/en/us/td/docs/optical/cpt/r9_3/configuration/guide/cpt93_configuration/cpt93_configuration_chapter_010000.pdf

check this link for more detail

NOTE:- I MAKE double check cisco not prefer use AAA for console, console prefer to be local, but for VTY you can use AAA

Re: AAA configuration on cisco 9300

balaji.bandi — Thu, 11 Aug 2022 14:34:11 GMT

If you have not saved config, you reboot, so your config gone to default.

i do not see config in VTY lines as below :

login authentication default

Re: AAA configuration on cisco 9300

bilalsheikh77 — Thu, 11 Aug 2022 15:09:36 GMT

username admin privilege 15 secret 9 Test123@@
!
enable secret Test123##
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
line con 0
!
line vty 0 4
transport input all login authentication default
!
line vty 5-15
transport input all
login authentication default
!

my concern is for console use the local line password and for vty use the local database

Re: AAA configuration on cisco 9300

MHM Cisco World — Fri, 12 Aug 2022 00:03:20 GMT

I make small lab for this,
again I prefer config the console with login and config password under it.

the lab
I use the rotary to make me decide which VTY I can access,
there are three
1- login with password under the VTY
2- login using aaa auth and local password (local meaning the username and password config in global mode)
3- login using aaa auth and line password (line meaning the password config under VTY not in global mode)

Issue with aaa auth and local or line
let me explain, this fallback depend on the failed of AAA server and fallback to local or line BUT what if some bug or issue between the SW and AAA

the SW still need to declear the AAA id dead before try local or line
and that WHY I prefer login with password under the VTY

NOTEIC:- MY LAB FOR VTY AND AS I MENTION EACH SW OR ROUTER HAVE SPECIAL BEHAVE WITH CONSOLE AND AAA DEAD
""""FRIEND BE CARFULL""""

Re: AAA configuration on cisco 9300

Ambuj M — Thu, 11 Aug 2022 15:25:44 GMT

if you don't want any password for line console then use this

aaa authentication login NO_AUTH none

line console 0