11-11-2005 08:41 AM - edited 03-10-2019 02:22 PM
Hi,
2 questions:
1. If I configured router IOS with aaa as "aaa authentication login default tacacs+ radius local", can I still configure the lines (CTY, TTY, VTY and AUX) with lower level security using "password" and "login"?
2. If I used the same aaa login authentication as in question 1, what would happen if all network connections are down but out-of-band (console) is still alive? Earlier, I got into this situation where the network was down and I could still get in out-of-band, but it did not prompt me for the local username and password (because the router could not access the tacacs+ and radius servers)???
Any response is welcome, thanks in advance.
11-11-2005 10:10 AM
Kevin
If you configure router IOS with:
aaa authentication login default tacacs+ radius local
Then this establishes the default method for logging in to user mode. If you want to establish a different (perhaps lower) method for some connections (console, vty, or whatever) you can configure another authentication method. For example if you want to specify login with the line password for the console you might configure something like this:
line console 0
login authentication admin
!
aaa authentication login admin line
I am not clear what you are describing in question 2. If the router can not get to the tacacs or radius server, do you have a local user ID and password configured, or do you want to use the line passwords? Local authentication (as you show it configured) requires configuration of user names and passwords on the router. I suspect that if you change the suggested configuration to use line instead of local you would achieve what you want.
HTH
Rick
11-11-2005 12:59 PM
thanks for the reply, Rick
For the first question, I totally agree with you for configuration with "login authentication".
For the second question, I apologize for not being clear and not being valid either. After I posted the question, I remembered that when I got oob to the console port and the default prompt - username (the regular tacacs+ login prompt) - to log in to the router while the network was down, I used the tacacs+ login info instead of the local username and password that had been configured in the router. Anyway, thanks for the response.
11-11-2005 04:39 PM
Kevin
For point number 1: yes, after you enable aaa new-model you can no longer configure "login" for the console or vty. It must be "login authentication". You can still configure "password", which is what the "line" method will check in aaa.
For point number 2: you can specify "local" in aaa and then it will use whatever you have configured on the local router for username & password, or you can specify "line" & it will use the password that you have configured on the console or on the vty.
HTH
Rick
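As an added example (not part of the thread or either poster's configuration), here is a complete IOS snippet that puts the two answers together: the default list with server fallback to a local account, and a named "line" list for the console so the out-of-band path still works with no AAA server reachable. It uses the newer "group tacacs+" keyword form; addresses, keys and passwords are placeholders.

```cisco
! Added example, not from the thread. Server addresses, keys and
! passwords are placeholders to be replaced.
aaa new-model
!
! Default list: try TACACS+, then RADIUS, then the local user database.
! IOS moves to the next method only when a server does not answer,
! not when it rejects the credentials, so a bad password is never
! "retried" against the local account.
aaa authentication login default group tacacs+ group radius local
!
! Named list for the console: checks the line password only (question 1).
! Anyone with physical console access and that password gets in, so
! keep the password strong and the console physically controlled.
aaa authentication login admin line
!
tacacs-server host 192.0.2.10 key TACACS_KEY_PLACEHOLDER
radius-server host 192.0.2.11 key RADIUS_KEY_PLACEHOLDER
!
! Local account that the "local" method falls back to when neither
! server is reachable (question 2). Without this, fallback has nothing
! to check and the vty login fails when the network is down.
username netadmin privilege 15 secret LOCAL_PASSWORD_PLACEHOLDER
enable secret ENABLE_PASSWORD_PLACEHOLDER
!
line con 0
 login authentication admin
 password CONSOLE_PASSWORD_PLACEHOLDER
!
line vty 0 4
 login authentication default
```

Verify the fallback before relying on it: with the servers unreachable, a vty login should prompt for and accept the local username, and the console should prompt only for the line password.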
11-16-2005 10:11 AM
Thanks, Rick,
I think I have all my answers for this conversation. I appreciate the help from both of you.