AAA authentication

cchiahuan
Level 1

Hi,

2 questions:

1. If I configured router IOS with AAA as "aaa authentication login default tacacs+ radius local", can I still configure lines (CTY, TTY, VTY and AUX) with lower-level security using "password" and "login"?

2. If I used the same AAA login authentication as in question 1, what would happen if all network connections were down but out-of-band (console) access was still alive? Earlier, I got into this situation where the network was down and I could still get in out-of-band, but it did not prompt me for the local username and password (because the router could not reach the TACACS+ and RADIUS servers)???

Any response is welcome, thanks in advance

4 Replies

Richard Burts
Hall of Fame

Kevin

If you configure router IOS with:

aaa authentication login default tacacs+ radius local

Then this establishes the default method for logging in to user mode. If you want to establish a different (perhaps lower) method for some connections (console, vty, or whatever) you can configure another authentication method. For example if you want to specify login with the line password for the console you might configure something like this:

line console 0
 login authentication admin
!
aaa authentication login admin line

I am not clear what you are describing in question 2. If the router cannot get to the TACACS or RADIUS server, do you have a local user ID and password configured, or do you want to use the line passwords? Local authentication (as you show it configured) requires configuration of user names and passwords on the router. I suspect that if you change the suggested configuration to use line instead of local you would achieve what you want.

HTH

Rick

cchiahuan
Level 1

thanks for the reply, Rick

For the first question, I totally agree with you about configuring "login authentication" on the console, vty... What I mean is that after AAA authentication is configured in the router, the router by default is going to use AAA for all access to the router? And if that is the case, then the router won't allow me to configure "password" and "login" for the line; instead I need to use "password" and "login authentication" for line access login authentication. Is that right?

For the second question, I apologize for not being clear and not being valid either. After I posted the question, it reminded me that when I got OOB to the console port and the default prompt - username (the regular TACACS+ login prompt) to log in to the router while the network was down, I used the TACACS+ login info instead of the local username and password that had been configured in the router. Anyway, thanks for the response..

Kevin

for point number 1: yes, after you enable aaa new-model you can no longer configure "login" for the console or vty. It must be login authentication. You can still configure "password" which is what the "line" method will check in aaa.

for point number 2: you can specify "local" in aaa and then it will use whatever you have configured on the local router for username & password or you can specify "line" & it will use the password that you have configured on the console or on the vty.

HTH

Rick
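
Putting Rick's two replies together as one working configuration: this is an added example, not from the original thread or from Cisco's documentation. The list name CONSOLE, the admin account, the server addresses and every value in angle brackets are assumed placeholders; the "group tacacs+ / group radius" form is the method-list syntax current IOS expects for the "tacacs+ radius" keywords shown above.

```text
! Added example, not from the thread. Replace every <placeholder>.
aaa new-model
!
! AAA server definitions (placeholder addresses and keys)
tacacs server TAC1
 address ipv4 192.0.2.10
 key <tacacs-key>
radius server RAD1
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key <radius-key>
!
! A local account is REQUIRED for the "local" method to do anything;
! without it the last method in the list has nothing to check against.
username admin privilege 15 secret <strong-password>
!
! Default list: TACACS+ first, RADIUS second, local database last.
! IOS falls through to the next method only when a server does not
! answer (error), never when a server rejects the credentials (fail).
aaa authentication login default group tacacs+ group radius local
!
! Console-only list: skips the servers entirely, so out-of-band access
! keeps working while the network (and both servers) are unreachable.
aaa authentication login CONSOLE local
!
! Alternative using the line password instead of the user database
! (Rick's "line" method). Enable this line and remove the one above:
! aaa authentication login CONSOLE line
!
line con 0
 login authentication CONSOLE
 ! The line password is consulted only by the "line" method.
 password <console-line-password>
!
line vty 0 4
 login authentication default
 transport input ssh
```

With "aaa new-model" in place, "login" is no longer accepted under a line; "login authentication <list>" is the only form, which is why the first question's "password" plus "login" combination cannot be configured.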

Thanks, Rick,

I think I have all my answers for this conversation. I appreciate both of you..