AAA issue - Line Con 0 = login authentication (password)

david.mitchell
Level 1

Good afternoon all,

Nice easy one for someone I'm sure.....I have only remote access to network kit and therefore cannot test Console access. 

I have a switch with the following config (Extract)

!

Username Admin password Password123

!

aaa new-model

aaa login authentication default group tacacs+ local

!

line con 0

login authentication cisco (Where cisco is representative of a password)

NOTE: I don't have username Admin password cisco within global config

My question is: With this current config will the Console access stop using the default tacacs config for authentication and only allow access to the console line if the password cisco is specified? In which case as the password is not defined in global, access would be denied?

I have seen it before where you have the exact same set up but instead of referring to a password value on the console line you specify a name-list.  For example, login authentication CONSOLE_USERS local, which would make sense, as you would be referring them to a group on the Tacacs Server named CONSOLE_USERS and only those users defined within that group could gain access via the console whilst the ACS server is running!

Any assistance appreciated as I really want to get my head around ACS unconditionally

Many thanks in advance

David



Michal Garcarz
Cisco Employee

Hi David,

I have tried to understand your problem, but it's a bit confusing.

You have defined:

line con 0

login authentication cisco     #cisco is list-name

According to command reference for 15.3:  http://www.cisco.com/en/US/partner/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID-297BDF33-4841-441C-83F3-4DA51C3C7284

"cisco" was the list name. What is the configuration of that list-name ?

(you put only default list-name from your configuration).

If you want to use line defined password you could do:

aaa authentication login line-list line

line con 0

password cisco

login authentication line-list

Regarding question about locally defined password. If you use list which uses "local" method and there is no specific local user - then your access will be always denied.

If you use list with "tacacs" and then "local" methods - then only when tacacs server is not responsive local username will be queried. But if tacacs server return "authentication failure/bad password" your access will be denied and "local" username will not be checked. This is a bit different than in linux/juniper configuration which will query next authentication method in case of password failure of previous method.

Please also remember that default AAA list is always overridden by specific list configured under line con 0.

---

Michal

Good Morning Michal and thanks for the reply,

Unfortunately I don't have the required access rights to view the hyperlink you have attached:(

However I know what you are saying and that is my confusion also.

If I was configuring this using the Line Con 0 command "cisco" would be a list-name and the list-name would be defined in global as aaa login authentication cisco tacacs+ local and then the cisco group would be defined on the tacacs+ server with members etc right?

The problem I have is that someone has configured login authentication cisco under Line Console 0 and the word cisco (actually takes the form of our password that we use to commission our switches prior to replacing the commission password with a proper username and password combo in global).

The commission password cisco no longer exists in the global config but it is on the line console 0.  There is no cisco name-list on the tacacs+ server or within global on the switch

I hope that clarifies the position

I guess what I am looking at on line con 0 is invalid config that is actually referring to nothing!  Which leads me on to ask: Would leaving this config in place on the console line prevent tacacs+ authentication/access to the console?

Thanks

David

Hi David,

1. right, "aaa login authentication cisco tacacs+ local" under console would try to connect with specified tacacs server for user authentication accessing console. If tacacs communication fails it will try local usernames.

2. I have made a lab, created aaa list, bound it under line con 0 - and then removed that aaa list from global config.

But "line con 0" was still referencing that non-existent aaa list. And result: that list was not simply applied. I accessed router without authentication.

If you still have doubts I can clarify them but please send me result of:

sh run | s line

sh run | i aaa

--

Michal

Thanks Michal,

I think the lab would need to include aaa authentication default group tacacs+ local as well in order to see if the console authentication uses that as a fallback to the failed line console command.

Outputs as requested:

line con 0

     exec-timeout 15 0

     privilege level 0

     logging synchronous

     login authentication cisco

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

Cheers

David

Hi David,

You are 100% right.

Tested that.

In this scenario default AAA list is being used.

But it's not good to rely on such config, that behavior might change - it's best to have applied AAA list which is in the config

---

Michal
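A small checker, added here as an example and not part of anyone's post, that does the audit David and Michal did by hand: it parses a running-config for the aaa authentication login lists and reports any line section whose login authentication binds a list name that is never defined. The sample config is constructed to mirror the extract above (hypothetical values, not a real device).

```python
import re
from typing import Dict, List

# Constructed sample running-config (hypothetical): the default list exists, but
# "line con 0" binds a list named "cisco" that is never defined globally.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
line con 0
 exec-timeout 15 0
 logging synchronous
 login authentication cisco
line vty 0 4
 login authentication default
 transport input ssh
end
"""

def parse_aaa_login_lists(config: str) -> Dict[str, List[str]]:
    """Map each 'aaa authentication login <name> <methods...>' list to its methods."""
    lists: Dict[str, List[str]] = {}
    for raw in config.splitlines():
        m = re.match(r"^aaa authentication login (\S+)\s+(.+)$", raw.strip())
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists

def parse_line_bindings(config: str) -> Dict[str, str]:
    """Map each 'line ...' section to the list name bound by 'login authentication'."""
    bindings: Dict[str, str] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()          # entering a new line section
        elif not raw.startswith(" "):
            current = None                 # back at global config level
        elif current is not None:
            m = re.match(r"^login authentication (\S+)$", raw.strip())
            if m:
                bindings[current] = m.group(1)
    return bindings

def dangling_bindings(config: str) -> Dict[str, str]:
    """Return line sections whose bound list name has no matching aaa login list."""
    defined = parse_aaa_login_lists(config)
    return {section: name for section, name in parse_line_bindings(config).items()
            if name not in defined}
```

Run `dangling_bindings()` over `show running-config` output; a non-empty result is exactly the "referring to nothing" situation in this thread, where the device silently falls back to the default list (or, as Michal's first lab showed, to no authentication at all).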

Thanks Michal,

So even with the login authentication cisco on the line console the aaa authentication still refers login attempts to the default list.  That's what I was hoping for as it proves that the current config on line con 0 login authentication cisco has no effect on login attempts, but should be removed all the same!

Agreed that list-names should be used over default group

Thanks for your assistance with this, one last question if you don't mind: Where I work I can't lab anything up, but I can at home.  Do you know where I could get a copy of Cisco TACACS 4.x for non-commercial use/lab use only as it would make tshooting aaa a whole lot easier for me.

Yes David, you can safely remove that "login authentication cisco" from line con 0.

Regarding tacacs server have a look at:

http://www.shrubbery.net/tac_plus/

Regarding radius server I recommend freeradius for such testing.

(it has much fewer capabilities than cisco ACS but it can allow you for easy testing of basic functions)

---

Michal

Petr Stepanov
Level 1

You can use these commands:

aaa authentication login default local
aaa authorization exec default local