AAA local authentication design issue
07-30-2009 08:56 AM - edited 03-10-2019 04:36 PM
I need a little help with my AAA design. Here is my current design:
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa session-id common
username irobot secret xxxxxxx
line vty 0 4
 access-class 10 in
 exec-timeout 9 0
 transport input ssh
When I ssh 192.168.32.1, I am challenged for a password, but not a login. If I ssh irobot@192.168.32.1 I get the password challenge, and login with the stored password. Where have I gone wrong? I would like to ssh to the switch and be challenged for a user-name and a password. Suggestions?
Poirot
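As an added example that is not part of the original thread, here is a small Python audit that reads an IOS-style configuration and reports what a reviewer would check on the vty lines: whether a login method list exists and what it falls back to, whether a per-line "login" / "login local" command appears in a stanza where "aaa new-model" makes the method list govern instead (the combination the CLI rejects later in the thread), whether telnet is allowed on "transport input", and whether "access-class" and "exec-timeout" are set. The poster's fragment is embedded as a constructed sample alongside two constructed variants; the parser, the finding levels and the sample configs are this example's own assumptions, not anything taken from the poster's switch.

```python
import re

# Constructed sample: the AAA/vty fragment posted at the top of the thread.
POSTED_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa session-id common
username irobot secret xxxxxxx
line vty 0 4
 access-class 10 in
 exec-timeout 9 0
 transport input ssh
"""

# Constructed sample: a stanza without aaa new-model, where the per-line
# 'login local' command is what selects the local user database.
LEGACY_CONFIG = """\
username irobot secret xxxxxxx
line vty 0 4
 login local
 transport input telnet ssh
"""

# Constructed sample: a template mixing both styles (what the CLI rejected).
MIXED_CONFIG = """\
aaa new-model
aaa authentication login default local
username irobot secret xxxxxxx
line vty 0 4
 login local
 transport input ssh
"""

def parse_config(text):
    """Split an IOS config into global commands and per-'line' stanzas.
    A stanza body is the indented commands that follow 'line <name>'."""
    global_cmds, stanzas, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("line "):
            current = raw[5:].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, stanzas

def audit_vty_auth(text):
    """Return (level, message) findings about remote-login authentication on vty lines."""
    global_cmds, stanzas = parse_config(text)
    findings = []
    aaa = "aaa new-model" in global_cmds
    lists = {}  # method-list name -> methods, e.g. {'default': ['local']}
    for cmd in global_cmds:
        m = re.match(r"aaa authentication login (\S+) (.+)", cmd)
        if m:
            lists[m.group(1)] = m.group(2).split()
    has_users = any(c.startswith("username ") for c in global_cmds)
    if aaa and "default" not in lists:
        findings.append(("high", "aaa new-model set but no 'aaa authentication login default' list"))
    for name, methods in lists.items():
        if "none" in methods:
            findings.append(("high", f"login list '{name}' includes 'none' (unauthenticated fallback)"))
        if "local" in methods and not has_users:
            findings.append(("high", f"login list '{name}' uses the local database but no username exists"))
    for name, cmds in stanzas.items():
        if not name.startswith("vty"):
            continue
        login_cmds = [c for c in cmds if c == "login" or c.startswith("login ")]
        if aaa:
            for c in login_cmds:
                if c.startswith("login authentication "):
                    lst = c.split()[2]
                    if lst not in lists:
                        findings.append(("high", f"line {name}: 'login authentication {lst}' names an undefined list"))
                else:
                    findings.append(("high", f"line {name}: '{c}' is not valid under aaa new-model; use 'login authentication <list>'"))
            if not any(c.startswith("login authentication ") for c in login_cmds):
                findings.append(("info", f"line {name}: no explicit list, so 'login authentication default' applies (not shown in running-config)"))
        elif "login local" in login_cmds:
            findings.append(("info", f"line {name}: local user database selected by 'login local'"))
        elif "login" in login_cmds:
            if any(c.startswith("password ") for c in cmds):
                findings.append(("medium", f"line {name}: shared line password only, no per-user accounts"))
            else:
                findings.append(("high", f"line {name}: 'login' without a line password; remote login will be refused"))
        else:
            findings.append(("high", f"line {name}: no login command; sessions are not authenticated"))
        transport = [c for c in cmds if c.startswith("transport input ")]
        if any("telnet" in c or c.endswith(" all") for c in transport):
            findings.append(("high", f"line {name}: cleartext telnet allowed on transport input"))
        if not any(c.startswith("access-class ") for c in cmds):
            findings.append(("medium", f"line {name}: no access-class restricting management sources"))
        timeouts = [c.split()[1:] for c in cmds if c.startswith("exec-timeout ")]
        if not timeouts or (timeouts[-1][0] == "0" and timeouts[-1][1:] in ([], ["0"])):
            findings.append(("low", f"line {name}: idle sessions never expire (no exec-timeout or exec-timeout 0)"))
    return findings

def worst_level(findings):
    """Highest severity present, 'info' for an empty list."""
    order = {"info": 0, "low": 1, "medium": 2, "high": 3}
    return max((f[0] for f in findings), key=order.get, default="info")

if __name__ == "__main__":
    for label, cfg in [("posted", POSTED_CONFIG), ("legacy", LEGACY_CONFIG), ("mixed", MIXED_CONFIG)]:
        print(f"== {label} ({worst_level(audit_vty_auth(cfg))}) ==")
        for level, msg in audit_vty_auth(cfg):
            print(f"  [{level}] {msg}")
```

Run against the posted fragment the only output is the informational note that the "default" list applies implicitly, which matches the observation later in the thread that "login authentication default" is accepted but never shows up in the running configuration; the mixed template is flagged because "login local" has no meaning once "aaa new-model" is in effect.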
07-30-2009 10:03 AM
Poirot,
Please issue login command in line vty
"login local"
Regards,
~JG
Do rate helpful
07-30-2009 10:31 AM
Thanks for the response. Here is the output of that command:
(config)#line vty 0 4
(config-line)#login local
^
% Invalid input detected at '^' marker.
This is a 2960, running Version 12.2(44)SE5.
Poirot
07-30-2009 10:36 AM
Try
Switch(config-line)#login
and then
Switch(config-line)#login local
Switch(config-line)#
07-30-2009 10:43 AM
#conf t
Enter configuration commands, one per line. End with CNTL/Z.
(config)#line vty 0 4
(config-line)#login
% Incomplete command.
(config-line)#login local
^
% Invalid input detected at '^' marker.
(config-line)#
What it will accept is login authentication default, as I did not name my local database.
Poirot
07-30-2009 10:54 AM
Hi
I think you have to put in the vty lines
login authentication default
07-31-2009 03:29 AM
Thanks for the suggestion. I had entered that earlier. It accepted the command, but it does not appear in the sh run. From my understanding, that is the default when not using a named database.
Poirot
07-31-2009 04:08 AM
Of course this is correct, because you already entered the username with irobot@switch_ip_address and it will prompt you for a password because the username is already entered. That's how SSH works. Perhaps you need to read up on how SSH works. The other option is:
ssh -l irobot switch_ip_address
07-31-2009 04:16 AM
Thanks for the reply. The issue I was having is if I were to ssh 192.168.32.1, it does not challenge me for a login, only a password. I was trying to configure AAA to ask for both a login and password authenticated against the local database. I know that ssh irobot@ works, but that is not what I am aiming for. Now my assumptions (insert joke here) could be wrong.
08-03-2009 06:55 PM
Poirot
I believe that the issue is that you are initiating the SSH from a Cisco device on which you have already authenticated. I have observed that if I am logged in on a Cisco router or switch on which I have already authenticated and then use the SSH command to initiate a session to some other Cisco device that the device from which I initiate the session already supplies the user name (based on my current login) and the device to which I am initiating the session only needs my password to log me in and authenticate correctly. One good way to check this is to initiate the ssh, get the prompt for (only) the password, enter the password, in the new session enter the command who (or show user) and see if it does not correctly have your user ID already.
I am surprised and disappointed by the suggestion from Jagdeep. I usually find his responses quite correct and helpful. But in this case, when you enter aaa new-model, then login local becomes the default (as you demonstrated when you attempted to enter the command, that it is not accepted when aaa new-model is in effect).
HTH
Rick
08-04-2009 03:39 AM
Thank you for your response. When I am initiating the SSH session, I am doing so from either my laptop or workstation. I have been staring at this trying to "see" where I went wrong, and I know it has to be there. It has to be something so tiny that I am overlooking it.
Thanks
Poirot
