AAA local authentication design issue

poirot1967 · ‎07-30-2009

I need a little help with my aaa design. here is my current design :

aaa new-model

aaa authentication login default local

aaa authentication enable default enable

aaa session-id common

username irobot secret xxxxxxx

line vty 0 4

access-class 10 in

exec-timeout 9 0

transport input ssh

When I ssh 192.168.32.1, I am challenged for a password, but not a login. If I ssh irobot@192.168.32.1 I get the password challenge, and login with the stored password. Where have I gone wrong? I would like to ssh to the switch and be challenged for a user-name and a password. Suggestions?

Poirot

Jagdeep Gambhir · ‎07-30-2009

Poirot,

Please issue login command in line vty

"login local"

Regards,

~JG

Do rate helpful

poirot1967 · ‎07-30-2009

Thanks for the response. Here is the output of that command :

(config)#line vty 0 4

(config-line)#login local

^

% Invalid input detected at '^' marker.

This is a 2960, running Version 12.2(44)SE5.

Poirot

Jagdeep Gambhir · ‎07-30-2009

Try

Switch(config-line)#login

and then

Switch(config-line)#login local

Switch(config-line)#

poirot1967 · ‎07-30-2009

#conf t

Enter configuration commands, one per line. End with CNTL/Z.

(config)#line vty 0 4

(config-line)#login

% Incomplete command.

(config-line)#login local

^

% Invalid input detected at '^' marker.

(config-line)#

What it will accept is login authentication default, as I did not name my local database

Poirot

leninpena · ‎07-30-2009

Hi

I think you have to put in the vty lines

login authentication default

poirot1967 · ‎07-31-2009

Thanks for the suggestion. I had entered that earlier. It accepted he command, but it does not appear in the sh run. From my understanding, that is the default when not using a named database.

Poirot

cisco24x7 · ‎07-31-2009

Of course this is correct because you already entered the username with irobot@switch_ip_address and it will prompt you for a password because the username is already entered. That's how ssh work. perhaps you need to read up on how ssh work. The other option is:

ssh -l irobot switch_ip_address

poirot1967 · ‎07-31-2009

Thanks for the reply. The issue I was having is if I were to ssh 192.168.32.1, it does not challenge me for a login, only a password. I was trying to configure AAA to ask for both a login and password authenticated against the local database. I know that ssh irobot@ works, but that is not what I am aiming for. Now my assumptions (insert joke here) could be wrong.

Richard Burts · ‎08-03-2009

Poirot

I believe that the issue is that you are initiating the SSH from a Cisco device on which you have already authenticated. I have observed that if I am logged in on a Cisco router or switch on which I have already authenticated and then use the SSH command to initiate a session to some other Cisco device that the device from which I initiate the session already supplies the user name (based on my current login) and the device to which I am initiating the session only needs my password to log me in and authenticate correctly. One good way to check this is to initiate the ssh, get the prompt for (only) the password, enter the password, in the new session enter the command who (or show user) and see if it does not correctly have your user ID already.

I am surprised and disappointed by the suggestion from Jagdeep. I usually find his responses quite correct and helpful. But in this case when you enter aaa new-model, then login local becomes the default (as you demonstrateed when you attempted to enter the command, that it is not accepted when aaa new-model is in effect).

HTH

Rick

HTH

Rick

poirot1967 · ‎08-04-2009

Thank you for your response. When I am initiating the SSH session, I am doing so from either my laptop or workstation. I have been staring at this trying to "see" where I went wrong, and it know it has to be there. It has to be something so tiny that I am overlooking it.

Thanks

Poirot