Login through console with AAA

Taruka001
Level 1

Hi there,

After going through some topics and trying everything I could find, I am relying on you all to help me further before I lose my mind. ;)

I have an Access Point for R&D and have configured several items for AAA, such as logging in through the telnet interface with your user account from AD, accounting being logged, etc. So far I am happy with it.

But, to have a backdoor into the device I need to be able to log on locally to the device using the console cable in case of an ACS server not being present. And this is not working for me.

I have a local username and password on the device itself, which I can use to log in through the telnet option, and it brings me straight into enable mode. But using this account with the console, it brings me to priv level 1. When typing ENABLE I can specify the password that belongs to this local account, but it is not accepted. Instead I get:

Username: admin

Password:

AP-HOSTNAME>ena

Password:

% Error in authentication.

AP-HOSTNAME>

Pasted below you can find my current config regarding the login methods:

aaa authentication login default local group tac_admin group rad_admin

aaa authentication enable default group tacacs+ enable

aaa authorization exec default local group tac_admin group rad_admin

aaa accounting commands 15 default start-stop group tacacs+

I have tried to change this line

aaa authorization exec default local group tac_admin group rad_admin

into

aaa authorization exec default local group tac_admin group rad_admin if-authenticated

but it had no result...

Anybody any suggestions for me to try out?

4 Replies

paddyxdoyle
Level 6

Hi,

Try the following:

router(config)#aaa authentication login console local

router(config)#line con 0

router(config-line)#login authentication console

Rgds

Paddy

Hi,

Thanks for the answer. My config now looks like this...

aaa authentication login default local group tac_admin group rad_admin

aaa authentication login console local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default local group tac_admin group rad_admin

aaa accounting commands 15 default start-stop group tacacs+

aaa session-id common

dot11 phone

dot11 location isocc

line con 0

login authentication console

line vty 5 15

When I try to log in with the console cable I get the following error message when I switch to ENABLE mode.

User Access Verification

Username: admin

Password:

AP-HOSTNAME>ena

Password:

% Error in authentication.

AP-HOSTNAME>

I am not clear from these posts whether there is an enable password (or enable secret) configured or not. And I am not clear what password you are entering when you attempt to go into enable mode from the console.

I believe the crux of the problem is that aaa is specifying tacacs for authentication of enable. If you do have it working that your telnet session goes directly into privilege mode then I do not think that you need to point at tacacs for enable. I would suggest changing this:

aaa authentication enable default group tacacs+ enable

into

aaa authentication enable default enable

This should allow you to authenticate into privilege mode from the console using the enable password (which should be configured if it is not already configured).

HTH

Rick


Sniff the packets coming into your AAA server. You will notice, when going through the console, AAA is authenticating with a username of 'enable'. So, you need to make an AAA account for user 'enable'. I ran into the same problem when going through the console port.
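To see why the list `group tacacs+ enable` never reaches the local enable password while the server is up (Rick's point), and why a server-side account for the enable request fixes it (the last reply's point), here is a small Python model of how an IOS AAA method list is walked. It is added for illustration and is not code from this thread or from Cisco; it assumes Cisco's documented rule that the next method is consulted only when the current one returns an error (server unreachable, no enable secret configured), never when it explicitly rejects the credentials.

```python
from typing import List, Optional, Tuple

# Added model of IOS AAA method-list evaluation (illustration only, not code
# from the thread or from Cisco). Assumed rule, matching Cisco's documented
# behaviour: the next method in the list is consulted only when the current
# one returns ERROR (cannot be evaluated); an explicit FAIL stops the walk.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def parse_methods(method_list: str) -> List[str]:
    """Split 'group tacacs+ enable' into ['group tacacs+', 'enable']."""
    tokens = method_list.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group":          # 'group <name>' is one method
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def enable_auth(method_list: str, password: str, *,
                enable_secret: Optional[str],
                tacacs_reachable: bool,
                tacacs_enable_password: Optional[str]) -> Tuple[str, List[str]]:
    """Walk an 'aaa authentication enable' list; return (outcome, methods tried).

    enable_secret:          local enable secret (None = not configured)
    tacacs_reachable:       whether the TACACS+ server answers at all
    tacacs_enable_password: password the server accepts for the enable
                            request (None = server rejects it, e.g. no account)
    """
    tried = []
    for method in parse_methods(method_list):
        tried.append(method)
        if method == "enable":
            if enable_secret is None:
                result = ERROR            # nothing to check against: next method
            else:
                result = PASS if password == enable_secret else FAIL
        elif method.startswith("group "):
            if not tacacs_reachable:
                result = ERROR            # server down: fall through
            elif tacacs_enable_password is None:
                result = FAIL             # reachable but rejects: no fallback
            else:
                result = PASS if password == tacacs_enable_password else FAIL
        else:
            raise ValueError(f"unsupported method {method!r} in this model")
        if result != ERROR:
            return result, tried
    return FAIL, tried                    # every method errored: still denied
```

Run `enable_auth("group tacacs+ enable", "<local secret>", enable_secret="<local secret>", tacacs_reachable=True, tacacs_enable_password=None)` to reproduce the original poster's situation: the walk stops at `group tacacs+` with FAIL and the local enable secret is never consulted.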