3664 Views, 0 Helpful, 5 Replies

3850's login local

jsherman5156
Level 1

So I pulled a previously configured 3850 out of storage and upgraded the code... had a heck of a time doing a config delete and vlan.dat delete, but finally managed to get it done. I'm going through a switch config for a 3850 that I thought I had used months ago, and after I feel fairly certain the switch was wiped properly, I'm stuck with vty configuration on login local. My confusion stems from the fact that we set aaa new-model for other services, but we don't use TACACS or anything else.

Therefore I'm used to doing a username and password, then:

line vty 0 15
 transport input ssh
 login local    <-- Fails

What gets me is that a sh run on my other 3850s reveals vty passwords but no login local. I'm running 3.6.5 on these guys, and after googling it looks like the internet wants me to do the following INSTEAD of login local:

line vty 0 15
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
aaa authorization console

My questions are...

  1. How does this differ from login local?
  2. Why does login local seem to have worked previously for switches also running aaa new-model, and now not?
  3. Why do my other switches seem to show vty passwords but not login local in the vty configs?

Thanks, and yes, I'm kinda new to networking.

5 Replies

Mark Malone
VIP Alumni

Hi

1. So when they moved from IOS to IOS-XE software they removed login local; it's just not as secure as AAA, that's it.

2. I would say they are IOS-based switches, not IOS-XE.

3. Well, that's a config choice; that's even less secure than using login local.

There are several ways to implement password security in Cisco: AAA with ACS is the strongest, then AAA on the device itself only, then login local, then just vty password security, the least secure.

IOS-XE is a newer written architecture and is similar to IOS in syntax, but works completely differently.

1. That makes sense.

2. Explains why all of my in-prod switches are 3850s running the same IOS-XE, but I see passwords on vty, just no login local.

3. So instead of vty passwords I should be using:

line vty 0 15
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
aaa authorization console

I've gotta look up what each of those is doing....

If you're not using an external ACS for TACACS or RADIUS with AAA, you should set it this way so it's local authentication.

Follow this doc:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/security/configuration_guide/b_sec_3se_3850_cg/b_sec_3se_3850_cg_chapter_0111.html
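The commands quoted in the thread, assembled into one complete local-only AAA configuration for a 3850 on IOS-XE 3.6.x. This is an added example, not configuration from the original posts or from the linked Cisco guide; the hostname, domain name, username and the secrets in angle brackets are placeholders. The point it illustrates: once `aaa new-model` is configured, the line-level `login local` command is no longer accepted, and a line's authentication is selected with `login authentication <list>` instead (the `default` method list applies to every line that has no named list). It also shows why a user can land straight in privileged EXEC without an `enable` prompt: `aaa authorization exec default local` hands out the privilege level stored on the local username, so `privilege 15` on that account skips the enable step.

```cisco
! --- Added example: local-only AAA on a Catalyst 3850 (IOS-XE 3.6.x) ---
! Hostname, domain, username and secrets below are placeholders.
hostname SW-3850-01
ip domain-name example.local
!
! Local account. With exec authorization (below), privilege 15 puts the
! user directly into privileged EXEC; omit "privilege 15" to land in user
! EXEC and be prompted for the enable secret instead.
username netadmin privilege 15 secret <strong-password>
enable secret <enable-password>
!
! Enable the AAA subsystem. After this, the line-level "login local"
! command is no longer available; lines use "login authentication <list>".
aaa new-model
! Authenticate logins against the local username database (no TACACS/RADIUS).
aaa authentication login default local
! Authenticate the "enable" command against the enable secret.
aaa authentication enable default enable
! Grant the EXEC shell, and the privilege level, from the local user entry.
aaa authorization exec default local
! Apply AAA authorization to the console too (not applied there by default).
aaa authorization console
!
! SSH only; the key is generated after hostname and domain name are set.
crypto key generate rsa modulus 2048
ip ssh version 2
!
line con 0
 login authentication default
line vty 0 15
 transport input ssh
 login authentication default
!
! For comparison, the weakest option: a shared line password with no
! username database at all (what a vty "password" without "login local" means).
! line vty 0 15
!  password <vty-password>
!  login
```

After applying this, `show run | section aaa|line vty` should show the `aaa` lines globally and `login authentication default` under the vty lines, with no `login local` anywhere; the `login authentication default` lines are optional because a `default` list is applied automatically, but stating them makes the intent visible in the running config.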

This is helpful... OK, so I ran the global configs for vty 0 15 with a password and, more importantly:

aaa authorization exec default local
aaa authorization network default local

but it doesn't prompt for my enable password. It does seem to be checking for the username and password that I've put in... but then I'm placed in enable mode.

Could you post exactly what way you have it configured, with your username and any other passwords set?
