01-13-2017 11:43 AM
So I pulled a previously configured 3850 out of storage and upgraded the code... had a heck of a time doing a config delete and vlan.dat delete but finally managed to get it done. I'm going through a switch config for a 3850 that I thought I had used months ago and, after I feel fairly certain the switch was wiped properly, I'm stuck with vty configuration on login local. My confusion stems from the fact that we set aaa new-model for other services but we don't use TACACS or anything else.
Therefore I'm used to doing a username and password then:
line vty 0 15
transport input ssh
login local <-- Fails
What gets me is a sh run on my other 3850s reveals vty passwords but no login local. I'm running 3.6.5 on these guys and after googling it looks like the internet wants me to do the following INSTEAD of login local:
line vty 0 15
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
aaa authorization console
My questions are...
Thanks, and yes I'm kinda new to networking.
01-16-2017 02:49 AM
Hi
1. So when they moved from IOS to IOS-XE software they removed login local; it's just not as secure as AAA, that's it.
2. Are they IOS based switches, not IOS-XE I would say.
3. Well, that's a config choice; that's even less secure than using login local.
There are several ways to implement password security in Cisco: AAA with ACS is the strongest, then AAA on the device itself only, then login local, then just vty password security, the least secure.
IOS-XE is a newer written architecture and is similar to IOS in syntax but works completely differently.
01-16-2017 06:03 AM
1. That makes sense
2. Explains why all of my in-prod switches are 3850s running the same IOS-XE but I see passwords on vty, just no login local.
3. So instead of vty passwords I should be using?:
line vty 0 15
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
aaa authorization console
I've gotta look up what each of those is doing....
01-16-2017 07:28 AM
If you're not using an external ACS for TACACS or RADIUS with AAA, you should set it this way so it's local authentication.
Follow this doc:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/security/configuration_guide/b_sec_3se_3850_cg/b_sec_3se_3850_cg_chapter_0111.html
01-16-2017 08:53 AM
This is helpful... OK so I ran the global configs for vty 0 15 with a password and, more importantly:
aaa authorization exec default local
aaa authorization network default local
but it doesn't prompt for my enable password. It does seem to be checking for a username and password that I've put in... but then I'm placed in enable mode.
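The local-AAA setup recommended in the thread, assembled end to end as an added example; this is not configuration posted by any participant, and the hostname, domain name, usernames and secrets are placeholders. It also shows the behaviour described in the post above: with aaa authorization exec default local, the privilege level stored on the username entry is applied at login, so a privilege 15 user lands straight in privileged EXEC and is never prompted for the enable secret, while a user without privilege 15 gets user EXEC and is checked against the enable secret only when typing enable.

```cisco
! Added example, not from the thread: local AAA on a Catalyst 3850 / IOS-XE
! with no TACACS+ or RADIUS server. All names and secrets are placeholders.
!
! ---- global configuration ----
aaa new-model
!
! Privileged-EXEC secret, consulted by "aaa authentication enable default enable"
enable secret <enable-secret>
!
! Local user database.
! netops: default privilege 1 -> user EXEC at login, "enable" prompts for the enable secret
! admin : privilege 15        -> privileged EXEC at login, no enable prompt at all
username netops secret <netops-secret>
username admin privilege 15 secret <admin-secret>
!
! Authentication: logins against the local users, "enable" against the enable secret
aaa authentication login default local
aaa authentication enable default enable
! Authorization: exec shell and privilege level taken from the local username entry
aaa authorization exec default local
! Apply exec authorization on the console too (off by default)
aaa authorization console
!
! SSH prerequisites (key generation is entered in config mode but is not stored
! in the running-config):
hostname SW-3850-EXAMPLE
ip domain-name example.net
! crypto key generate rsa modulus 2048
ip ssh version 2
!
! ---- VTY lines ----
! With aaa new-model configured, "login local" is not accepted in line mode;
! the line selects an AAA method list with "login authentication" instead.
line vty 0 15
 transport input ssh
 login authentication default
 exec-timeout 10 0
!
! ---- verification (exec mode) ----
! show aaa method-lists authentication
! show aaa method-lists authorization
! show privilege        (after logging in as netops, then as admin)
```

If the username used for testing was created with privilege 15, that alone explains landing in enable mode without a prompt; creating the user without a privilege level restores the enable step.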
01-16-2017 08:56 AM
Could you post exactly how you have it configured, with your username and any other passwords set?