10-23-2005 03:27 AM - edited 03-03-2019 12:32 AM
Dear all,
I am still new to Cisco switches, and while I was working I found something for the Cisco switch which I am working on.
I have a Cisco 2950 series switch and I am using the console to connect to it.
Now, my manager asked me to provide a Telnet connection to the switch with a password.
I did it and it's working.
He is asking me for something else: he wants to create a user name and password for each user on the Cisco switch which we have, and everyone, when he telnets to the switch, should enter his user name and password and then connect.
My question is, how can I make this work without using (Cisco Secure TACACS)? Is it possible?
If so, can anyone help me to do that?
10-23-2005 07:26 AM
Hello,
you can use local authentication on the switch. Let's say you want user Ahmed with password ramadan to connect to the switch, you would define a local username and password pair on the switch:
Switch#conf t
Switch(config)#username Ahmed password 0 ramadan
Then, under the terminal lines, you would configure 'login local':
Switch#conf t
Switch(config)#line vty 0 4
Switch(config-line)#login local
Now every time somebody telnets into the switch, that person has to enter a valid username and password, which has to be configured on the switch locally as described above...
Does that make sense ?
Regards,
GP
10-23-2005 11:41 PM
Hi;
First, thanks for your reply.
Happy Ramadan to you.
Regarding that, if I have, say, 5 users and all of them will connect to the switch by Telnet, the steps which I have to follow are:
1- Create a password for each telnet line.
2- Create a user name and password for each user.
But why do I have to configure 'login local' as you mention in that step:
=====================================================
Then, under the terminal lines, you would configure 'login local':
Switch#conf t
Switch(config)#line vty 0 4
Switch(config-line)#login local
====================================================
10-24-2005 12:28 AM
As-Salaam Alaikom,
exactly, you need to create a username & password for each user. The 'login local' tells the line to check the local database for authentication, that is, to check the username and passwords you have previously configured...
Does that make sense ? Let me know if you need more help.
Regards,
GP
10-24-2005 02:11 AM
Thanks for your reply.
Actually, I do understand what you mean by that.
But can I know what the difference is between using a user name and password locally and using Cisco Secure TACACS?
Can you also write the commands which I need to enter on the switch to do that?
Thanks for your help.
10-24-2005 02:35 AM
Hello,
for TACACS+ authentication on the VTY lines, configure the following on your switch:
! AAA must be enabled before the other aaa commands are accepted
aaa new-model
! x.x.x.x must also be defined globally as a TACACS+ server (host and shared key)
aaa group server tacacs+ tacgrp
 server x.x.x.x
aaa authentication login default local
aaa authentication login login-auth-list group tacgrp local line
aaa authorization exec login-auth-list group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
line vty 0 4
 ! access-list 11 is referenced here and has to be defined separately
 access-class 11 in
 login authentication login-auth-list
 authorization exec login-auth-list
Is that what you are asking ?
Regards,
GP
10-24-2005 03:33 AM
you can use username
10-24-2005 06:54 AM
Yes, It is totally possible...
Instead of using a TACACS+ (or RADIUS) Server to authenticate the users you can just use the local database to do it....
The only problem is that you need to create all the usernames and passwords on the local database.
If that is OK with you, you can just use the following commands:
----------------------------------------
username USER password PASS
aaa new-model
aaa authentication login default local
----------------------------------------
On the first line you set up a username (USER) and password (PASS) for each user you have. NOTE: Be very careful so you don't get locked out of your switch. First of all, create a username and password for the administrator (you), then you can create all the rest of the users.
On the Second line you tell the Switch/Router that it will take from now on a new database instance. (In this case it is gonna be a local database).
On the third line you tell the Switch/Router that it will authenticate every login attempt with the local database of users (the one that you just created).
How many users are going to be logging on to the Switch??? If you have so many I'm pretty sure that your best option is TACACS+ or RADIUS (NOTE: It can be an OpenSource TACACS+ or RADIUS Server, it doesn't have to be a Cisco Secure ACS Server), but, if you have less than 20 users I guess that the local database is going to be enough.
If you need any other information please do not hesitate to contact me.
See Ya!!!
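The settings discussed across this thread (`username ... password 0`, `login local` on the VTY lines, `aaa new-model`) can be checked offline against a saved copy of the configuration. The Python check below is an added example, not code from any poster or from Cisco; the function name `audit_vty_login`, the finding strings and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample running-config, assembled from the commands in this thread.
SAMPLE_CONFIG = """\
username Ahmed password 0 ramadan
!
line con 0
line vty 0 4
 login local
line vty 5 15
 password example
 login
"""

def audit_vty_login(config):
    """Report how each VTY range authenticates and flag weak settings."""
    users, blocks, findings = [], {}, []
    aaa, current = False, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):            # a top-level command closes a line block
            current = None
        if line == "aaa new-model":
            aaa = True
        elif m := re.match(r"username (\S+) (password|secret)(?: (\d+))? \S", line):
            users.append(m.group(1))
            if m.group(2) == "password" and m.group(3) in (None, "0"):
                findings.append(f"user {m.group(1)}: password stored in cleartext")
        elif re.match(r"line vty (\d+)(?: (\d+))?$", line):
            current = blocks.setdefault(line[9:], [])
        elif current is not None:
            current.append(line)
    modes = {}
    for rng, cmds in blocks.items():
        if aaa or any(c.startswith("login authentication ") for c in cmds):
            modes[rng] = "aaa"                 # method list decides (local or TACACS+)
        elif "login local" in cmds:
            modes[rng] = "local"               # per-user check against 'username' entries
        elif "no login" in cmds:
            modes[rng] = "none"
            findings.append(f"vty {rng}: no authentication")
        else:                                  # plain 'login' is the VTY default
            modes[rng] = "line-password"
            findings.append(f"vty {rng}: shared line password, no per-user login")
    if not users and any(mode in ("local", "aaa") for mode in modes.values()):
        findings.append("no local usernames defined: lockout risk")
    return {"users": users, "vty": modes, "findings": findings}
```

Running `audit_vty_login(SAMPLE_CONFIG)` shows that only VTY 0-4 enforces per-user login, while VTY 5-15 still accepts the shared line password.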