Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
28343
Views
0
Helpful
8
Replies

AAA issue - Line Con 0 = login authentication (password)

Go to solution
david.mitchell
Level 1
Level 1

‎01-17-2013 04:51 AM - edited ‎03-10-2019 07:59 PM

Good afternoon all,

Nice easy one for someone I'm sure.....I have only remote access to network kit and therefore cannot test Console access. 

I have a switch with the following config (Extract)

!

Username Admin password Password123

!

aaa new-model

aaa login authentication default group tacacs+ local

!

line con 0

login authentication cisco (Where cisco is representative of a password)

NOTE: I don't have username Admin password cisco within global config

My question is: With this current config will the Console access stop using the default tacacs config for authentication and only allow access to the console line if the password cisco is specified? In which case as the password is not defined in global, access would be denied?

I have seen it before where you have the exact same set up but instead of referring to a password value on the console line you specify a name-list.  For example, login authentication CONSOLE_USERS local, which would make sense, as you would be referring them to a group on the Tacacs Server named CONSOLE_USERS and only those users defined within that group could gain access via the console whilst the ACS server is running!

Any assistnace appreciated as I really wantto get my head around ACS unconditionally

Many thanks in advance

David

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Michal Garcarz
Cisco Employee
Cisco Employee
In response to david.mitchell

‎01-18-2013 04:21 AM

Yes David, you can safetly remove that "login authentication cisco" from line con 0.

Regarding tacacs server have a look at:

http://www.shrubbery.net/tac_plus/

Regarding radius server i recommend freeradius for such testing.

(it has much fever capabilities then cisco ACS but it can allow you for easy testing of basic functions)

---

Michal

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Michal Garcarz
Cisco Employee
Cisco Employee

‎01-18-2013 01:27 AM

Hi David,

I have tried to understand your problem, but it's a bit confusing.

You have defined:

line con 0

login authentication cisco     #cisco is list-name

According to command reference for 15.3:  http://www.cisco.com/en/US/partner/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID-297BDF33-4841-441C-83F3-4DA51C3C7284

"cisco" was the list name. What is the configuration of that list-name ?

(you put only default list-name from your configuration).

If you want to use line defined password you could do:

aaa authentication login line-list line

line con 0

password cisco

login authentication line-list

Regarding question about locally defined password. If you use list which uses "local" method and there is no specific local user - then your access will be always denied.

If you use list with "tacacs" and then "local" methods - then only when tacacs server is not responsive local username will be queried. But if tacacs server return "authentication failure/bad password" your access will be denied and "local" username will not be checked. This is a bit different then in linux/juniper configuration which will query next authentication method in case of password failure of previous method.

Please also remember that default AAA list is always overriden by specific list configured under line con 0.

---

Michal

0 Helpful

Go to solution
david.mitchell
Level 1
Level 1
In response to Michal Garcarz

‎01-18-2013 02:24 AM

Good Morning Michal and thanks for the reply,

Unfortunately I don't have the required access rights to view the hyperlink you have attached:(

However I know what you are saying and that is my confusion also.

If I was configuring this using the Line Con 0 command "cisco" would be a list-name and the list-name would be defined in global as aaa login authentication cisco tacacs+ local and then the cisco group would be defined on the tacacs+ server with members etc right?

The problem I have is that someone has configured login authentication cisco under Line Console 0 and the word cisco (actually takes the form of our password that we use to commision our switches prior to replacing the commision password with a proper username and password combo in global.

The commision password cisco no longer exists in the global config but it is on the line console 0.  There is no cisco name-list on the tacacs+ server or within global on the switch

I hope that clarifies the position

I guess what I am looking at on line con 0 is invalid config that is actually referring to nothing!  Which leads me on to ask: Would leaving this config in place on the console line prevent tacacs+ authentication/access to the console?

Thanks

David

0 Helpful

Go to solution
Michal Garcarz
Cisco Employee
Cisco Employee
In response to david.mitchell

‎01-18-2013 02:53 AM

Hi David,

1. right, "aaa login authentication cisco tacacs+ local" under console would try to connect with specified tacacs server for user authentication accessing console. If tacacs communication fails it will try local usernames.

2. I have made a lab, created aaa list, binded it under line con 0 - and then removed that aaa list from global config.

But "line con 0" was still referencing that non existing aaa list. And result: that list was not simple applied. I accessed router without authentication.

If you still have doubts I can clarify them but please send me result of:

sh run | s line

sh run | i aaa

--

Michal

0 Helpful

Go to solution
david.mitchell
Level 1
Level 1
In response to Michal Garcarz

‎01-18-2013 03:28 AM

Thanks Michal,

I think the lab would need to include aaa authentication default group tacacs+ local as well in order to see if the console authentication uses that as a fallback to the failed line console command.

Outputs as requested:

line con 0

     exec-timeout 15 0

     priviledge level 0

     logging syncronous

     login authentication cisco

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

Cheers

David

0 Helpful

Go to solution
Michal Garcarz
Cisco Employee
Cisco Employee
In response to david.mitchell

‎01-18-2013 03:41 AM

Hi David,

You are 100% right.

Tested that.

In this scenario default AAA list is being used.

But's it's not good to rely on such config, that behavior might change - it's best to have applied AAA list which is in the config

---

Michal

0 Helpful

Go to solution
david.mitchell
Level 1
Level 1
In response to Michal Garcarz

‎01-18-2013 04:12 AM

Thanks Michal,

So even with the login authentication cisco on the line console the aaa authentication still refers login attempts to the default list.  Thats what I was hoping for as it proves that the current config on line con 0 login authentication cisco has no effect on login attempts, but should be removed all the same!

Agreed that list-names should be used over default group

Thanks for you assistance with this, one last question if you don't mind: Where I work I can't lab anything up,but I can at home.  Do you know where I could get a copy of Cisco TACACS 4.x for non-commercial use/lab use only as it would make tshooting aaa a whole lot easier for me.

0 Helpful

Go to solution
Michal Garcarz
Cisco Employee
Cisco Employee
In response to david.mitchell

‎01-18-2013 04:21 AM

Yes David, you can safetly remove that "login authentication cisco" from line con 0.

Regarding tacacs server have a look at:

http://www.shrubbery.net/tac_plus/

Regarding radius server i recommend freeradius for such testing.

(it has much fever capabilities then cisco ACS but it can allow you for easy testing of basic functions)

---

Michal

0 Helpful

Go to solution
Petr Stepanov
Level 1
Level 1

‎07-20-2021 01:46 PM

You can use this commands ;

aaa authentication login default local
aaa authorization exec default local

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents