Question about AAA in ENARSI OCG

hfakoor222
Spotlight

There's a question in the study guide:

Your router is configured as follows:
R1# show run | i aaa|username
aaa new-model
username ENARSI password 0 EXAM
R1# show run | s vty
line vty 0 4
 password cisco
 transport input all
R1#

 

Based on the configuration, what will occur when someone uses Telnet to reach the router?
a. Authentication will fail because there is no AAA method list.
b. The user will be required to use the line password cisco.
c. The user will be required to use the username ENARSI with the password EXAM.
d. The user will be granted access either with the username ENARSI with the password EXAM or with the line password cisco.

 

 

I answered b.

 

The answer key points to c. I am confused as I do not see anything in line vty 0 4 which points to AAA authentication. Is this applied by default when aaa new-model is enabled?

 

 

 

 


Accepted Solutions


I added aaa new-model and also a password under line vty.
When I access R1, I use the username/password, not the password added under the vty line.

From the Cisco doc:

All users are authenticated with the Radius server (the first method). If the Radius server does not respond, then the router local database is used (the second method). For local authentication, define the username name and password:

Router(config)#username xxx password yyy

Because the list default in the aaa authentication login command is used, login authentication is automatically applied for all login connections (such as tty, vty, console and aux).

Configure Basic AAA on an Access Server - Cisco

So in the end
it is correct: VTY will use the line password
username ENARSI password 0 EXAM <<- this is called the line password



Hi @hfakoor222 

That's correct.

"Conclusion

When you remove "AAA new-model", the default method will be "login" under line and not “login local”. This behavior is seen on all Cisco IOS versions."

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/authentication-authorization-accounting-aaa/200173-Verify-AAA-behaviour-when-login-local.html

I will check it in the lab.


M02@rt37
VIP

Hello @hfakoor222,

Correct!

The 'aaa new-model' command just activates aaa on your router and nothing more.

Because aaa is activated, the 'login local' command is no longer available on lines (vty/con0).

Because you don't have any more aaa configuration, the default behavior is to use the local account, even if you have password cisco configured on the lines.

 

 

Best regards

hfakoor222
Spotlight

Under line vty 0 4

I had to define

login authentication default
login authentication method1

where I defined method1 as

default local

and so it made local password checking available on vty 0 4 as well as aaa checking

line vty 0 4
 login authentication default
 login authentication method1

Of course I could've defined both aaa and local under the same method and applied it to the line
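
An added example (not part of the thread, and not Cisco code): a small Python check that reads running-config text and reports which login methods each vty line will use, following the behaviour described in the replies above, so a line password that is never consulted shows up in an audit. The sample configs are constructed, VTY-LINE is a hypothetical method-list name, and the parser assumes the one-space indentation that `show running-config` uses for line sub-commands.

```python
import re

def vty_login_methods(config):
    """Return {vty line: (methods tried in order, is the line password consulted?)}."""
    rows = config.splitlines()
    aaa = any(r.strip() == "aaa new-model" for r in rows)
    lists = {}  # 'aaa authentication login <name> <methods...>' -> {name: [methods]}
    for r in rows:
        m = re.match(r"aaa authentication login (\S+) (.+)", r.strip())
        if m:
            lists[m.group(1)] = m.group(2).split()
    blocks, current = {}, None  # sub-commands of each 'line vty' block
    for r in rows:
        if r.startswith("line vty"):
            current = blocks.setdefault(r.strip(), [])
        elif not r.startswith(" "):
            current = None  # any unindented row ends the block
        elif current is not None:
            current.append(r.strip())
    out = {}
    for name, cmds in blocks.items():
        if aaa:
            # With AAA on, a method list decides; 'default' applies unless one is named.
            applied = next((c.split()[2] for c in cmds
                            if c.startswith("login authentication ")), "default")
            if applied in lists:
                methods = lists[applied]
            elif applied == "default":
                methods = ["local"]  # no default list: the behaviour the thread reports
            else:
                methods = ["<undefined list: %s>" % applied]
        elif "no login" in cmds:
            methods = ["none"]
        elif "login local" in cmds:
            methods = ["local"]
        else:
            methods = ["line"]  # plain 'login', the vty default without AAA
        out[name] = (methods, "line" in methods)
    return out

# Constructed samples. VTY-LINE is a hypothetical method-list name.
QUIZ = "aaa new-model\nusername ENARSI password 0 EXAM\nline vty 0 4\n password cisco\n transport input all\n"
NAMED = QUIZ.replace("username", "aaa authentication login VTY-LINE line\nusername") \
            + " login authentication VTY-LINE\n"
NO_AAA = "line vty 0 4\n password cisco\n login\n"

if __name__ == "__main__":
    for label, cfg in (("quiz", QUIZ), ("named list", NAMED), ("no AAA", NO_AAA)):
        print(label, vty_login_methods(cfg))
```

For the quiz configuration the result is `(['local'], False)`: the vty authenticates against the local username database and `password cisco` is never consulted.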

 
