Solved: AAA and vty questions

dbuckley77 · ‎05-18-2015

Can someone please explain what each of the following commands does?

aaa new-model
aaa authentication login default group radius local
aaa authentication login CONSOLE local
aaa authorization exec default if-authenticated

Also what relation does the commands below have to the commands above with regard to the console access? I have seen the line console command using local credentials when configured above with the commands below and also when configured above with the commands below minus the "login authentication console" command. What does that line do?

line con 0
login authentication CONSOLE

One more thing.

Is there any reason a switch/router would have an entry for line vty 0 4 and also a separate entry for line vty 5 15?

Thanks

David Johan Castro Fernandez · ‎05-18-2015

Hi,

Let me explain you, each line:

- aaa new-model --> Basically it enables AAA on the router(Authentication, Authorization and Accounting)

- aaa authentication login default group radius local - This is the default Authentication line, which it does not need to be applied, it works by default, it uses Radius as the AAA server if this fails it will fa;ll back to the Local database.

- aaa authentication login CONSOLE local - This is the line applied for console access to the device, it will use the local database, it needs to be applied to function

- aaa authorization exec default if-authenticated - This line is for authorization purposes which is applied as the default one.

-line con 0
login authentication CONSOLE

This means that the AAA line called "CONSOLE" will be applied to this router if you want to access it through console cable, and it will use Local database.

The router separates the Line VTY so you can assign different type of AAA lines for authentication, authorization and Accounting also define if you want to use SSH or telnet, also can be seen as a security measure.

Hope this helps!

Please proceed to rate and mark as correct the helpful Post!

David Castro,

Regards

View solution in original post

David Johan Castro Fernandez · ‎05-18-2015

Indeed, it will use Local authentication as default, therefore if you see:

line con 0

or:

line con 0
login authentication CONSOLE

It will do the same in both situations.

Hope this helps!

Please proceed to rate and mark as correct the helpful Post!

David Castro,

Regards

View solution in original post

David Johan Castro Fernandez · ‎05-18-2015

Hi,

Let me explain you, each line:

- aaa new-model --> Basically it enables AAA on the router(Authentication, Authorization and Accounting)

- aaa authentication login default group radius local - This is the default Authentication line, which it does not need to be applied, it works by default, it uses Radius as the AAA server if this fails it will fa;ll back to the Local database.

- aaa authentication login CONSOLE local - This is the line applied for console access to the device, it will use the local database, it needs to be applied to function

- aaa authorization exec default if-authenticated - This line is for authorization purposes which is applied as the default one.

-line con 0
login authentication CONSOLE

This means that the AAA line called "CONSOLE" will be applied to this router if you want to access it through console cable, and it will use Local database.

The router separates the Line VTY so you can assign different type of AAA lines for authentication, authorization and Accounting also define if you want to use SSH or telnet, also can be seen as a security measure.

Hope this helps!

Please proceed to rate and mark as correct the helpful Post!

David Castro,

Regards

dbuckley77 · ‎05-18-2015

Thanks David. That helps very much.

One more question though.

I have seen the console configured at the end of the config as both:

line con 0

and:

line con 0
login authentication CONSOLE

line con 0

login authentication Console

So what would be the difference between these two? It's been my experience that both configs allow me to login via console using the local credentials.

David Johan Castro Fernandez · ‎05-18-2015

Indeed, it will use Local authentication as default, therefore if you see:

line con 0

or:

line con 0
login authentication CONSOLE

It will do the same in both situations.

Hope this helps!

Please proceed to rate and mark as correct the helpful Post!

David Castro,

Regards

dbuckley77 · ‎05-18-2015

Yes. Thanks for the help