03-27-2018 06:11 AM - edited 03-08-2019 02:24 PM
So I just want to be sure of the "line enable" at the end of this config. Is it really necessary?
aaa authentication login default group tacacs+ local line enable
03-27-2018 09:00 AM
The original post asks if specifying 4 authentication methods for authenticating login to the device is necessary. Reza says no, it is not necessary. And in a sense that is correct: 4 methods are not necessary. In some sense all that is necessary is one authentication method. But what if that one method fails? Would we want to have a backup method? Most of us would agree that having a backup method is desirable, if not exactly necessary. Guillaume makes a good point that the configured command is valid and that having 3 backup methods provides lots of insurance against failure of the primary method.
HTH
Rick
03-27-2018 06:21 AM
No, not really. With this config, TACACS+ will authenticate first, and if TACACS+ is not available, local authentication will be used.
HTH
03-27-2018 06:32 AM
Hello,
This is a list of authentication methods. The authentication process will go to the next method each time a method is not working.
At each step the authentication can be rejected if the server rejects the user or the username/password is bad.
Regards, Guillaume
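To make the method-list behaviour described above concrete, here is an added IOS configuration example; it is not taken from any post in this thread, and the server name, group name, address and password placeholders are assumptions. It keeps the four-method list from the original post on the vty lines, gives the console its own list that never waits on a TACACS+ server, and, because the `local`, `line` and `enable` methods each check a different credential, makes sure each of those credentials actually exists.

```cisco
! Added example, not from the thread. Names and addresses are placeholders.
aaa new-model
!
! TACACS+ server definition (address and key are assumed values).
tacacs server TAC-1
 address ipv4 192.0.2.10
 key PlaceholderSharedKey
!
aaa group server tacacs+ TAC-SERVERS
 server name TAC-1
!
! Default login list, same chain as the original post.
! IOS only moves to the next method when the current one returns ERROR
! (for example, no TACACS+ server reachable). A FAIL (server reachable,
! wrong username/password) ends the attempt and does not fall through.
aaa authentication login default group TAC-SERVERS local line enable
!
! Console list: never depends on TACACS+ reachability.
aaa authentication login CONSOLE local enable
!
! Each method in the lists above needs a credential to check against:
!   local  -> a configured username
!   enable -> the enable secret
!   line   -> the password under the line
username admin privilege 15 secret PlaceholderAdminPassword
enable secret PlaceholderEnableSecret
!
line con 0
 login authentication CONSOLE
!
line vty 0 4
 password PlaceholderLinePassword
 login authentication default
 transport input ssh
```

Before relying on the fallback, confirm the primary method from the device itself with `test aaa group TAC-SERVERS admin <password> legacy` and `show aaa servers`; `debug aaa authentication` on a lab box shows which method in the list accepted or rejected a given login.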
03-27-2018 01:23 PM
As long as TACACS+ is reachable, you can't use the local username and password.
So, say someone turns off the TACACS+ server. At that time, since TACACS+ is not reachable, you log in using the local username and password.
HTH
03-28-2018 03:53 AM
Hello Richard,
I found a complex behavior of the local method:
If set like 'local group radius', even if the local database is populated, the authentication will use RADIUS for unknown users; if the local database is not populated, it uses the next method: RADIUS.
If set like 'local enable' and the local database is not populated, the fallback to the enable method is not used, and that is not the behavior I expect, because if I use AAA on my console line and remove all users from the local database, I will have to do a password recovery even though I did set the enable password and the enable method.
So, on my switch, there is no point in setting the enable method after the local one. (Or it's a bug in my IOS version.)
Regards, Guillaume
03-28-2018 06:52 AM
The original poster asks this question:
I have a local username and password, what is the point of adding a password under line vty or even line console as well?
My answer is that it depends on your opinion about insurance. My opinion is that insurance is there to protect us when unexpected things happen. If you have RADIUS and have the local user as backup, that would protect you if RADIUS is not working. If you are absolutely confident that the local user ID will always be available and will work, then you need no further insurance. If you think that somehow there might be a circumstance where the local user ID is not there or does not work, then it becomes desirable to have a further level of insurance.
Guillaume
You observe that "if set like 'local enable' and the local database is not populated, the fallback to the enable method is not used". I am surprised at that. I would expect that enable should work. I would hope that this might be an anomaly in a particular version of software rather than a general behavior.
HTH
Rick
03-28-2018 07:43 AM
I totally agree.
Just to show a demo (Cisco C3560, IOS 15.0(2)SE9, which reached EOL a long time ago...):
'local enable' and local database not populated:
ACCESS1#show running-config | include ( TEST )
aaa authentication login TEST local enable
aaa authorization exec TEST if-authenticated
ACCESS1#show running-config | section vty
line vty 0 4
 exec-timeout 1440 0
 authorization exec TEST
 login authentication TEST
 transport input telnet
line vty 5 15
 exec-timeout 1440 0
 authorization exec TEST
 login authentication TEST
 transport input telnet
ACCESS1#
ACCESS1#show running-config | include username
ACCESS1#
ACCESS1#show running-config | include enable password
enable password enpass
ACCESS1#

DISTRIB1#telnet 10.2.0.3
Trying 10.2.0.3 ... Open

User Access Verification

Username: admin
Password:
% Authentication failed

Username: admin
Password:
% Authentication failed

Username: admin
Password:
% Authentication failed

[Connection to 10.2.0.3 closed by foreign host]
DISTRIB1#telnet 10.2.0.3
Trying 10.2.0.3 ... Open

User Access Verification

Username:
Username:
Username:
[Connection to 10.2.0.3 closed by foreign host]
DISTRIB1#
But if I reverse the methods:
'enable local' + enable password not set + local database populated: the fallback method is used, and that is what I expected.
ACCESS1(config)#aaa authentication login TEST enable local
ACCESS1(config)#user
ACCESS1(config)#username admin password admin
ACCESS1(config)#no enable password

DISTRIB1#telnet 10.2.0.3
Trying 10.2.0.3 ... Open

User Access Verification

Username: admin
Password:
ACCESS1>
It would be great to know if this is still the same behavior on recent devices.
Regards, Guillaume
03-28-2018 08:27 AM
That is the behavior I expected, but it fails on my switch.
The password you are asked for depends on the method list:
Regards, Guillaume