03-27-2018 06:11 AM - edited 03-08-2019 02:24 PM
So I just want to be sure of the "line enable" at the end of this config. Is it really necessary?
aaa authentication login default group tacacs+ local line enable
Labels: Other Switching
Accepted Solutions
03-27-2018 09:00 AM
The original post asks if specifying 4 authentication methods for authenticating login to the device is necessary. Reza says no, it is not necessary. And in a sense that is correct: 4 methods are not necessary. In some sense all that is necessary is one authentication method. But what if that one method fails? Would we want to have a backup method? Most of us would agree that having a backup method is desirable, if not exactly necessary. Guillaume makes a good point that the configured command is valid and having 3 backup methods provides lots of insurance against failure of the primary method.
HTH
Rick
03-27-2018 06:21 AM
No, not really. With this config, tacacs will authenticate first and if tacacs is not available local authentication will be used.
HTH
03-27-2018 06:32 AM
Hello,
This is a list of authentication methods. The authentication process will go to the next method each time the current method is not working:
- tacacs: tacacs server not responding -> try local
- local: no local database configured (username/password) -> try line
- line: no line password configured -> try enable
- enable: no enable password configured -> then authentication fails
At each step the authentication can be rejected if the server rejects the user or the username/password is bad.
Regards, Guillaume
03-27-2018 12:50 PM
03-27-2018 01:23 PM
As long as tacacs+ is reachable, you can't use the local username and password.
So, say someone turns off the tacacs+ server. At that time, since tacacs+ is not reachable, you log in using the local username and password.
HTH
03-27-2018 01:29 PM
Also, I am testing: a local account, then using the enable secret password, works fine to access the device via the line console, but the same user account creds won't work to access the device via VTY; the password after entering the same username does not work.
Here is my config:
aaa authentication login default group tacacs+ local line enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
03-27-2018 01:37 PM
I have a local username and password, what is the point of adding a password under line vty or even line console as well?
03-28-2018 03:53 AM
Hello Richard,
I found a complex behavior of the local method:
If set like 'local group radius', even if the local database is populated, the authentication will use radius for unknown users; if the local database is not populated, it uses the next method: radius.
If set like 'local enable' and the local database is not populated, the fallback to the enable method is not used, and it's not the behavior I expect, because if I use aaa on my console line and if I remove all users from the local database, I will have to do a password recovery even if I did set the enable password and the enable method.
Then, on my switch, there is no point in setting the enable method after the local one. (Or it's a bug in my IOS version.)
Regards, Guillaume
03-28-2018 06:52 AM
The original poster asks this question:
I have a local username and password, what is the point of adding a password under line vty or even line console as well?
My answer is that it depends on what your opinion is about insurance. My opinion is that insurance is to protect us when unexpected things happen. If you have radius and have the local user as backup, that would protect you if radius is not working. If you are absolutely confident that the local user ID will always be available and will work, then you need no further insurance. If you think that somehow there might be a circumstance where the local user ID is not there or does not work, then it becomes desirable to have a further level of insurance.
Guillaume
You observe that "if set like 'local enable' and the local database is not populated, the fallback to enable method is not used ". I am surprised at that. I would expect that enable should work. I would hope that this might be an anomaly in a particular version of software rather than a general behavior.
HTH
Rick
03-28-2018 07:43 AM
I totally agree.
Just to show a demo (Cisco C3560 - IOS 15.0(2)SE9, reached EOL a long time ago...):
'local enable' and local database not populated
ACCESS1#show running-config | include ( TEST )
aaa authentication login TEST local enable
aaa authorization exec TEST if-authenticated
ACCESS1#show running-config | section vty
line vty 0 4
 exec-timeout 1440 0
 authorization exec TEST
 login authentication TEST
 transport input telnet
line vty 5 15
 exec-timeout 1440 0
 authorization exec TEST
 login authentication TEST
 transport input telnet
ACCESS1#
ACCESS1#show running-config | include username
ACCESS1#
ACCESS1#show running-config | include enable password
enable password enpass
ACCESS1#

DISTRIB1#telnet 10.2.0.3
Trying 10.2.0.3 ... Open

User Access Verification

Username: admin
Password:
% Authentication failed

Username: admin
Password:
% Authentication failed

Username: admin
Password:
% Authentication failed

[Connection to 10.2.0.3 closed by foreign host]
DISTRIB1#telnet 10.2.0.3
Trying 10.2.0.3 ... Open

User Access Verification

Username:
Username:
Username:
[Connection to 10.2.0.3 closed by foreign host]
DISTRIB1#
But if I reverse the method:
'enable local' + enable password not set + local database populated: the fallback method is used, and that's what I expected.
ACCESS1(config)#aaa authentication login TEST enable local
ACCESS1(config)#user
ACCESS1(config)#username admin password admin
ACCESS1(config)#no enable password

DISTRIB1#telnet 10.2.0.3
Trying 10.2.0.3 ... Open

User Access Verification

Username: admin
Password:
ACCESS1>
It would be great to know if this is still the same behavior on recent devices.
Regards, Guillaume
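As an added example (not from the thread, and not Cisco code): a small Python check that parses a running-config excerpt and flags login method lists whose methods have no configured credential store behind them, treating the 'local with no username' case demonstrated above as its own lockout risk. The SAMPLE_CONFIG text, the ISE1 server name and the passwords are constructed for the example.

```python
import re
# Constructed config (not from the thread): list TEST mirrors the 'local enable' demo above.
SAMPLE_CONFIG = """\
aaa authentication login TEST local enable
aaa authentication login default group tacacs+ local line enable
tacacs server ISE1
enable password enpass
line vty 0 4
 login authentication TEST
line vty 5 15
 password linepw
 login authentication default
"""

def parse_config(text):
    """Collect credential stores per AAA login method; 'group tacacs+' is kept as one token."""
    facts = {"usernames": set(), "enable": False, "tacacs": False, "lists": {}, "lines": []}
    current = None
    for line in text.splitlines():
        if not line.startswith(" "):
            current = None  # left a 'line ...' sub-mode
        if line.startswith("username "):
            facts["usernames"].add(line.split()[1])
        elif line.startswith(("enable secret", "enable password")):
            facts["enable"] = True
        elif line.startswith(("tacacs server", "tacacs-server host")):
            facts["tacacs"] = True
        elif m := re.match(r"aaa authentication login (\S+) (.+)", line):
            facts["lists"][m.group(1)] = m.group(2).replace("group ", "group:").split()
        elif line.startswith("line "):
            current = {"name": line, "password": False, "list": "default"}
            facts["lines"].append(current)
        elif current and line.strip().startswith("password "):
            current["password"] = True
        elif current and line.strip().startswith("login authentication "):
            current["list"] = line.split()[-1]
    return facts

def lockout_risks(text):
    """One warning per line whose login method list may lock everyone out."""
    facts, warnings = parse_config(text), []
    for ln in facts["lines"]:
        methods = facts["lists"].get(ln["list"], [])
        backed = {"group:tacacs+": facts["tacacs"], "local": bool(facts["usernames"]),
                  "line": ln["password"], "enable": facts["enable"]}
        if "local" in methods and not facts["usernames"]:  # thread demo: no fall-through on 15.0(2)SE9
            warnings.append(f"{ln['name']}: list {ln['list']} uses 'local' but no username is configured")
        if not any(backed.get(m, False) for m in methods):
            warnings.append(f"{ln['name']}: list {ln['list']} has no method with a configured credential")
    return warnings
```

Running lockout_risks(SAMPLE_CONFIG) reports both vty ranges, because neither list has a username behind its 'local' method; adding a username clears the warnings.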
03-28-2018 07:52 AM
03-28-2018 08:27 AM
That is the behavior I expected, but it fails on my switch.
The password you are asked for depends on the method list:
- 'line' = password configured under the line configuration with 'password ...' command
- 'enable' = password configured with 'enable password ...' or 'enable secret ...' command
Regards, Guillaume
