After entering aaa new-model, Unable to console in

Iloveyou
Level 1

Can Cisco do something so that, even after aaa new-model is entered, we can still console in?

The console is the last line of defence and should not need authentication.

What can we do to prevent ourselves from being locked out of the console?

10 Replies

@Iloveyou what is the command set you used to configure AAA?

Please rate this and mark as solution/answer if this resolved your issue.
Good luck
KB

M02@rt37
VIP

Hello @Iloveyou 

For con0 you should create a separate authentication profile:

aaa authentication login console local
line con 0
login authentication console

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hello,

As far as I recall, 'login local' needs to be configured on the console line. If you do not have that and you add 'aaa new-model', all lines are locked and you need:

enable
configure terminal
username <username> privilege 15 secret <password>
aaa authentication login default local
line console 0
login authentication default

What does login authentication default mean?

How do I know what is default?

Is "console" a variable we declare by ourselves?

@Iloveyou 

"console" is not a variable that you declare yourself. It is a reserved keyword used to refer to the physical console port of your Cisco device.

When you configure settings related to the console port, such as authentication or line parameters, you use the keyword "console" to specify that you are configuring the characteristics of the console port.

"login authentication default" sets the default method list for users. It specifies the authentication methods that are used when a user tries to access a device.

When the AAA model is configured, use the authentication login command with the local method keyword to specify that the Cisco device will use the local username database for authentication.

http://stevehardie.com/2015/07/cisco-configure-login-using-username-and-password/

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

So what is the default method list for user?

Shanza
Level 1
Level 1

Enable "login local" for emergencies. Remember, with great power comes great responsibility!

Backup Account: Create a secret admin account with local access, just for rainy days. Keep it safe!

Console Server: Get an out-of-band buddy, a dedicated server that lets you in no matter what.

Disable AAA (risky): Only if everything else fails, consider this temporary measure. But remember, great power, great responsibility!

Secure AAA: Make your AAA server strong and reliable. Redundancy and disaster planning are your friends.

What if I don't want to set any login for the console at all?

Hello @Iloveyou 

No auth on con0? It is not recommended.

Command: no login under line con 0.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
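A complete, lockout-safe version of what the two replies above describe (the separate console method list from the first answer, and the "no authentication on the console" variant asked about at the end), written out as one configuration so the order of operations is visible. This is an added example and not text posted by anyone in the thread; the account name admin and the list name CONSOLE are my own choices, and the TACACS+ line assumes the servers have already been defined with tacacs server commands.

```cisco
! Added example (not from the thread). Assumed names: user "admin", method list "CONSOLE".
! Step 1: create the local account BEFORE enabling aaa new-model, so a fallback always exists.
username admin privilege 15 secret <password>
!
! Step 2: enable the AAA model. From this point the line-mode "login" / "login local"
! commands are replaced by "login authentication <list-name>".
aaa new-model
!
! Step 3: a named list for the console. It consults only the local database and never
! depends on a remote server being reachable.
aaa authentication login CONSOLE local
!
! Step 4: the list literally named "default" is what every line uses when it carries no
! "login authentication" command of its own. Remote TACACS+ first, local fallback if all
! configured servers are unreachable (assumes "tacacs server" entries already exist).
aaa authentication login default group tacacs+ local
!
! Step 5: bind the console to its own list explicitly; vty lines can name "default".
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
!
! Variant for "no login on the console at all": redefine the CONSOLE list with the single
! method "none" (this replaces the "local" line above) and keep it bound to line con 0.
! Only sensible where physical access to the console port is itself controlled.
! aaa authentication login CONSOLE none
```

Apply this from a session you keep open, then verify from a second console or vty session before logging out of the first; the local user created in step 1 is what the CONSOLE list falls back on, so creating it after aaa new-model is exactly the ordering that produces the lockout described in the original question.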