Cisco 2911 Router Guest Login

I am planning on having a contractor in to configure some new routers and would like for him to log in using the local account on the routers while company personnel continue to use RADIUS. Is this possible?

6 Replies

aspindler34
Level 1

You could configure local credentials for console login. I recently did something similar to this; you could add something like this to your AAA and TACACS commands.

conf t
username GUESTCONTRACTER password IAMACONTRACTOR
aaa authentication login CONTRACTOR local   ! creates a named login method list "CONTRACTOR" that uses the local user database
line con 0
 login authentication CONTRACTOR            ! applies the "CONTRACTOR" method list to the console

I assumed that these were new routers and that the contractor would have console access.

cadet alain
VIP Alumni

Hi,

As far as I know it is not possible to have one person use the local database and the others use RADIUS, because there can only be one authentication login method linked to a terminal and the fallback method is only used when RADIUS is not responding. It could be possible to apply different authentication methods to vty lines, but this is not possible for the console.

Regards.

Alain

Don't forget to rate helpful posts.


Paul

I can think of three alternatives which might achieve what you are looking for.

1) Assuming that you currently have something configured that looks a bit like this:

aaa authentication login default group radius line

I would suggest that you configure a user name and password for the contractor on the router and then change your AAA to do something like this:

aaa authentication login default local group radius line

With this change, the router would first attempt to authenticate with the local database (and would allow the contractor), but if the name entered was not found in the local database then the router would attempt to authenticate via RADIUS and would authenticate your staff.

2) You might be able to set aside one of your vty lines for the contractor to use and configure a special named authentication method for it which would authenticate using the local database. The easy way to set aside a vty line is to ensure that your staff uses only one of the access protocols (SSH or telnet) and that the contractor uses the other access protocol. So if your staff is using SSH then you specify that vty 0 3 uses only SSH and vty 4 uses both SSH and telnet.

3) You could allocate console access for use by the contractor. You could then configure a named authentication method that authenticates using the local database and configure that authentication method on the console.

HTH

Rick

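Option 2 written out as an added example (not from any post in this thread): one vty line is reserved for the contractor and bound to a named method list that checks only the local database, while staff stay on RADIUS. The server-group name RadiusServers is taken from the OP's final config; the username, ACL name and address are assumed.

```cisco
! Added example, not part of the thread: Rick's option 2 in config form.
! Assumes "aaa group server radius RadiusServers" is already defined,
! as in the OP's final config. Username, ACL name and host are assumed.
aaa new-model
!
! Contractor account, stored as an irreversible hash ("secret", not "password")
username GUESTCONTRACTOR secret <contractor-password>
!
! Staff: RADIUS first, local only if no RADIUS server answers
aaa authentication login default group RadiusServers local
! Contractor: this list never consults RADIUS
aaa authentication login CONTRACTOR local
!
! Staff lines: SSH only, default (RADIUS) list
line vty 0 3
 transport input ssh
 login authentication default
!
! Contractor line: also accepts telnet, so a telnet session can only land here
line vty 4
 transport input ssh telnet
 login authentication CONTRACTOR
 access-class CONTRACTOR-SRC in
!
! Assumed ACL: only the contractor's workstation may reach the reserved line
ip access-list standard CONTRACTOR-SRC
 permit host 192.0.2.50
```

Because vty 4 also accepts SSH, a staff SSH session that arrives while vty 0 3 are all busy will land on vty 4 and be judged against the local database only, so check `show users` if staff report unexpected login failures. Remove the reserved line and the local account when the engagement ends.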

Hi Richard,

I didn't even think about option 1, I had never thought about using local database before radius.

Good info I learned there.

I had thought about option 2 only, and I discarded option 3 because I thought the OP still wanted RADIUS access for others, and I didn't know about option 1.

Thanks for all your great knowledge.

Regards.

Alain

Don't forget to rate helpful posts.


Alain

Thanks for the compliment.

Yes, it is an interesting question. It reminds me a bit of some of the stuff I went through while preparing for the CCIE, and it caused me to try to think of ways to separate the authentication function so that some would use RADIUS while the contractor used a local user name. Option 2 is interesting in that it allows both the staff and the contractor to access freely without preventing anybody's access. Option 3 also works, but it does mean that during the period when the contractor is allowed in, staff are prevented from console access. They would still have access and authenticate via RADIUS but would need to use the vty ports and not the console. If I were the manager there I might not like this alternative very much. And option 1 is especially nice since it allows both staff and contractor to access via both console and vty with each authenticating in the desired method.

HTH

Rick


Thanks everyone for your input. This is what seems to work:

aaa authentication login default local group RadiusServers
aaa authentication enable default enable
aaa authentication ppp default local
aaa authorization console
aaa authorization exec default local group RadiusServers if-authenticated
aaa authorization network default if-authenticated