How to define Login Local for Console 0?

Hi friends,
I configured the commands below to set up AAA authentication with Microsoft Active Directory 2008 (Cisco devices integrated with Microsoft AD for telnet and SSH; both can log in to the console by AD and local username),
but when I unplugged the Cisco devices (routers and switches) from the network
I couldn't log in to the console.
It's better to say I don't know how to log in to the console line whenever I'm not connected to AD for authentication.

aaa new-model
aaa group server radius ABCD
server-private 10.10.10.10 auth-port 1645 acct-port 1646 key KEYPASS (where 10.10.10.10 is the AD IP and KEYPASS is my shared key)

aaa authentication login default group ABCD
aaa authorization exec default group ABCD

!
line vty 0 4
login authentication default
transport input telnet ssh

!
line console 0
????????????????
I only typed: login authentication default


So I want that any time I'm not connected to my AD or the network and have physical access to the switches or router,
I can connect to the console port and log into the console without looking up Active Directory users.

So could you please help me with which command I should type to do that?

Thanks a lot


Hi,

For the console you need to create a separate authentication profile or modify the existing one.

aaa authentication login default group ABCD local 

(OR)

aaa authentication login console local

line con 0

login authentication console

Thanks & Best regards


Lots of thanks, dear.

Sorry, I have only 2 other questions, please answer me.

1- If I create a separate authentication as you said above, can I connect to the console

both when the network cable is plugged in and whenever I have physical access to it without any network (I mean the switch is not connected to the network or to my Active Directory for authentication)?

???????

-------------------------

2- What is the meaning of %backup authentication

and how should I solve it?

Whenever I telnet to this switch (the one I explained to you) from anywhere via Windows CMD

I get this error: %backup Authentication

Unfortunately I have multiple vty lines;

I do the task below for all of them:

e.g.: line vty 0 3

no login

no transport input

-----

line vty 4

no login

no tran input

--------

and just type:

line vty 0 4 AND line vty 5 15

login authentication default

transport input telnet 

but again I have that problem.

What should I do?

Really, thanks <3

:)


Hi;

Please find below the answers to your queries:

1. If you create a separate profile for the console as I mentioned in the email, then in all cases, whether your switch is on the network or off the network, console access always uses the local password.

aaa authentication login console local

line con 0

 login authentication console

2. You should always use a backup authentication server; in case of failure of AD/TACACS, the user will be authenticated with the backup authentication server (either local, enable, etc.).

For e.g.: aaa authentication login default group ABCD local

Where ABCD is your AD server (primary authentication server)

while local is your backup authentication server.

This is because you are using the default profile, which is automatically applied to the switch lines (vty/con/aux ports).

It's always recommended to use separate profiles (console authentication to local and AD/TACACS authentication for telnet/SSH) instead of using the default profile.

Normally companies use Telnet/SSH for switch management/any configuration change. The console is only used in case of some troubleshooting (i.e. hardware failure, the switch is out of network authentication, or you can't manage the switch remotely, etc.). If you put authentication as follows:

AD/TACACS only - then you can't access the switch.

Primary AD/TACACS & secondary local – the switch first tries to authenticate with AD/TACACS and in case of failure it authenticates locally.

And if you are also using authorization at the same time, then each of the user's commands needs to be authorized from AD/TACACS and then locally, and as a result in case of failure you feel slowness and it takes a lot of time.

 

Thanks & Best regards;


WooooooW

Lots of thanks, engineer, really the best info for me and surely for others.

Best regards

Thanks a lot


Hello

If you are using the default AAA group for authentication/authorization then, as stated, this will apply to your console login also.

However this can be negated entirely if need be, EVEN when your AD is available, and changed to either having no access, using the local user database, or even a special keyboard character (IOS version applicable).

No access creds required even when AD server available
aaa authentication login NOAUTH none
aaa authorization exec NOAUTH none
aaa authorization console

line console 0
privilege level 15
login authentication NOAUTH 
authorization exec NOAUTH


Local access creds required even when AD server available
aaa authentication login L_AUTH local
aaa authorization exec L_AUTH local if-authenticated
aaa authorization console


username stan privilege 15 secret stan
line console 0
login authentication L_AUTH
authorization exec L_AUTH



Local access via a keyboard character "@"

aaa authentication login NOAUTH none
aaa authorization exec NOAUTH none
aaa authorization console

line console 0
privilege level 15
authorization exec NOAUTH
login authentication NOAUTH
activation-character 64

res
Paul



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
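As an added defender-side example (not code from this thread or from Cisco), the Python script below audits a running-config for the lockout the original poster hit: it reads the console line's login method list and reports whether the console still works when the RADIUS group (ABCD in the thread) is unreachable, flagging `none` separately as no-credentials access. It assumes `show running-config` output with IOS's one-space indentation of line sub-commands; the sample configs are constructed.

```python
import re

# Added example, not from the thread. Assumes 'show running-config' text with
# line sub-commands indented by one space, as IOS prints them.
OFFLINE_METHODS = {"local", "local-case", "enable", "line", "none"}  # work with AAA servers down

def parse_config(config):
    """Return (login_lists, line_sections) from an IOS running-config."""
    lists, sections, current = {}, {}, None
    for raw in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)$", raw)
        if m:
            lists[m.group(1)] = m.group(2).split()
        m = re.match(r"line ((?:con|console|aux|vty)(?: \d+)+)$", raw)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and raw.startswith(" "):
            sections[current].append(raw.strip())  # sub-command of the open stanza
        else:
            current = None  # '!' or any other top-level command closes the stanza
    return lists, sections

def console_status(config):
    """Classify console access with AAA servers unreachable: ok/lockout/open/unknown."""
    lists, sections = parse_config(config)
    cmds = next((c for n, c in sections.items() if n.startswith("con")), [])
    # A console line with no 'login authentication' command uses the default list.
    name = next((c.split()[2] for c in cmds if c.startswith("login authentication ")), "default")
    methods = lists.get(name)
    if methods is None:
        return "unknown", f"no 'aaa authentication login {name}' list configured"
    if "none" in methods:
        return "open", f"list {name} contains 'none': no credentials required"
    fallback = OFFLINE_METHODS & set(methods)
    if fallback:
        return "ok", f"list {name} includes {sorted(fallback)}, usable with AAA servers down"
    return "lockout", f"list {name} = {' '.join(methods)}: server groups only, console unusable offline"

# Constructed config resembling the original post (console uses the default list).
OP_CONFIG = """\
aaa new-model
aaa authentication login default group ABCD
!
line con 0
 login authentication default
!
"""
# Same config with the separate console list the replies recommend.
FIXED_CONFIG = OP_CONFIG.replace("!\nline con 0\n login authentication default",
    "aaa authentication login CONSOLE local\n!\nline con 0\n login authentication CONSOLE")
```

Run it against a saved `show running-config` file with `console_status(open(path).read())` to get the verdict and its reason.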