aaa authorization commands levels

raghavendran.r
Level 1

I was replacing a faulty device and faced the issue below.

 

Before putting the device into production, I configured it via the console:

 

 

1. configured: enable secret 5 <string>

2. configured: username <> secret 5 <string>

3. router# line console
   router# login local

 

Then I configured aaa new-model. After pasting all the aaa command lines, I couldn't execute anything; even show commands were not working.

 

Can someone help me understand what went wrong? I configured login local for the console before configuring aaa; could that be the issue?

Accepted Solution

I do not understand your response about what string you used. But if you were able to log out and then log in again using that ID then it indicates that the string was correct.

 

I am not sure why you got locked out from executing any commands. My guess is that it has something to do with the group cisco parameter in your commands. Ordinarily I would think that the parameter if-authenticated would prevent the lockout. But for some reason it did not. When you got locked out, did you try to log out and then log back in? Perhaps it needed a new authentication after the configuration was done.

 

Getting locked out is one of the things to be cautious about when configuring aaa. I have a few observations about that:

1) First is to not copy run start until you have thoroughly tested the config changes. As you demonstrated a simple reboot/power cycle is the easy way to recover from a problem if the changes have not been saved.

2) When configuring aaa I frequently use the capability to schedule a reload using the command reload in X (guess at how long it will take to make the changes and add a little margin). With the scheduled reload, if your changes do lock you out then the scheduled reload will reboot and discard the changes. If the changes do not cause any problem then you simply cancel the scheduled reload. This is especially useful if you are configuring a device that is not local.

3) I would suggest not turning on authorization for the console until your changes are made and tested. By default aaa authorization works on vty connections (telnet or SSH) but not on console. So you can make changes, then test them using telnet or SSH, and if there is a problem then the console session should still work and allow you to fix the problem without requiring a reload/reboot.

aaa authorization console

Once the authorization commands have been tested then you can enable authorization for the console.

 

HTH

 

Rick


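The rollout order Rick's three points describe, written out as an added console walkthrough (this is not from the original thread). It assumes an AAA server group named cisco, as in the poster's config, and that a local username already exists; the 15-minute timer is illustrative.

```cisco
! Added example, not from the thread. Assumes server group "cisco" exists
! and a local username is already configured.

! 1) Do NOT save yet. Arm the safety net first: if the paste locks this
!    session out, the box reboots to the last saved (pre-AAA) startup-config.
router# reload in 15

! 2) Apply AAA with "local" (or if-authenticated) as the last method on
!    every list, and keep console authorization OFF so this console session
!    is not subject to the new authorization lists.
router# configure terminal
router(config)# aaa new-model
router(config)# aaa authentication login default group cisco local
router(config)# aaa authentication enable default group cisco enable
router(config)# aaa authorization exec default group cisco if-authenticated
router(config)# aaa authorization commands 15 default group cisco if-authenticated
router(config)# no aaa authorization console
router(config)# end

! 3) Test from a SEPARATE telnet/SSH (vty) session, not from this console:
!    authorization applies to vty lines by default, so the new method lists
!    are exercised there while the console stays available as a recovery path.
!    Confirm the second session is logged in and can run exec/config commands.
router# show users
router# show running-config | section aaa

! 4) Only after the vty login, exec and command authorization are confirmed:
router# reload cancel
router# configure terminal
router(config)# aaa authorization console
router(config)# end
router# copy running-config startup-config
```

If the vty test fails, leave the reload armed and fix or remove the aaa lines from the console session; nothing is lost because the running config was never saved.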

9 Replies

Seb Rupik
VIP Alumni

Hi there,

Among the aaa commands that you pasted in, was one of them an aaa authorization ... default xxx?

If you changed that to anything but local, then you would have immediately affected the vty line you were logged in on.

I always have these in the aaa commands I paste in:

!
aaa authentication login default local
aaa authorization exec default local
aaa authorization commands 15 default local
!

cheers,

Seb.

 

Hi Rupik,

 

Thanks for responding

 

aaa authentication login default group  cisco local

aaa authentication enable default group cisco enable

aaa authorization console

aaa authorization config-commands

aaa authorization exec default group cisco if-authenticated

aaa authorization commands 0 default group cisco if-authenticated

aaa authorization commands 1 default group cisco if-authenticated

aaa authorization commands 15 default group cisco if-authenticated

aaa accounting update newinfo periodic 15

aaa accounting exec default start-stop group cisco

aaa accounting commands 15 default start-stop group cisco

aaa accounting system default start-stop group cisco

 

I pasted the above lines, and I was on the console, because the router is not in production.

The original post emphasizes that login local was configured. Once you have entered aaa new-model, that overrides login local. If you are configuring aaa authentication to use local resources then it winds up with the same effect, but login local is no longer controlling the login process.

 

You indicate that you have done these

1. configured: enable secret 5 <string>

2. configured: username <> secret 5 <string>

Was the string that you used the encrypted value of the password, or was the string that you used the clear-text password?

 

HTH

 

Rick

 


Hi,

I have used string



Hi Burt,


Thank you very much for your time and detailed explanation.

It's really useful. I will follow the same whenever I do aaa configuration for prod devices.

You are welcome. I am glad that my explanations were helpful. Thank you for marking this question as solved. This will help other readers in the forum to identify discussions which have helpful information.

 

I hope to see you continue to be active in the forum.

 

HTH

 

Rick


Hi Richard,

As mentioned in the original post, I had configured login local on the console line. Then I came out of the device to check console access with the username and password; it prompted for them and I logged in. In that console session I was configuring aaa. After some aaa config lines, the device was not accepting any command line, so I restarted the router. Note: I didn't write anything to startup, which made it easy to clean up the aaa.

What is the correct way to apply aaa on a device without locking ourselves out?

Thanks in advance