Configure Local User-Specific Password

towerclear
Level 1

I have a Cisco 3825 running IOS c3825-advsecurityk9-mz.124-22.YB5.bin.

I'm trying to use the 'login local' command for the usernames I have created on the router, for the aux, con and vty lines.

But when I try to configure the line, the command 'login' is available to me, but 'local' is not an available option.

Can anyone tell me whether I should or shouldn't have it available to me?

Thanks

Roger

13 Replies

vragotha
Level 3

Are you using AAA?

It won't let you configure 'login local' on the vty line.

Yes, AAA is in my configuration.

Can the same also be said for the con 0, aux, etc. lines as well, in addition to the vty line, that 'login local' is not available?

So both AAA and 'login local' cannot be used at the same time?

You will need to specify the command through AAA.

Have you tried

aaa authentication login default local

Vijay,

I have read documentation from Cisco and from Google searches regarding the addition of your proposed command. I have not tried it yet.

Currently the aaa section of my router's config has this:

aaa new-model
aaa local authentication attempts max-fail 3
!
!
aaa authentication login default group tacacs+ local enable
aaa authentication login Jay none
aaa authentication login towerclear none
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec local_author none
aaa authorization network default none
!
!
aaa session-id common

Unfortunately my knowledge of aaa is limited and I'm having a hard time getting a grasp of it. I know for sure that my router does not use any tacacs+ or radius, but those commands were put in for some reason. I know that the only access is by the usernames and passwords I have created on the router device itself.

So will adding "aaa authentication login default local" have any impact on the other aaa authentication lines listed in my config? I think the answer is no, if I recall correctly from the reading I've done.

Thanks

Roger

Roger,

If you are not using TACACS, you can remove all the AAA commands and use 'login local' under the vty lines.

If you want to keep the commands, go ahead and use 'aaa authentication login default local'.

Vijay,

Technically I'm not using TACACS, but I think I want to keep that line there.

If I add 'aaa authentication login default local', what will that do? Does it affect all the lines, e.g. con 0, aux, vty, tty? Or do I configure them individually? I have to make sure the tty isn't affected. I have a modem card installed in my router for outside sites to dial in to transmit data.

Thanks

Roger

Roger,

'aaa authentication login default local', and a local username and password configured, will apply to all access to the device. You don't need to configure anything on the lines individually.

Vijay,

Based on your last response, will that affect the tty lines that receive connections requiring a login and password?

Thanks

Roger

It should affect the tty as well.

Vijay,

Thanks, that's what I was afraid of. Then I cannot put it in.

Roger

I'd simply backup the AAA configurations and remove them for now. Use them later if you need.

Vijay,

The whole reason for the post was a vulnerability finding for the local login. The remediation simply states that I need to enter this command for the line(s) con 0, vty, etc.:

hostname(config-line)# password LINE_PASSWORD

When I do "password ?" at the prompt, the options are:

0, unencrypted

7, hidden

LINE, unencrypted

Is there something I'm missing where the password can be encrypted?

thanks

Roger

If we can get a clear understanding of what your requirements are I believe that there are options for configuration that can accomplish them. If you want your vty and console to authenticate differently from what the tty uses for authentication this is quite possible (and I have done it for a customer). You configure one (perhaps tty) to use the default authentication method, and then you configure a different authentication method and configure vty and console to use that method.

Yes there is an option to get the passwords for vty and console to be encrypted. Use service password-encryption (in global configuration mode) and the passwords will be encrypted.

HTH

Rick

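The split Rick describes, with the dial-in tty ports left on the existing default method list and con/aux/vty moved to a local-only named list, written out as an added example against the AAA section Roger posted. This is not configuration from the thread; the list name MGMT and the username/passphrase are assumptions. Two points a practitioner would check in the posted config while making this change: the named lists Jay and towerclear use the method 'none', so any line that is ever pointed at them authenticates nobody at all; and 'service password-encryption' only turns 'password' strings into type 7 form, which is a reversible obfuscation rather than a hash, so the local account itself should be stored with 'username ... secret' (a salted MD5 hash, type 5) rather than 'username ... password'.

```cisco
! Added example, not from the thread: local-only login on the management
! lines, leaving the default list (and therefore the dial-in ttys) untouched.
aaa new-model
!
! Existing default list from the posted config, unchanged. It still applies to
! every line that has no explicit "login authentication" statement, i.e. the ttys.
aaa authentication login default group tacacs+ local enable
!
! New named list (name MGMT is an assumption) that consults only the local database.
aaa authentication login MGMT local
!
! Local account stored as a type 5 hash, not a type 7 string.
! Username and passphrase are placeholders.
username roger secret Use-A-Long-Passphrase-Here
!
! Apply the named list only to the management lines.
line con 0
 login authentication MGMT
line aux 0
 login authentication MGMT
line vty 0 4
 login authentication MGMT
!
! Obfuscates any remaining "password" statements on lines (e.g. the
! LINE_PASSWORD from the remediation text) as type 7. Not a hash.
service password-encryption
```

Apply this from a session you keep open, then confirm from a second connection before logging out: 'show running-config | include aaa authentication|login authentication' should show the default list unchanged and MGMT on con, aux and vty only. The posted 'aaa local authentication attempts max-fail 3' still applies to the local account, so three wrong passwords during testing will lock it; 'clear aaa local user lockout username roger' releases it.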