7.1 & 7.2 - AAA

Hi,

I am just wondering if lines:

aaa authentication exec default if-authenticated

aaa authentication login NO_AUTH none

line con 0

 login authentication NO_AUTH

in task 7.1 are really needed.

authentication exec is not needed because we have "privilege level 15" on line con 0 in initial configs,

NO_AUTH does nothing - with/without this command on my router I have instead priv15 access on console line.

Also I think that in task 7.2 the command "aaa authentication login default local" is not needed. It breaks console authentication (the task states that only telnet users should be affected) and it should be replaced by "no aaa authentication login default line" - to just remove the authentication scheme needed by 7.1 (the tasks are dependent). Also nobody said that we can create an additional user on this.

In my configuration:

Rack1R6#sh run | i aaa
aaa new-model
aaa authentication attempts login 1
aaa authentication fail-message ^CAuthentication failed. Username or password was Incorrect.^C
aaa authentication password-prompt "Passcode: "
aaa authentication username-prompt "Login Name:"

I can log in/out console without any credentials:

Rack1R6#exit
Rack1R6 con0 is now available
Press RETURN to get started.
Rack1R6#

Rack1R6#

Rack1R6#

and when I use telnet everything is as it should be:

Rack1R5#150.1.6.6
Trying 150.1.6.6 ... Open


User Access Verification

Login Name:aaa
Passcode:
Authentication failed. Username or password was Incorrect.
[Connection to 150.1.6.6 closed by foreign host]
Rack1R5#

Is that okay, or am I missing something important?

 

Comments

  • I did almost the same thing.

  • jdr - Agreed. My config was the same as yours.

  • aaa authentication login default line is important because we don't have any user accounts created in local database so we must use line password as methodology of pass or fail.  I guess you wouldn't need it if you were permitted to create an account.  Anyways, here was my syntax . . .

     

    aaa new-model
    aaa authentication attempts login 1
    aaa authentication login default line
    aaa authentication fail-message ^
    Authentication Failed. Username or Password was Incorrect
    ^
    !

    This seems to satisfy the requirements. 

     

    Cheers

    Matt

  • I did the same thing.

     

    While it meets the task requirements individually, it does break the ability to telnet into the device successfully without the additional aaa config.

    This fact probably makes it wrong.
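
Added example, not part of any post in this thread: a small Python resolver that reports which login method list each line stanza ends up using, which is the point the question and the replies turn on. The sample config is constructed, `aaa new-model` is assumed to be enabled, and the implicit-default rule it encodes (local user database on vty, no check on the console when no default list is set) is the behaviour Cisco documents for IOS.

```python
import re

# Constructed sample, modelled on the configurations quoted in this thread.
SAMPLE = """\
aaa new-model
aaa authentication login default line
aaa authentication login NO_AUTH none
line con 0
 privilege level 15
 login authentication NO_AUTH
line vty 0 4
 password cisco
"""

def login_methods(config):
    """Map each line stanza to (method list name, methods) for login.

    Assumes 'aaa new-model' is enabled, as in every config in the thread.
    """
    lists, applied, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if raw.startswith("line "):
            current = text[len("line "):]
            applied[current] = "default"   # used unless a named list is applied
        elif raw.startswith(" ") and current:
            m = re.match(r"login authentication (\S+)", text)
            if m:
                applied[current] = m.group(1)
        else:
            current = None
            m = re.match(r"aaa authentication login (\S+) (.+)", text)
            if m:
                lists[m.group(1)] = m.group(2).split()
    result = {}
    for line, name in applied.items():
        if name in lists:
            result[line] = (name, lists[name])
        elif name == "default":
            # No default list configured: IOS checks the local user database,
            # except on the console, where login succeeds with no check.
            implicit = ["none"] if line.startswith("con") else ["local"]
            result[line] = ("implicit default", implicit)
        else:
            result[line] = (name, ["undefined list"])
    return result

if __name__ == "__main__":
    for line, (name, methods) in login_methods(SAMPLE).items():
        print(f"line {line}: list {name} -> {' '.join(methods)}")
```

Running it against a config with no `aaa authentication login` lines at all gives no check on `con 0` and `local` on the vty lines, which matches the console and telnet sessions shown in the first post.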
