
AAA and avoiding affecting "vty and console login"
Imagine my wonderful boss tells me:
"Configure PPP CHAP/AAA authentication on all routers in the enterprise WAN links."
However, note this special requirement: "PAY ATTENTION THAT YOU CANNOT LET AAA AFFECT VTY AND CONSOLE LOGIN on those critical routers"!!!!
Question:
Should I configure:
aaa new-model
aaa authentication login default line
aaa authentication ppp CRITICALR1 group radius local-case
aaa authentication ppp CRITICALR2 group radius local-case
Should I include "aaa authentication login default line" or not?
Comments
It depends on what the current configuration of the console and vty is; what authentication are they using currently?
Brian McGahan, CCIE #8593 (R&S/SP/Security)
[email protected]
Internetwork Expert, Inc.
http://www.INE.com
From: [email protected] [mailto:[email protected]] On Behalf Of Marlon
Sent: Wednesday, November 09, 2011 9:46 PM
To: Brian McGahan
Subject: [CCIE R&S] AAA and avoiding affecting "vty and console login"
Let's say my boss tells me:
"Configure PPP CHAP on all routers in the enterprise."
However, note this special requirement: "PAY ATTENTION THAT YOU CANNOT LET AAA AFFECT VTY AND CONSOLE LOGIN on those critical routers"!!!!
Question:
Should I configure:
aaa new-model
aaa authentication login default line
aaa authentication ppp R1 group radius local-case
aaa authentication ppp R2 group radius local-case
Should I include "aaa authentication login default line" or not?
INE - The Industry Leader in CCIE Preparation
http://www.INE.com
Subscription information may be found at:
http://www.ieoc.com/forums/ForumSubscriptions.aspx
What is meant by "affect" the lines? That you can't log in?
Is there "login" and "password xyz" configured?
When there are only those two commands on the line and you enter "aaa new-model", then you absolutely need a username for the login. If you did not configure one and your CLI session is closed, you are excluded from the router and need to reboot or do password recovery.
Hi,
So, to not affect the lines, it means to keep the authentication method used previously on VTY/console, before AAA is configured. If you had a username/password-based config, this is the default once you enable AAA anyway (it asks for user/pass); if you had line password authentication, use "aaa authentication login default line".
Good luck with your studies!
Under vty and console, assume it is default; no configuration at the moment.
In my experiment, if I do:
aaa new-model
aaa authentication login default line
Then I will be prompted to enter login credentials for VTY and CONSOLE.
Man, this is confusing... because I have two triple-CCIE friends debating different views on this:
If it means "DO NOT AFFECT VTY AND CONSOLE", to me it seems I SHOULD NOT enter "aaa authentication login default line". Because if I type this sucker in, it means I will have affected VTY and CONSOLE by now having to set up a username and password under VTY and CONSOLE, right?
So it really seems to me I should not enter "aaa authentication login default line". But then I have other people thinking I should enter "aaa authentication login default line". Let me know, guys. I know if I get this right my boss will give me a nice review in December.
Then say aaa authentication login default none. That means it won’t ask for any authentication.
Brian McGahan, CCIE #8593 (R&S/SP/Security)
[email protected]
Internetwork Expert, Inc.
http://www.INE.com
From: [email protected] [mailto:[email protected]] On Behalf Of Marlon
Sent: Thursday, November 10, 2011 3:58 PM
To: Brian McGahan
Subject: Re: [CCIE R&S] RE: AAA and avoiding affecting "vty and console login"
Hi,
So, defaults are: the console asks for no authentication (no login mode), while VTY lines ask for authentication, but nothing is configured by default, so you will NOT be able to actually telnet/ssh into the router/switch. What you can do is: aaa authentication login default none; at this moment you can use the console with no authentication, and also telnet/ssh with no authentication.
Good luck with your studies!
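As an added example (not from any poster in this thread), here is a config that applies the advice above and goes one step further: named login method lists per line, so that enabling AAA for PPP CHAP leaves the console and vty behaviour exactly as it was. It assumes a console that had no login and vty lines that used a line password; the RADIUS address, keys, usernames and interface name are placeholders.

```ios
! Added example, not from the thread. Assumed pre-AAA state (constructed):
!   line con 0  -> no login at all
!   line vty 0 4 -> "login" + "password <line-pw>"
! Safety net: if the new config locks you out, the box reloads to the
! saved config. Cancel it with "reload cancel" once you have verified access.
reload in 10
!
aaa new-model
!
! The "default" login list is what every line uses unless told otherwise.
! "line" keeps the old vty behaviour (line password, no username needed).
aaa authentication login default line
! A named list for the console so it keeps asking for nothing, as before.
aaa authentication login CONSOLE none
!
! PPP has its own method list; it never touches vty/console login.
! "local-case" = fall back to local usernames, case-sensitive, if RADIUS is down.
aaa authentication ppp CRITICALR1 group radius local-case
!
! Placeholder RADIUS server and local fallback account for CHAP.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER_RADIUS_KEY
username pppuser password 0 PLACEHOLDER_CHAP_SECRET
!
line con 0
 login authentication CONSOLE
line vty 0 4
 password PLACEHOLDER_LINE_PW
 login authentication default
!
! Placeholder WAN interface; the PPP list is bound here, not on the lines.
interface Serial0/0
 encapsulation ppp
 ppp authentication chap CRITICALR1
!
! Verify from a second, already-open session before cancelling the reload:
!   show running-config | section aaa|line
!   debug aaa authentication
```

If the pre-AAA state was instead "nothing configured at all" (as in the poster's lab), replace the default list with "aaa authentication login default none", which is the answer given above.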