Need a little AAA authentication help....

I am trying to get my switch to authenticate against the local database upon login with SSH. SSH, the local database, and AAA are all set up:

username lovejoy privilege 15 secret 5 xxxxxxx

aaa new-model
aaa authentication login default local
aaa authentication enable default enable

line vty 0 4
 access-class 10 in
 exec-timeout 9 0
 transport input ssh
line vty 5 15
 access-class 10 in
 exec-timeout 9 0
 transport input ssh

When I attempt to SSH to the switch, it only asks me for a password, and not a login and password. I did enter

login authentication default

on the vty lines, and it appears to accept it, but in the sh run it is not there. If I try

login authentication local

it says that there is no database called local, because I didn't name the database. The switch is a 2960G running 12.2(50)SE1.

Any suggestions or am I just missing the point entirely?

TIA Lovejoy

Lovejoy


Hello,

Consider reviewing the following information.


Be aware that using the authentication list "default" results in applying the AAA authentication method to all lines, including the console.

I think if you had "aaa authentication login default group local" this would refer to the local database, or locally configured username commands. Are you missing "group" in this command? If your user is configured at level 15, I am not sure the authentication for the enable command is needed.

Regards

jrguent

Thanks for the response. I tried as you suggested, and I am still only challenged for a password. One thing was that the article you directed me to was biased toward an external AAA server. It would seem that most of the Cisco docs are concerned with external AAA servers. I guess creating and using a local AAA database must be trivial... until something goes wrong.

TIA Lovejoy

Lovejoy


Hello,

Yes, I missed it the first time. I have used "login authentication local" command on vty lines to enable logins via the local database without any aaa commands in my configuration.

Using a local AAA database is actually more work to maintain if you have a large network infrastructure, because you need to manage a local AAA database per network device. Also, using auditing tools such as nipper on configurations, I have noticed that local AAA database account password encryption is trivial to reverse and obtain user account passwords. Although I am not certain whether that would apply to your case or not, as you have used the command "secret 5" as part of the user account credential configuration. With all of this said, it is still a good idea to have a "local database" fallback method for authentication if you were to decide to use a centralized authentication solution such as a RADIUS server referencing an Active Directory database, which can be set up using the Windows IAS RADIUS server on a Domain Controller. In this way you are not locked out of your devices if you lose network connectivity to the centralized server.

Regards

jrguent
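As an added example (not from jrguent's post or anyone else in this thread), here is a complete IOS configuration in the spirit of the fallback arrangement just described: RADIUS first, the local database second, with the console on its own local-only method list so that the "default" list cannot lock you out when the server is unreachable. The hostname, the 192.0.2.10 server address, the shared key and the passphrases are placeholders, and access-list 10 is assumed to already exist as in the original post. Two facts relevant to the original question are recorded in the comments: under "aaa new-model" the vty lines use the "default" login list implicitly, so "login authentication default" is accepted but never displayed by "show running-config", and an SSH client sends the username inside the SSH protocol itself, so the switch prompts only for the password (the authenticated name still shows up in "show users"). "local" is a method keyword rather than a server group, so it takes no "group" prefix.

```ios
! Added example configuration, not taken from the thread.
! Hostname, server address, key and passphrases are placeholders.
hostname SW-EXAMPLE
!
! "secret" stores a salted MD5 hash (shown as "secret 5" in the running config).
! "password" would store a reversibly encoded type 7 string, which audit tools flag.
enable secret EnablePassphraseHere
username lovejoy privilege 15 secret StrongPassphraseHere
!
aaa new-model
!
! RADIUS server is an assumption; delete this line and the two "group radius"
! keywords below for a purely local setup.
radius-server host 192.0.2.10 key PLACEHOLDER-SHARED-KEY
!
! Login: try RADIUS, fall back to the local username database if no server answers.
! "local" is a method keyword, not a server group, so it is written without "group".
aaa authentication login default group radius local
!
! Enable: ask RADIUS, fall back to the configured enable secret.
aaa authentication enable default group radius enable
!
! Exec authorization: a username configured with "privilege 15" lands directly at
! level 15 without typing "enable". RADIUS users need shell:priv-lvl=15 returned.
aaa authorization exec default group radius local
!
! Keep the console on a separate local-only list. Without this, the "default"
! list applies to the console too, and an unreachable RADIUS server costs you
! the out-of-band path as well.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
 exec-timeout 9 0
!
! SSH prerequisites: a domain name and an RSA key. The key is generated with the
! exec command "crypto key generate rsa modulus 2048" before SSH will accept sessions.
ip domain-name example.net
ip ssh version 2
!
line vty 0 15
 access-class 10 in
 exec-timeout 9 0
 transport input ssh
 ! "login authentication default" is the implied setting here under aaa new-model;
 ! it is accepted if typed but is not shown in "show running-config".
 ! The SSH client supplies the username, so only a password prompt appears;
 ! "show users" afterwards lists the authenticated name.
!
end
```

The same local-only login without any AAA commands is what the last reply in this thread shows: "no aaa new-model" plus "login local" on the vty lines. Whichever form is used, "username ... secret" is the part that matters for the password hashing that nipper and similar auditors check.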


I use:

no aaa new-model
username fred privilege 15 secret 5 $1$9yp...

line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
 transport output telnet ssh

Note that the use of the "secret" prevents the trivial decryption of the password.

bod43

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.