RE: aaa authentication without line password

From: Scott Morris (swm@emanon.com)
Date: Wed May 18 2005 - 09:38:16 GMT-3


In order for the AAA process to move from one method to another (local to
enable), you have to have a FAILURE of the first method.

IMHO, there is no way to have a FAILURE of local authentication. You will
get a Yes or No response all the time, regardless of whether you have the
usernames configured! With TACACS and RADIUS, you can get no response
(server down?) that will generate a FAILURE of the method.

So my guess would be that your first method listed (local) will always give a
yes or no response no matter what you enter, therefore it would never go to
the other methods.

HTH,

Scott

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of TiuN Hong Leng
Sent: Wednesday, May 18, 2005 6:05 AM
To: ccielab@groupstudy.com
Subject: aaa authentication without line password

Hi,

Here is my configuration:

aaa new-model
aaa authentication login default local line enable none
aaa authorization exec default local if-authenticated
line vty 0 4
 transport input telnet
 transport output telnet
!

I found that I cannot be authenticated by using the enable password if there is
no username in the local database and no line password.

Why???
My IOS version is 12.2(15)T14
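
Added example, not part of the original thread and not Cisco code: a toy Python model of the method-list rule the reply describes, where the list advances only when a method gives no answer at all. The `remote` stand-in, the behaviour of `line` with no password, and all sample credentials are assumptions constructed for illustration; nothing here was checked against IOS 12.2(15)T14.

```python
"""Toy model of AAA login method-list fallback as described in the reply."""
ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"

def local(users):
    # Per the reply: local always answers yes or no, even with an empty database.
    return lambda user, pw: ACCEPT if user in users and users[user] == pw else REJECT

def remote(users, reachable):
    # Hypothetical TACACS+/RADIUS stand-in: an unreachable server gives no answer.
    def check(user, pw):
        if not reachable:
            return NO_RESPONSE
        return ACCEPT if user in users and users[user] == pw else REJECT
    return check

def line(password):
    # Assumption: a line with no password configured cannot answer.
    def check(user, pw):
        if password is None:
            return NO_RESPONSE
        return ACCEPT if pw == password else REJECT
    return check

def enable(secret):
    return lambda user, pw: ACCEPT if pw == secret else REJECT

def none(user, pw):
    # The "none" method accepts anyone who reaches it.
    return ACCEPT

def authenticate(methods, user, pw):
    """Walk the list and stop at the first method that answers at all."""
    for name, method in methods:
        verdict = method(user, pw)
        if verdict != NO_RESPONSE:
            return name, verdict
    return None, REJECT

# Constructed sample data: enable password "cisco", no local users, no line password.
POSTER_LIST = [("local", local({})), ("line", line(None)),
               ("enable", enable("cisco")), ("none", none)]
SERVER_DOWN_LIST = [("tacacs", remote({}, reachable=False)),
                    ("enable", enable("cisco")), ("none", none)]

if __name__ == "__main__":
    print(authenticate(POSTER_LIST, "", "cisco"))       # local answers first
    print(authenticate(SERVER_DOWN_LIST, "", "cisco"))  # falls through to enable
```

In this model the poster's list stops at `local` with a reject, while a list headed by an unreachable server falls through to `enable`.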



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:58 GMT-3