From: TiuN Hong Leng (hongleng@ms73.hinet.net)
Date: Wed May 18 2005 - 23:35:56 GMT-3
Hi Scott,
It does go to the next method.
When (with line password and no username):
aaa new-model
aaa authentication login default local line enable none
aaa authorization exec default local if-authenticated
line vty 0 4
password cisco
transport input telnet
transport output telnet
!
===================================================================
User Access Verification
Username: abc
Password:
<-------- local method failed
Password: <-------- use line password "cisco"
INT-TN-C2621>
===================================================================
But after removing line password:
aaa new-model
aaa authentication login default local line enable none
aaa authorization exec default local if-authenticated
enable secret cisco
line vty 0 4
transport input telnet
transport output telnet
!
===================================================================
User Access Verification
Username: abc
Password:
<-------- local method failed
Password: <-------- STILL WANT LINE PASSWORD (see debug below)
<-------- Since no line password, no one can log in
% Authentication failed.
Username:
===================================================================
May 19 10:31:44: AAA/BIND(0000003E): Bind i/f
May 19 10:31:44: AAA/AUTHEN/LOGIN (0000003E): Pick method list 'default'
May 19 10:31:48: AAA/AUTHEN/LINE(0000003E): GET_PASSWORD
May 19 10:31:51: AAA/AUTHEN/LINE(0000003E): FAIL password incorrect
May 19 10:31:53: AAA/AUTHEN/LOGIN (0000003E): Pick method list 'default'
On Wed, 18 May 2005 08:38:16 -0400
"Scott Morris" <swm@emanon.com> wrote:
> In order for the AAA process to move from one method to another (local to
> enable), you have to have a FAILURE of the first method.
>
> IMHO, there is no way to have a FAILURE of local authentication. You will
> get a Yes or No response all the time, regardless of whether you have the
> usernames configured! With TACACS and RADIUS, you can get no response
> (server down?) that will generate a FAILURE of the method.
>
> So my guess would be that your first method listed (local) will always give a
> yes or no response no matter what you enter, therefore it would never go to
> the other methods.
>
> HTH,
>
> Scott
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of TiuN
> Hong Leng
> Sent: Wednesday, May 18, 2005 6:05 AM
> To: ccielab@groupstudy.com
> Subject: aaa authentication without line password
>
> Hi,
>
> Here is my configuration:
>
> aaa new-model
> aaa authentication login default local line enable none
> aaa authorization exec default local if-authenticated
> line vty 0 4
> transport input telnet
> transport output telnet
> !
>
>
> I found that I cannot be authenticated by using the enable password if there is
> no username in the local database and no line password.
>
> Why???
> My IOS version is 12.2(15)T14
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
-- TiuN Hong Leng CCIE #13673
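Added example, not part of this thread: a small Python model of the method-list rule the debug above illustrates. AAA walks the list and moves on only when a method is unavailable (ERROR); the first PASS or FAIL ends the walk. The model replays both configurations from the thread (empty local database treated as ERROR, the LINE method failing as the debug shows) and adds a constructed case showing why a trailing `none` is a risk; the behaviour of `enable` with no secret configured is an assumption, not something the thread exercises.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # credentials accepted; login granted
    FAIL = "fail"    # credentials rejected; the list stops here
    ERROR = "error"  # method unavailable; AAA moves on to the next method


def build_methods(local_users, line_password, enable_secret):
    """Return the four methods named in 'aaa authentication login default
    local line enable none', closed over the router state given."""
    def local(user, pw):
        if not local_users:                  # empty username database
            return Result.ERROR              #   -> method skipped, next one tried
        return Result.PASS if local_users.get(user) == pw else Result.FAIL

    def line(user, pw):
        # Matches the thread's debug: with no line password the LINE method still
        # prompts and reports "FAIL password incorrect", so nothing after it runs.
        ok = line_password is not None and pw == line_password
        return Result.PASS if ok else Result.FAIL

    def enable(user, pw):
        if enable_secret is None:            # assumption: no secret -> unavailable
            return Result.ERROR
        return Result.PASS if pw == enable_secret else Result.FAIL

    def none(user, pw):
        return Result.PASS                   # no authentication at all

    return {"local": local, "line": line, "enable": enable, "none": none}


def authenticate(method_list, methods, user, pw):
    """Walk the method list in order; return (outcome, method that decided)."""
    for name in method_list:
        outcome = methods[name](user, pw)
        if outcome is not Result.ERROR:
            return outcome, name
    return Result.FAIL, None                 # every method was unavailable


THREAD_LIST = ["local", "line", "enable", "none"]


def first_post():   # no username, line password "cisco", no enable secret
    return authenticate(THREAD_LIST, build_methods({}, "cisco", None), "abc", "cisco")


def second_post():  # no username, no line password, enable secret "cisco"
    return authenticate(THREAD_LIST, build_methods({}, None, "cisco"), "abc", "cisco")


def trailing_none_risk():  # constructed: 'local none' with an empty database
    return authenticate(["local", "none"], build_methods({}, None, None), "x", "y")
```

The last function is the defender's takeaway: with an empty local database and `none` as the next method, any credentials are accepted, so configure at least one local user before relying on `local` and keep `none` out of login lists on reachable lines.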
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:59 GMT-3