Re: enable access for VTY and console

From: Sean C. (Upp_and_Upp@hotmail.com)
Date: Sat Jul 29 2006 - 20:54:35 ART


Hi Secondie,

Interesting challenge. I have one question, and perhaps it's just a
question of task interpretation. The first task you supplied "using AAA,
that console never requires the enable password..."

Does this mean:
1-the router requires you to authenticate to access the router via the
console, but once authenticated, you are taken straight to exec mode? IOW -
you still need to supply a password, but when you supply the password,
instead of only placing your session in user mode, your session is
automatically started in exec mode.
OR
2-there is no password for both user and enable mode. IOW - if you start a
terminal session in the console port, your session will automatically start
at the exec mode.

I would think option 2, but when reading the question 10 dozen times, I
start thinking about what to do for user mode. Again, thanks for the
challenge and thank everyone for their posts/opinions,
Sean

----- Original Message -----
From: "secondie" <secondie@gmail.com>
To: "Michael Stout" <michaelgstout@hotmail.com>
Cc: <ploreal@gmail.com>; <ccielab@groupstudy.com>; <security@groupstudy.com>
Sent: Saturday, July 29, 2006 1:09 PM
Subject: Re: enable access for VTY and console

Thanks all for replies. I was hoping to see some variant of "aaa authen
enable default enable" type command to set the "no password needed" for
console while still needing enable password for VTY.

What I found so far is that the "aaa authen enable default enable" or "aaa
authen enable default none" command has only default mode and no group mode.

For example, if I had "aaa authen enable MYCONSOLE none" and "aaa authen
enable VTY enable", I could easily do something like below:

aaa authen login MYCONSOLE none
aaa authen enable VTY enable

line con 0
login authen MYCONSOLE
line vty 0 4
login authen VTY

Is it possible to configure the "aaa authen enable MYCONSOLE none" command?
I know there are new variations of aaa commands all over the IOS trains,
and so far I can only find the default group with this command.

Once again, thanks all for responses.

-secondie

Michael Stout wrote:
>
> I don't have a lot of experience with aaa.
> I believe you would want to set the parameters for default
> authentication if you want to use a default authentication method.
> aaa authentication login default group tacacs+ local enable
> Then you would set up your specialized aaa authentication methods
> aaa authentication login insecure none
> aaa authentication login telnet local
> aaa authentication enable default enable
>
> Then you apply the aaa authentication methods
> line con 0
> login authentication insecure
> privilege level 15
> line vty 0 15
> login authentication telnet
> privilege level 0
>
> Then you can set up your authorization
> aaa authorization commands 15 telnet if-authenticated
> aaa authorization commands 1 enable if-authenticated
>
> Then you set up your command levels
> privilege exec level 1 enable
> This command prevents your vty users from ever entering enable mode
>
>
>
> From: "Patricia Loreal" <ploreal@gmail.com>
> To: michaelgstout@hotmail.com
> CC: secondie@gmail.com, ccielab@groupstudy.com,
> security@groupstudy.com
> Subject: RE: enable access for VTY and console
> Date: Sat, 29 Jul 2006 14:00:05 -0400
>
> Hi,
>
> But why do we not need the
> aaa authentication login default none
> in this case?
>
> I've tested that and it seems not to need the default
> authentication. I thought that when enabling aaa
> authentication it would use also the default.
>
> Thanks Michael
> Patricia
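
An added example, not part of the original thread or any poster's code: a small Python check over a saved IOS configuration that reports every line whose login method list starts with `none`, together with the privilege level the session starts at, as in the console setup quoted above. The sample config is constructed, uses full-length forms of the commands in the thread, and the function names are assumptions.

```python
import re

# Constructed sample config, modelled on the commands quoted in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login insecure none
aaa authentication login telnet local
aaa authentication enable default enable
line con 0
 login authentication insecure
 privilege level 15
line vty 0 15
 login authentication telnet
 privilege level 0
"""

def parse_login_lists(config):
    """Map each named login method list to its ordered methods."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        lists[m.group(1)] = m.group(2).split()
    return lists

def parse_lines(config):
    """Return {line name: {'list': name, 'privilege': level}} per line block."""
    lines, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            lines[current] = {"list": "default", "privilege": 1}  # IOS defaults
        elif current and raw.startswith(" "):
            words = raw.split()
            if words[:2] == ["login", "authentication"] and len(words) == 3:
                lines[current]["list"] = words[2]
            elif words[:2] == ["privilege", "level"] and len(words) == 3:
                lines[current]["privilege"] = int(words[2])
        else:
            current = None  # left the line block
    return lines

def audit(config):
    """List (line, method list, start level) where login needs no credentials."""
    lists = parse_login_lists(config)
    findings = []
    for name, cfg in parse_lines(config).items():
        methods = lists.get(cfg["list"], [])
        if methods[:1] == ["none"]:
            findings.append((name, cfg["list"], cfg["privilege"]))
    return findings
```

A finding with start level 15 means anyone with physical access to that line lands directly in privileged EXEC, so such a line should appear only where that is the documented intent.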



This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:48 ART