From: Michael Stout (michaelgstout@hotmail.com)
Date: Sat Jul 29 2006 - 18:48:46 ART
Godswill Oletu's solution was exactly correct.
Sorry, I didn't exactly read the question.
--------------------------------------------------------------------
From: secondie <secondie@gmail.com>
Reply-To: secondie <secondie@gmail.com>
To: "Sean C." <Upp_and_Upp@hotmail.com>
CC: ccielab@groupstudy.com
Subject: Re: enable access for VTY and console
Date: Sat, 29 Jul 2006 17:29:51 -0400
Question, the way I read it is that no PW is needed for console ... my
interpretation is that I am allowed to type enable and hit enter. But
the catch is that AAA authorizes that action ... so placing a "privi
level 15" is probably not what is being asked (sorry Mike, you had
proposed that solution).
In the meantime requiring VTY to use local enable forces the
presence of the enable PW that will interfere with console "no PW"
requirement.
Maybe it is not possible.
Sean C. wrote:
>Hi Secondie,
>
>Interesting challenge. I have one question, and perhaps it's just a
>question of task interpretation. The first task you supplied
>"using AAA, that console never requires the enable password..."
>
>Does this mean:
>1-the router requires you to authenticate to access the router via the
>console, but once authenticated, you are taken straight to exec mode?
>IOW - you still need to supply a password, but when you supply the
>password, instead of only placing your session in user mode, your
>session is automatically started in exec mode.
>OR
>2-there is no password for both user and enable mode. IOW - if you
>start a terminal session in the console port, your session will
>automatically start at the exec mode.
>
>I would think option 2, but when reading the question 10 dozen times,
>I start thinking about what to do for user mode. Again, thanks for the
>challenge and thank everyone for their posts/opinions,
>Sean
>
>
>----- Original Message -----
>From: "secondie" <secondie@gmail.com>
>To: "Michael Stout" <michaelgstout@hotmail.com>
>Cc: <ploreal@gmail.com>; <ccielab@groupstudy.com>; <security@groupstudy.com>
>Sent: Saturday, July 29, 2006 1:09 PM
>Subject: Re: enable access for VTY and console
>
>
>Thanks all for replies. I was hoping to see some variant of "aaa authen
>enable default enable" type command to set the "no password needed" for
>console while still needing enable password for VTY.
>
>What I found so far is that "aaa authen enable default enable" or "aaa
>authen enable default none" command has only default mode and no group
>mode.
>
>For example, if I had "aaa authen enable MYCONSOLE none" and "aaa authen
>enable VTY enable", I could easily do something like below:
>
>aaa authen login MYCONSOLE none
>aaa authen enable VTY enable
>
>line con 0
>login authen MYCONSOLE
>line vty 0 4
>login authen VTY
>
>Is it possible to configure "aaa authen enable MYCONSOLE none" command?
>I know there are new variations of aaa commands all over the IOS trains
>and so far I can only find the default group with this command.
>
>Once again thanks all for responses.
>
>-secondie
>
>
>Michael Stout wrote:
>
>>I don't have a lot of experience with aaa.
>>I believe you would want to set the parameters for default
>>authentication if you want to use a default authentication method.
>>aaa authentication default group tacacs local enable
>>Then you would set up your specialized aaa authentication methods
>>aaa authentication login insecure none
>>aaa authentication login telnet local
>>aaa authentication enable enable
>>
>>Then you apply the aaa authentication methods
>>line con 0
>>login authentication insecure
>>privi le 15
>>line vty 0 15
>>login authentication telnet
>>privi le 0
>>
>>Then you can set up your authorization
>>aaa authorization commands 15 telnet if-authenticated
>>aaa authorization commands 1 enable if-authenticated
>>
>>Then you set up your command levels
>>privilege exec level 1 enable
>>This command prevents your vty users from ever entering enable mode
>>
>>
>>
>> From: "Patricia Loreal" <ploreal@gmail.com>
>> To: michaelgstout@hotmail.com
>> CC: secondie@gmail.com, ccielab@groupstudy.com, security@groupstudy.com
>> Subject: RE: enable access for VTY and console
>> Date: Sat, 29 Jul 2006 14:00:05 -0400
>>
>> Hi,
>>
>> But why do we not need the
>> aaa authentication login default none
>> in this case?
>>
>> I've tested that and it seems not to need the default
>> authentication. I thought that when enabling aaa
>> authentication it would also use the default.
>>
>> Thanks Michael
>> Patricia
>>
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:48 ART
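
The limitation secondie describes (the enable method list exists only as "default", while login lists can be named and attached per line) can be checked mechanically before a config is pushed. The following is an added example, not part of any post in this thread: a small Python audit, with the hypothetical function name audit, run over a constructed sample that mirrors the per-line idea from the thread. It assumes full IOS keywords rather than abbreviations and treats the login list "default" as always defined.

```python
import re

# Constructed sample: the per-line method lists proposed in the thread,
# written out with full keywords (assumption: no abbreviations).
SAMPLE = """\
aaa new-model
aaa authentication login MYCONSOLE none
aaa authentication enable VTY enable
line con 0
 login authentication MYCONSOLE
line vty 0 4
 login authentication VTY
"""

def audit(config):
    """Return findings for AAA method-list mistakes in an IOS-style config."""
    login_lists = {"default"}   # assumption: "default" is always a valid reference
    findings, refs, current_line = [], [], None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"aaa authentication login (\S+)", text)
        if m:
            login_lists.add(m.group(1))
            continue
        m = re.match(r"aaa authentication enable (\S+)", text)
        if m:
            # The enable method list cannot be named, so it cannot differ per line.
            if m.group(1) != "default":
                findings.append(f"enable list '{m.group(1)}': only 'default' is accepted")
            continue
        m = re.match(r"line (.+)", text)
        if m and not raw.startswith(" "):
            current_line = m.group(1)
            continue
        m = re.match(r"login authentication (\S+)", text)
        if m and current_line:
            refs.append((current_line, m.group(1)))
    # Resolve references last, so definition order in the file does not matter.
    for line, name in refs:
        if name not in login_lists:
            findings.append(f"line {line}: login list '{name}' is not defined")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
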