From: Neil Moore (neil@droopy.com)
Date: Sat Jul 29 2006 - 18:50:12 ART
Does this question exclude you from using the ACS server?
Sean C. wrote:
> Hi Secondie,
>
> Interesting challenge. I have one question, and perhaps it's just a
> question of task interpretation. The first task you supplied "using AAA,
> that console never requires the enable password..."
>
> Does this mean:
> 1-the router requires you to authenticate to access the router via the
> console, but once authenticated, you are taken straight to exec mode? IOW -
> you still need to supply a password, but when you supply the password,
> instead of only placing your session in user mode, your session is
> automatically started in exec mode.
> OR
> 2-there is no password for both user and enable mode. IOW - if you start a
> terminal session in the console port, your session will automatically start
> at the exec mode.
>
> I would think option 2, but when reading the question 10 dozen times, I
> start thinking about what to do for user mode. Again, thanks for the
> challenge and thank everyone for their posts/opinions,
> Sean
>
>
> ----- Original Message -----
> From: "secondie" <secondie@gmail.com>
> To: "Michael Stout" <michaelgstout@hotmail.com>
> Cc: <ploreal@gmail.com>; <ccielab@groupstudy.com>; <security@groupstudy.com>
> Sent: Saturday, July 29, 2006 1:09 PM
> Subject: Re: enable access for VTY and console
>
>
> Thanks all for replies. I was hoping to see some variant of "aaa authen
> enable default enable" type command to set the "no password needed" for
> console while still needing enable password for VTY.
>
> What I found so far is that "aaa authen enable default enable" or "aaa
> authen enable default none" command has only default mode and no group mode
>
> for example if I had "aaa authen enable MYCONSOLE none" and "aaa authen
> enable VTY enable", I could easily do something like below:
>
> aaa authen login MYCONSOLE none
> aaa authen enable VTY enable
>
> line con 0
> login authen MYCONSOLE
> line vty 0 4
> login authen VTY
>
> Is it possible to configure "aaa authen enable MYCONSOLE none" command?
> I know there are new variations of aaa commands all over the IOS trains
> and so far I can only find the default group with this command.
>
> Once again, thanks all for responses.
>
> -secondie
>
>
> Michael Stout wrote:
>
>> I don't have a lot of experience with aaa.
>> I believe you would want to set the parameters for default
>> authentication if you want to use a default authentication method.
>> aaa authentication default group tacacs local enable
>> Then you would set up your specialized aaa authentication methods
>> aaa authentication login insecure none
>> aaa authentication login telnet local
>> aaa authentication enable enable
>>
>> Then you apply the aaa authentication methods
>> line con 0
>> login authentication insecure
>> privi le 15
>> line vty 0 15
>> login authentication telnet
>> privi le 0
>>
>> Then you can set up your authorization
>> aaa authorization commands 15 telnet if-authenticated
>> aaa authorization commands 1 enable if-authenticated
>>
>> Then you set up your command levels
>> privilege exec level 1 enable
>> This command prevents your vty users from ever entering enable mode
>>
>>
>>
>> From: "Patricia Loreal" <ploreal@gmail.com>
>> To: michaelgstout@hotmail.com
>> CC: secondie@gmail.com, ccielab@groupstudy.com, security@groupstudy.com
>> Subject: RE: enable access for VTY and console
>> Date: Sat, 29 Jul 2006 14:00:05 -0400
>>
>> Hi,
>>
>> But why do we not need the
>> aaa authentication login default none
>> in this case?
>>
>> I've tested that and it seems not to need the default
>> authentication. I thought that when enabling aaa
>> authentication it would also use the default.
>>
>> Thanks Michael
>> Patricia
>>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:48 ART