From: Paul Dardinski (pauld@marshallcomm.com)
Date: Sat Jul 29 2006 - 23:10:56 ART
It would appear that Godswill's solution would capture the vty
requirement, but I still think that by using "enable" on the CONSOLE, you
still have a password requirement involved (the enable pwd would be
required).
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
firstie
Sent: Saturday, July 29, 2006 6:33 PM
To: Sean C.
Cc: secondie@gmail.com; ccielab@groupstudy.com
Subject: Re: enable access for VTY and console
TACACS is not an option. Question says local AAA.
There was a userid and PW configured during the last step, so yes, userid and
PW are available.
If my interpretation is correct, Godswill's solution requires enable
password to be entered for console.
I am starting to think there is a problem with the question itself.
-secondie
Sean C. wrote:
> Ahh, so you're in fact thinking a third solution from the two I suggested:
> -You believe that if you attach a console port to the router, the term
> session will start at user mode, w/out requiring authentication. You then
> type 'enable' and are automatically placed into exec mode.
>
> Also, thinking about Godswill's solution:
> !
> aaa new-model
> aaa authentication login CONSOLE enable
> aaa authentication login VTY local
> !
> line console 0
> login authentication CONSOLE
> !
> line vty 0 4
> login authentication VTY
> !
>
> Doesn't using 'local' on the VTY group force you to create a username and
> PW? Was a username and PW required/created anywhere else in any tasks?
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part05/ch05/schathen.htm#wp1001192
>
> Again, interesting challenge. Wish I could offer more, but I don't have
> immediate access to a router to bang on some theories. Thx,
> Sean
>
>
> ----- Original Message -----
> From: "secondie" <secondie@gmail.com>
> To: "Sean C." <Upp_and_Upp@hotmail.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Saturday, July 29, 2006 2:29 PM
> Subject: Re: enable access for VTY and console
>
>
> Question, the way I read it, is that no PW is needed for console ... my
> interpretation is that I am allowed to type enable and hit enter. But
> the catch is that AAA authorizes that action ... so placing a "privi
> level 15" is probably not what is being asked (sorry Mike, you had
> proposed that solution).
>
> In the meantime, requiring VTY to use local enable forces the presence
> of the enable PW, which will interfere with the console "no PW" requirement.
>
> Maybe it is not possible.
>
>
>
>
> Sean C. wrote:
>
>> Hi Secondie,
>>
>> Interesting challenge. I have one question, and perhaps it's just a
>> question of task interpretation. The first task you supplied "using AAA,
>> that console never requires the enable password..."
>>
>> Does this mean:
>> 1-the router requires you to authenticate to access the router via the
>> console, but once authenticated, you are taken straight to exec mode? IOW -
>> you still need to supply a password, but when you supply the password,
>> instead of only placing your session in user mode, your session is
>> automatically started in exec mode.
>> OR
>> 2-there is no password for both user and enable mode. IOW - if you start
>> a terminal session in the console port, your session will automatically
>> start at the exec mode.
>>
>> I would think option 2, but when reading the question 10 dozen times, I
>> start thinking about what to do for user mode. Again, thanks for the
>> challenge and thank everyone for their posts/opinions,
>> Sean
>>
>>
>> ----- Original Message -----
>> From: "secondie" <secondie@gmail.com>
>> To: "Michael Stout" <michaelgstout@hotmail.com>
>> Cc: <ploreal@gmail.com>; <ccielab@groupstudy.com>; <security@groupstudy.com>
>> Sent: Saturday, July 29, 2006 1:09 PM
>> Subject: Re: enable access for VTY and console
>>
>>
>> Thanks all for replies. I was hoping to see some variant of "aaa authen
>> enable default enable" type command to set the "no password needed" for
>> console while still needing enable password for VTY.
>>
>> What I found so far is that the "aaa authen enable default enable" or "aaa
>> authen enable default none" command has only default mode and no group mode.
>> For example, if I had "aaa authen enable MYCONSOLE none" and "aaa authen
>> enable VTY enable", I could easily do something like below:
>>
>> aaa authen login MYCONSOLE none
>> aaa authen enable VTY enable
>>
>> line con 0
>> login authen MYCONSOLE
>> line vty 0 4
>> login authen VTY
>>
>> Is it possible to configure the "aaa authen enable MYCONSOLE none"
>> command? I know there are new variations of aaa commands all over the IOS
>> trains and so far I can only find the default group with this command.
>>
>> Once again thanks all for responses.
>>
>> -secondie
>>
>>
>> Michael Stout wrote:
>>
>>
>>> I don't have a lot of experience with aaa.
>>> I believe you would want to set the parameters for default
>>> authentication if you want to use a default authentication method.
>>> aaa authentication login default group tacacs+ local enable
>>> Then you would set up your specialized aaa authentication methods
>>> aaa authentication login insecure none
>>> aaa authentication login telnet local
>>> aaa authentication enable default enable
>>>
>>> Then you apply the aaa authentication methods
>>> line con 0
>>> login authentication insecure
>>> privilege level 15
>>> line vty 0 15
>>> login authentication telnet
>>> privilege level 0
>>>
>>> Then you can set up your authorization
>>> aaa authorization commands 15 telnet if-authenticated
>>> aaa authorization commands 1 enable if-authenticated
>>>
>>> Then you set up your command levels
>>> privilege exec level 1 enable
>>> This command prevents your vty users from ever entering enable mode
>>>
>>>
>>>
>>> From: "Patricia Loreal" <ploreal@gmail.com>
>>> To: michaelgstout@hotmail.com
>>> CC: secondie@gmail.com, ccielab@groupstudy.com,
>>> security@groupstudy.com
>>> Subject: RE: enable access for VTY and console
>>> Date: Sat, 29 Jul 2006 14:00:05 -0400
>>>
>>> Hi,
>>>
>>> But why do we not need the
>>> aaa authentication login default none
>>> in this case?
>>>
>>> I've tested that and it seems not to need the default
>>> authentication; I thought that when enabling aaa
>>> authentication it would also use the default.
>>>
>>> Thanks Michael
>>> Patricia
>>>
>>>
>>
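The recurring point in this thread is that the login step can be tied to a named method list per line, but the enable step only has a `default` list, so "no enable password on the console, enable password on the vty" cannot be expressed through `aaa authentication enable` alone. The script below is an added example, not code from the thread or from Cisco: it parses an IOS-style config snippet, resolves which login list applies to each `line` section, and reports whether a login credential and the enable password are still required there, so a reviewer can spot lines that land in privileged exec without either. Both config snippets are constructed (one mirrors Godswill's lists, the other the `none` plus `privilege level 15` reading), `PLACEHOLDER` stands in for secrets, and the fallback to `local` when `aaa new-model` is set with no default list is an assumption noted in the code.

```python
"""Audit which login list and enable step apply to each IOS line.

Added example (not from the thread or from Cisco): resolves the per-line
login method list and reports whether a credential and the enable password
are required to reach privileged exec.
"""
import re
from dataclasses import dataclass, field

# Constructed config mirroring Godswill's lists (not from a real device).
GODSWILL_CONFIG = """\
aaa new-model
aaa authentication login CONSOLE enable
aaa authentication login VTY local
username admin privilege 15 secret PLACEHOLDER
enable secret PLACEHOLDER
!
line console 0
 login authentication CONSOLE
!
line vty 0 4
 login authentication VTY
!
"""

# Constructed config for the 'console needs no password' reading.
OPEN_CONSOLE_CONFIG = """\
aaa new-model
aaa authentication login NOPASS none
aaa authentication login VTY local
enable secret PLACEHOLDER
!
line con 0
 login authentication NOPASS
 privilege level 15
!
line vty 0 4
 login authentication VTY
!
"""


@dataclass
class AAAConfig:
    new_model: bool = False
    login_lists: dict = field(default_factory=dict)     # list name -> methods
    enable_methods: list = field(default_factory=list)  # 'enable default' only
    lines: dict = field(default_factory=dict)           # "con 0" / "vty 0 4" -> settings


def parse_config(text):
    """Collect AAA lists and per-line settings from IOS-style config text."""
    cfg = AAAConfig()
    current = None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if raw[0] not in " \t":          # unindented command leaves any 'line' section
            current = None
        if cmd == "aaa new-model":
            cfg.new_model = True
        elif m := re.match(r"aaa authentication login (\S+) (.+)$", cmd):
            cfg.login_lists[m.group(1)] = m.group(2).split()
        elif m := re.match(r"aaa authentication enable default (.+)$", cmd):
            cfg.enable_methods = m.group(1).split()
        elif m := re.match(r"line (con(?:sole)?|vty) (\d+)(?: (\d+))?$", cmd):
            kind = "con" if m.group(1).startswith("con") else "vty"
            current = " ".join(filter(None, (kind, m.group(2), m.group(3))))
            cfg.lines[current] = {"login_list": None, "priv": 1}
        elif current and (m := re.match(r"login authentication (\S+)$", cmd)):
            cfg.lines[current]["login_list"] = m.group(1)
        elif current and (m := re.match(r"privilege level (\d+)$", cmd)):
            cfg.lines[current]["priv"] = int(m.group(1))
    return cfg


def assess(cfg):
    """Per line: login methods in effect, and whether login / enable prompts occur."""
    result = {}
    for name, s in cfg.lines.items():
        list_name = s["login_list"] or "default"
        methods = cfg.login_lists.get(list_name)
        if methods is None:
            # Assumption: with aaa new-model and no default list IOS falls back to
            # the local database; without aaa new-model the line password applies.
            methods = ["local"] if cfg.new_model else ["line"]
        # No named list exists for the enable step: only 'aaa authentication
        # enable default', and with none configured the enable secret is used.
        enable_methods = cfg.enable_methods or ["enable"]
        result[name] = {
            "login_list": list_name,
            "login_methods": methods,
            "needs_login": methods[0] != "none",
            # A line that starts at privilege 15 never sees the enable prompt.
            "needs_enable": s["priv"] < 15 and enable_methods[0] != "none",
        }
    return result


def findings(cfg):
    """Lines where a credential or the enable password is not required."""
    out = []
    for name, r in assess(cfg).items():
        if not r["needs_login"]:
            out.append(f"{name}: login without credentials (list {r['login_list']} is 'none')")
        if not r["needs_enable"]:
            out.append(f"{name}: privileged exec reachable without enable password")
    return out


if __name__ == "__main__":
    for label, text in (("Godswill", GODSWILL_CONFIG), ("open console", OPEN_CONSOLE_CONFIG)):
        cfg = parse_config(text)
        print(label, assess(cfg), findings(cfg) or "no findings", sep="\n  ")
```

Run against the first snippet the script reports no findings, because both the console (list `CONSOLE`, method `enable`) and the vty (list `VTY`, method `local`) prompt at login and again at `enable`. Against the second it flags the console twice: the `none` list skips login, and `privilege level 15` skips the enable prompt, which is exactly the combination the thread debates. Commands the parser does not model, such as the hypothetical `aaa authen enable VTY enable`, are ignored rather than reported as valid.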
This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:48 ART