From: secondie (secondie@gmail.com)
Date: Mon Jul 31 2006 - 00:39:56 ART
I think it is for "no enable password".
Here is the brief description:
"aaa authentication login VTY local" --- sets up VTY as local auth group
"aaa authorization exec VTY local" --- sets up authorization as local
line vty 0 4
password a -- "this line has no relevance to the authen or author as both are based on AAA, so ignored by VTY login", could be used as second choice but not configured in this case
login authentication VTY --- "enable login based on VTY profile of AAA which is local"
authorization exec VTY "enables the authorization based on the VTY author group, which is local"
So when the VTY login is prompted, AAA looks for the local username/password for authentication, which is cisco/cisco. Then for authorization it looks under "authorization exec VTY group local" and, as the local command "username cisco privi 15 pass cisco" specifies a level of 15, it authorizes user cisco for priv 15, therefore directly dropping the user into enable mode.
HTH
-secondie
Paul Dardinski wrote:
> Can someone elaborate? I thought the question was "is it possible to
> enable vty access with "NO" password authent?". Will lab this up, does
> this allow enable access vty with no further authent other then local
> login?
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Rick Fox
> Sent: Sunday, July 30, 2006 10:07 PM
> To: secondie@gmail.com
> Cc: Cisco certification
> Subject: RE: Enable access for VTY
>
> That's it.
>
> Line vty 0 4
> authorization exec VTY
>
> Thanks,
> Rick
>
> -----Original Message-----
> From: secondie [mailto:secondie@gmail.com]
> Sent: Sunday, July 30, 2006 9:59 PM
> To: Rick Fox
> Cc: Cisco certification
> Subject: Re: Enable access for VTY
>
> Only way I can think of is as below:
>
> aaa new-model
> aaa authentication login CONSOLE enable
> aaa authentication login VTY local
> aaa authorization exec VTY local
> enable password enable
> !
> username cisco privilege 15 password 0 cisco
>
>
> line con 0
> login authen CONSOLE
>
> line vty 0 4
> password a
> authorization exec VTY
> login authentication VTY
>
> *****************
> CONSOLE LOGIN:
> *****************
> R20 con0 is now available
>
> Press RETURN to get started.
>
>
> R20>en
> Password: enable (typed in for clarity)
> R20#
>
>
> *************
> VTY LOGIN:
> *************
> User Access Verification
>
> Username: cisco
> Password: cisco (typed in for clarity)
>
> R20#
> R20#
>
>
> HTH
> -secondie
>
>
> Rick Fox wrote:
>
>> So, is there a way to configure access so that when telnetting to a
>> router, local authentication is used, and you are immediately in enable
>> mode?
>>
>> The config provided from previous thread still requires additional login
>> to enable mode.
>>
>>>> aaa new-model
>>>> aaa authentication login CONSOLE enable
>>>> aaa authentication login VTY local
>>>> !
>>>> line console 0
>>>> login authentication CONSOLE
>>>> !
>>>> line vty 0 4
>>>> login authentication VTY
>>>> !
>>>>
>>>>
>>
> _______________________________________________________________________
>
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:48 ART
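An added example, not part of the original thread: a small Python audit that models the behaviour described above, where a local user's `privilege` level is applied at login only when the line also uses an exec authorization list containing `local`. The names `landing_levels` and `SAMPLE` are invented here, and the model is simplified: it assumes `privilege` directly follows the username and treats any method list that contains `local` as local.

```python
import re

# Constructed sample: the configuration quoted in the thread, indented as IOS shows it.
SAMPLE = """\
aaa new-model
aaa authentication login CONSOLE enable
aaa authentication login VTY local
aaa authorization exec VTY local
enable password enable
!
username cisco privilege 15 password 0 cisco
!
line con 0
 login authentication CONSOLE
!
line vty 0 4
 password a
 authorization exec VTY
 login authentication VTY
"""

def landing_levels(config):
    """Return {line: {username: privilege level at login}}; {} if login is not local."""
    authen, author, users, lines, cur = {}, {}, {}, {}, None
    for raw in config.splitlines():
        t = raw.strip()
        if m := re.match(r"aaa authentication login (\S+) (.+)", t):
            authen[m[1]] = m[2].split()
        elif m := re.match(r"aaa authorization exec (\S+) (.+)", t):
            author[m[1]] = m[2].split()
        elif m := re.match(r"username (\S+)(?: privilege (\d+))?", t):
            users[m[1]] = int(m[2] or 1)  # no privilege keyword means level 1
        elif m := re.match(r"line (.+)", t):
            cur = lines.setdefault(m[1], {})
        elif cur is not None and (m := re.match(r"login authen\S* (\S+)", t)):
            cur["authen"] = m[1]
        elif cur is not None and (m := re.match(r"authorization exec (\S+)", t)):
            cur["author"] = m[1]
    report = {}
    for name, cfg in lines.items():
        # A line with no named list falls back to the list called "default".
        local_login = "local" in authen.get(cfg.get("authen", "default"), [])
        local_author = "local" in author.get(cfg.get("author", "default"), [])
        report[name] = {u: (lvl if local_author else 1) for u, lvl in users.items()} if local_login else {}
    return report

if __name__ == "__main__":
    print(landing_levels(SAMPLE))  # lines where a user lands at 15 skip the enable prompt
```

Any username reported at level 15 on a VTY line reaches privileged EXEC with the login password alone, so the enable password gives no second check for that account.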