Re: Enable access for VTY

From: secondie (secondie@gmail.com)
Date: Mon Jul 31 2006 - 10:06:02 ART


This thread is kind of a continuation of another thread posted by me
earlier. One of the requirements was to use AAA.

Hope this clarifies.

Gregory W. Posey Jr. wrote:
> Why not...
> username cisco password cisco
> line vty 0 4
> login local
> privilege level 15
> Thank you,
> Greg Posey Jr.
> CCIE #7981
> CCSP, CCSI
> M.S. EE
>
> secondie writes:
>> I think it is for "no enable password".
>> Here is the brief description:
>> "aaa authentication login VTY local" --- sets up VTY as local auth
>> group
>> "aaa authorization exec VTY local" --- sets up authorization as
>> local
>> line vty 0 4
>> password a -- "this line has no relevance to the authen or author as
>> both are based on AAA, so ignored by VTY login", could be used as
>> second choice but not configured in this case
>> login authentication VTY --- "enable login based on VTY profile of
>> AAA which is local"
>>
>> authorization exec VTY "enables the authorization based on the VTY
>> author group, which is local"
>> So when VTY login is prompted, AAA looks for local
>> username/password for authentication, which is cisco/cisco. Then for
>> authorization it looks under "authorization exec VTY group local" and
>> as local command "username cisco privi 15 pass cisco" specifies level
>> of 15, it authorizes user cisco for priv 15, therefore directly
>> dropping user into enable mode.
>> HTH
>> -secondie
>>
>> Paul Dardinski wrote:
>>> Can someone elaborate? I thought the question was "is it possible to
>>> enable vty access with "NO" password authent?". Will lab this up, does
>>> this allow enable access vty with no further authent other than local
>>> login?
>>> -----Original Message-----
>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>> Rick Fox
>>> Sent: Sunday, July 30, 2006 10:07 PM
>>> To: secondie@gmail.com
>>> Cc: Cisco certification
>>> Subject: RE: Enable access for VTY
>>> That's it.
>>> Line vty 0 4
>>> authorization exec VTY
>>> Thanks,
>>> Rick
>>> -----Original Message-----
>>> From: secondie [mailto:secondie@gmail.com]
>>> Sent: Sunday, July 30, 2006 9:59 PM
>>> To: Rick Fox
>>> Cc: Cisco certification
>>> Subject: Re: Enable access for VTY
>>> Only way I can think of is as below:
>>> aaa new-model
>>> aaa authentication login CONSOLE enable
>>> aaa authentication login VTY local
>>> aaa authorization exec VTY local
>>> enable password enable
>>> !
>>> username cisco privilege 15 password 0 cisco
>>>
>>> line con 0
>>> login authen CONSOLE
>>> line vty 0 4
>>> password a
>>> authorization exec VTY
>>> login authentication VTY
>>> *****************
>>> CONSOLE LOGIN:
>>> *****************
>>> R20 con0 is now available
>>> Press RETURN to get started.
>>>
>>> R20>en
>>> Password: enable (typed in for clarity)
>>> R20#
>>>
>>> *************
>>> VTY LOGIN:
>>> *************
>>> User Access Verification
>>> Username: cisco
>>> Password: cisco (typed in for clarity)
>>> R20#
>>> R20#
>>>
>>> HTH
>>> -secondie
>>>
>>> Rick Fox wrote:
>>>> So, is there a way to configure access so that when telnetting to a
>>>> router, local authentication is used, and you are immediately in
>>>> enable mode?
>>>> The config provided from previous thread still requires additional
>>>> login to enable mode.
>>>>
>>>>
>>>>>> aaa new-model
>>>>>> aaa authentication login CONSOLE enable
>>>>>> aaa authentication login VTY local
>>>>>> !
>>>>>> line console 0
>>>>>> login authentication CONSOLE
>>>>>> !
>>>>>> line vty 0 4
>>>>>> login authentication VTY
>>>>>> !
>>>>
>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>

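Added example, not part of the original thread: a small Python audit that models the behaviour described above, reporting the privilege level each local user lands at on each line and flagging privilege-15 accounts stored with a cleartext password. The function name `audit` is hypothetical, and the model assumes only named method lists explicitly applied to a line, with `local` as the method of interest.

```python
import re

# Configuration quoted in the thread, embedded so the script runs offline.
THREAD_CONFIG = """\
aaa new-model
aaa authentication login CONSOLE enable
aaa authentication login VTY local
aaa authorization exec VTY local
enable password enable
!
username cisco privilege 15 password 0 cisco
!
line con 0
 login authen CONSOLE
line vty 0 4
 password a
 authorization exec VTY
 login authentication VTY
"""

def audit(config):
    """Return (landing, findings); landing maps (line, user) -> privilege at login."""
    authn, authz, users, lines, cur = {}, {}, {}, {}, None
    for raw in config.splitlines():
        s = raw.strip()
        if m := re.match(r"aaa authentication login (\S+) (.+)", s):
            authn[m[1]] = m[2].split()
        elif m := re.match(r"aaa authorization exec (\S+) (.+)", s):
            authz[m[1]] = m[2].split()
        elif m := re.match(r"username (\S+)(?: privi\S* (\d+))? pass\S* (?:(\d) )?\S+", s):
            users[m[1]] = (int(m[2] or 1), m[3])  # privilege defaults to 1
        elif m := re.match(r"line (.+)", s):
            cur = lines.setdefault(m[1], {})
        elif cur is not None and (m := re.match(r"login authen\S* (\S+)", s)):
            cur["authn"] = m[1]  # abbreviated form "login authen" is accepted
        elif cur is not None and (m := re.match(r"authorization exec (\S+)", s)):
            cur["authz"] = m[1]
    landing, findings = {}, []
    for name, ln in lines.items():
        if "local" not in authn.get(ln.get("authn"), []):
            continue  # this line does not authenticate against local usernames
        exec_local = "local" in authz.get(ln.get("authz"), [])
        for user, (priv, _) in users.items():
            # Without exec authorization the username's privilege is not applied.
            landing[(name, user)] = priv if exec_local else 1
    for user, (priv, ptype) in users.items():
        if priv == 15 and ptype in (None, "0"):
            findings.append(f"{user}: privilege 15 with cleartext password")
    return landing, findings
```

Removing the line-level `authorization exec VTY` from the sample reproduces the earlier behaviour in the thread, where the user still has to enter enable mode separately.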


This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:49 ART