From: nhatphuc (nhatphuc@gmail.com)
Date: Tue Apr 17 2007 - 13:14:16 ART
Hi Victor,
I changed to "aaa authen login default local" and added "aaa authen enable
default enable", but it doesn't work.
This is the output:
Router#sh run
Building configuration...
enable password cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login TELNET group radius
!
aaa session-id common
!
!
username phuc password 0 phuc
interface GigabitEthernet0/0
ip address 192.168.1.99 255.255.255.0
duplex auto
speed auto
!
ip http server
no ip http secure-server
!
radius-server local
nas 192.168.1.99 key 0 cisco
group User
block count 2 time 15
!
user admin nthash 7
115B495C34445A5B500E0A70716316033625425153700A7E72012F5439330F0B03
!
radius-server host 192.168.1.99 auth-port 1812 acct-port 1813 key cisco
!
control-plane
!
line con 0
line aux 0
transport input telnet
line vty 0 4
login authentication TELNET
!
Router#ena
Router#enable view
Password:
% Authentication failed
Router#enable view
Password:
% Authentication failed
Router#conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ena
Router(config)#enable sec
Router(config)#enable secret class
Router(config)#exit
Router#enable view
Password:
% Authentication failed
Router#conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#aaa authentication enable default enable
Router(config)#exit
Router#enable view
Password:
% Authentication failed
Router#enable view
Password:
% Authentication failed
Router#sh run
Building configuration...
Current configuration : 1597 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service password-recovery
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$n.Jd$9jXsiBUhjQm/K8P1PVIBf/
enable password cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login TELNET group radius
aaa authentication enable default enable
!
aaa session-id common
!
username phuc password 0 phuc
secure boot-image
secure boot-config
!
interface GigabitEthernet0/0
ip address 192.168.1.99 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.3.1 255.255.255.0
no ip unreachables
duplex auto
speed auto
!
ip http server
no ip http secure-server
!
radius-server local
nas 192.168.1.99 key 0 cisco
group User
block count 2 time 15
!
user admin nthash 7
115B495C34445A5B500E0A70716316033625425153700A7E72012F5439330F0B03
!
radius-server host 192.168.1.99 auth-port 1812 acct-port 1813 key cisco
!
line con 0
line aux 0
transport input telnet
line vty 0 4
login authentication TELNET
!
Please note that I can enable root view if I only enable aaa using the aaa
new-model command and don't put any aaa authen,... on the router.
Thanks
Phuc
On 4/17/07, Victor Cappuccio <victor@ccbootcamp.com> wrote:
>
> Ouchhh I am sorry, I did not read your email completely
>
> Here is the router output when configured to login none..
>
> R1#enable view
> R1#
> *Apr 17 07:26:41.378: %AAA-6-USER_BLOCKED: Enable view requires to be
> authenticated by non-none methods,Please use the appropriate method with the
> login authentication
>
> Solution
> R1#
> R1#conf ter
> Enter configuration commands, one per line. End with CNTL/Z.
> R1(config)#aaa authentication login default local
> R1(config)#^Z
> R1#
> *Apr 17 07:27:16.854: %SYS-5-CONFIG_I: Configured from console by
> consoleena
> R1#enable view
> Password:
>
> R1#
> *Apr 17 07:27:22.114: %PARSER-6-VIEW_SWITCH: successfully set to view
> 'root'.
>
> :)
>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com on behalf of Victor Cappuccio
> Sent: Tue 4/17/2007 0:11
> To: nhatphuc; Cisco certification
> Subject: RE: Role-base CLI
>
> Hi Phuc,
>
> Role Base System is like configuring a Unix style in Cisco router ;)
>
> The first thing is to enable aaa
> aaa new-model
> enables different levels of authentication, authorization and accounting
>
> From here we need to move into the Root mode, and the default password
> would be the enable secret password
>
>
> R1(config)#enable secret cisco
> R1(config)#aaa new-model
> R1(config)#exit
> R1#
> *Apr 17 07:05:27.238: %SYS-5-CONFIG_I: Configured from console by cons
> R1#enable view
> Password:
> !PASSWORD HERE IS cisco
> R1#
> *Apr 17 07:05:34.350: %PARSER-6-VIEW_SWITCH: successfully set to view
> 'root'.
> R1#
> So now we can configure views for different users
> (like 15 different views).
> Using the parser view you can configure other views,
> monitor or something else.
> To configure a password for that view use the secret command,
> and to set the commands available for that view use command
>
> R1#conf ter
> Enter configuration commands, one per line. End with CNTL/Z.
> R1(config)#parser ?
> % Ambiguous command: "parser "
> but you can still complete the command and that would be accepted by the
> IOS
> R1(config)#parser view monitor
>
> R1(config-view)#
> *Apr 17 07:09:24.850: %PARSER-6-VIEW_CREATED: view 'monitor' successfully
> created.?
> View commands:
> commands Configure commands for a view
> default Set a command to its defaults
> exit Exit from view configuration mode
> no Negate a command or set its defaults
> secret Set a secret for the current view
>
> R1(config-view)#secret cisco
> R1(config-view)#commands exec ?
> exclude Exclude the command from the view
> include Add command to the view
> include-exclusive Include in this view but exclude from others
> R1(config-view)#commands exec include show ver
>
>
> to get into the view level
> R1#enable view monitor
> Password:
>
> R1#show ?
> flash: display information about flash: file system
> parser Display parser information
> version System hardware and software status
>
> So only show version is available for this view
>
> R1#show ver | in IOS
> Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version
> 12.4(7a), RELEASE SOFTWARE (fc3)
>
> HTH
>
>
> thanks,
> Victor Cappuccio.-
> Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
> Cisco Learning credits!
> victor@ccbootcamp.com
> http://www.ccbootcamp.com (Cisco Training and Rental Racks)
> http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
> Voice: 702-968-5100
> FAX: 702-446-8012
>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com on behalf of nhatphuc
> Sent: Tue 4/17/2007 4:33
> To: Cisco certification
> Subject: Role-base CLI
>
> Hi Group,
>
> I'm configuring Role-base CLI
>
> My config as follows:
>
> enable password cisco
>
> aaa new-model
> aaa authentication login default none
> aaa authentication login TELNET group radius
> aaa authentication enable default enable
>
> interface GigabitEthernet0/0
> ip address 192.168.1.99 255.255.255.0
> duplex auto
> speed auto
> !
> radius-server local
> nas 192.168.1.99 key 0 cisco
> group User
> block count 2 time 15
> !
> user user1 pass user1
> !
> radius-server host 192.168.1.99 auth-port 1812 acct-port 1813 key cisco
>
> line con 0
> line aux 0
> transport input telnet
> line vty 0 4
> login authentication TELNET
>
> When I enable root view, router says authentication failed although I
> input
> the correct password cisco:
>
> Router#enable view
> Password:
> % Authentication failed
>
> If I delete these commands:
>
> aaa authentication login default none
> aaa authentication login TELNET group radius
> aaa authentication enable default enable
>
> I can enable root view using enable password.
>
> How can I configure Role-base CLI together with aaa authentication?
>
> Thanks
>
> Phuc
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
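
The preconditions this thread names for `enable view` (`aaa new-model`, an `enable secret`, and a default login method list that is not `none`) can be checked offline against a saved running-config. The sketch below is an added example, not code from either poster; `audit_view_prereqs`, the finding codes and the sample config are constructed for illustration, and it also lists credentials stored without type-7 encoding.

```python
import re

# Constructed sample modelled on the first config posted in this thread.
SAMPLE_CONFIG = """\
no service password-encryption
enable password cisco
aaa new-model
aaa authentication login default none
aaa authentication login TELNET group radius
username phuc password 0 phuc
radius-server local
 nas 192.168.1.99 key 0 cisco
line vty 0 4
 login authentication TELNET
"""

def audit_view_prereqs(config):
    """Return (code, detail) findings for the `enable view` preconditions
    named in the thread, plus credentials stored without type-7 encoding."""
    lines = [s.strip() for s in config.splitlines()]
    lines = [s for s in lines if s and s != "!"]
    findings = []

    if "aaa new-model" not in lines:
        findings.append(("NO_AAA", "aaa new-model is not configured"))
    if not any(s.startswith("enable secret ") for s in lines):
        findings.append(("NO_ENABLE_SECRET", "root view password is the enable secret"))

    for s in lines:
        m = re.fullmatch(r"aaa authentication login (\S+) (.+)", s)
        # Assumption: only the default list is checked, and `none` anywhere in
        # it is reported (the thread shows only the `default none` case).
        if m and m.group(1) == "default" and "none" in m.group(2).split():
            findings.append(("LOGIN_NONE", s))

    # Cleartext: `password` or `key` followed by anything but a type-7 marker.
    for s in lines:
        if re.search(r"\b(?:password|key) (?!7 )\S", s):
            findings.append(("CLEARTEXT", s))
    return findings

if __name__ == "__main__":
    for code, detail in audit_view_prereqs(SAMPLE_CONFIG):
        print(f"{code:17} {detail}")
```

A clean result only means these preconditions hold; it does not explain every `% Authentication failed` seen in the thread.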
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:36 ART