Sean,
Looks like it might be a bug. Are you on a 3560?
Rack1SW2#sr | b line vty 0
line vty 0 4
password cisco
login authentication VTY
line vty 5 15
password cisco
login authentication VTY
!
Rack1SW2#sr | i aaa
aaa new-model
aaa authentication login VTY line
aaa session-id common
Rack1SW2#show log | i AAA
*Mar 2 01:39:44.173: AAA/BIND(00000003): Bind i/f
*Mar 2 01:39:44.173: AAA/AUTHEN/LOGIN (00000003): Pick method list 'VTY'
*Mar 2 01:39:44.181: AAA/AUTHEN/LINE(00000003): GET_PASSWORD
*Mar 2 01:39:46.639: AAA/AUTHEN/LINE(00000003): PASS
Rack1SW2#s ver | i IOS
Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)
-ryan
-----Original Message-----
From: ssflack_at_googlemail.com [mailto:ssflack_at_googlemail.com]
Sent: Sunday, May 03, 2009 7:48 PM
To: Ryan West; ccielab_at_groupstudy.com
Subject: RE: aaa authentication and vty lines
Hi Ryan,
Thanks for your help. Having looked a bit further I think this could
actually be a bug with the IOS version I'm using, 12.2(44)SE. What version
are you using just to verify?
Regards,
Sean
-----Original Message-----
From: Ryan West [mailto:rwest_at_zyedge.com]
Sent: 03 May 2009 22:26
To: ssflack_at_googlemail.com; ccielab_at_groupstudy.com
Subject: RE: aaa authentication and vty lines
Sean,
There is nothing wrong with your configuration that I can see based on what
you posted. I was pretty sure it looked correct, but I have verified in my
lab as well. Not sure offhand what else it might be.
Could you post your 's run | s line vty' and 's run | i aaa'?
-ryan
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
ssflack_at_googlemail.com
Sent: Sunday, May 03, 2009 1:38 PM
To: ccielab_at_groupstudy.com
Subject: aaa authentication and vty lines
Hi All,
Could someone please help!? I am trying to configure dot1x for switchport
interfaces but I want the telnet lines to only ask for a password, therefore
not breaking the rules of mock labs etc. by changing the authentication
methods of the telnet lines.
So I have done the following configuration:
#aaa new-model
#aaa authentication login VTY line
#line vty 0 15
#login authentication VTY
#password cisco
I'm sure this is correct, but when I telnet from another device to the
switch (or to itself for that matter), I get the following, no password
prompt and nothing else (with debug aaa authentication enabled):
Rack1SW2(config-line)#do telnet 150.1.8.8
Trying 150.1.8.8 ... Open
*Mar 12 04:23:51.567: AAA/BIND(00000009): Bind i/f
*Mar 12 04:23:51.567: AAA/AUTHEN/LOGIN (00000009): Pick method list 'VTY'
From here I have to manually ctrl-shift-6 x out to do anything else. I do
not have any access-lists configured that could affect the config and if I
set the aaa authentication login method to "none", it does not ask for a
password and continues as expected to the switch prompt.
Thanks in advance,
Regards,
Sean
Received on Sun May 03 2009 - 19:56:05 ART
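Added example (not part of the original thread): a Python sketch that groups `debug aaa authentication` output by session ID and reports how far each login got, run over the two captures quoted in the thread. The function name and status labels are illustrative assumptions; only the message strings that appear in the thread are recognised.

```python
import re

# Matches the AAA debug lines shown in the thread, e.g.
#   *Mar 2 01:39:44.181: AAA/AUTHEN/LINE(00000003): GET_PASSWORD
AAA_LINE = re.compile(
    r"AAA/(?P<facility>[A-Z/]+)\s*\((?P<sid>[0-9A-Fa-f]{8})\):\s*(?P<msg>.*)$")
METHOD_LIST = re.compile(r"Pick method list '(?P<name>[^']+)'")

# Debug lines copied from the two captures in the thread.
SAMPLE_LOG = """\
*Mar 2 01:39:44.173: AAA/BIND(00000003): Bind i/f
*Mar 2 01:39:44.173: AAA/AUTHEN/LOGIN (00000003): Pick method list 'VTY'
*Mar 2 01:39:44.181: AAA/AUTHEN/LINE(00000003): GET_PASSWORD
*Mar 2 01:39:46.639: AAA/AUTHEN/LINE(00000003): PASS
*Mar 12 04:23:51.567: AAA/BIND(00000009): Bind i/f
*Mar 12 04:23:51.567: AAA/AUTHEN/LOGIN (00000009): Pick method list 'VTY'
"""

def classify_sessions(log_text):
    """Group AAA debug lines by session id and report how far each login got."""
    sessions = {}
    for line in log_text.splitlines():
        m = AAA_LINE.search(line)
        if not m:
            continue  # not an AAA debug line
        s = sessions.setdefault(
            m["sid"], {"method_list": None, "prompted": False, "passed": False})
        msg = m["msg"].strip()
        picked = METHOD_LIST.search(msg)
        if picked:
            s["method_list"] = picked["name"]
        elif m["facility"] == "AUTHEN/LINE" and msg == "GET_PASSWORD":
            s["prompted"] = True
        elif m["facility"] == "AUTHEN/LINE" and msg == "PASS":
            s["passed"] = True
    report = {}
    for sid, s in sessions.items():
        if s["passed"]:
            status = "authenticated"
        elif s["prompted"]:
            status = "prompted, no result logged"
        elif s["method_list"]:
            status = "stalled before password prompt"
        else:
            status = "no method list selected"
        report[sid] = (s["method_list"], status)
    return report

if __name__ == "__main__":
    for sid, (mlist, status) in classify_sessions(SAMPLE_LOG).items():
        print(f"session {sid}: method list {mlist!r}: {status}")
```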