Re: aaa authentication and vty lines

From: Dale Shaw <dale.shaw_at_gmail.com>
Date: Mon, 4 May 2009 10:08:02 +1000

Hi,

On Mon, May 4, 2009 at 3:37 AM, <ssflack_at_googlemail.com> wrote:
>
> Could someone please help!? I am trying to configure dot1x for switchport
> interfaces but I want the telnet lines to only ask for a password, therefore
> not breaking the rules of mock labs etc by changing the authentication
> methods of the telnet lines.
>
> #aaa new-model
> #aaa authentication login VTY line
> #line vty 0 15
> #login authentication VTY
> #password cisco

Putting aside any IOS bugs you may be encountering (referring to your
newer post), I personally think it's "safer" to go with:

aaa new-model
aaa authentication login default line

(assuming the following defaults:
line vty 0 15
 password whatever
 login
)

One could argue that creating a non-default/named access method, then
explicitly applying a "login authentication <method>" command on the
VTY lines, is actually changing the VTY line login method "more" than
necessary. When I'm enabling dot1x or working on a similar
AAA-related task (in practice labs, NOT the real world!), I go with:

aaa new-model
aaa authentication dot1x default group radius
aaa authentication login default line none

This means that without applying any configuration to console or VTY
lines, they behave as they did before -- if there's a line-level
password, it's used. If there's not, access is granted without
authentication. I guess one difference is that without aaa new-model,
if you have "login" on a VTY line, but no password defined, you can't
login.

If you run into something like this in the lab, I'd confirm with the
proctor exactly what kind of end result they're looking for, both in
terms of behaviour and configuration entries. Don't expect a
completely enlightening response though ;-)

cheers,
Dale
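
The point above about "line" versus "line none" comes down to how IOS walks a login method list: it moves to the next method only when the current one is unusable (an error, such as no line password being set), never when a password is simply wrong. The following model is an added illustration, not code from the thread or from Cisco; the functions and the classic non-AAA branch are my simplification, and it also covers the wrong-password case the post does not spell out.

```python
"""Model of how Cisco IOS walks an 'aaa authentication login' method list.

Added example (assumption: a method returns pass, fail, or error; IOS
falls through to the next method only on error, not on a rejection).
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"    # credential rejected: stop and deny access
    ERROR = "error"  # method unusable: try the next one in the list


def method_line(line_cfg, supplied):
    """'line' method: compare against the line password, if one is set."""
    password = line_cfg.get("password")
    if password is None:
        return Result.ERROR  # no line password -> method cannot be used
    return Result.PASS if supplied == password else Result.FAIL


def method_none(line_cfg, supplied):
    """'none' method: grant access unconditionally."""
    return Result.PASS


METHODS = {"line": method_line, "none": method_none}


def login_allowed(method_list, line_cfg, supplied, aaa_new_model=True):
    """Return True if a VTY login with password 'supplied' succeeds.

    method_list: ["line", "none"] models 'aaa authentication login default line none'.
    line_cfg: dict with optional 'password' and 'login' keys for the VTY line.
    aaa_new_model=False models the classic 'login' / 'password' line behaviour.
    """
    if not aaa_new_model:
        if not line_cfg.get("login"):
            return True  # 'no login': session granted without a password
        # 'login' with no password set: IOS refuses the session
        # ("Password required, but none set")
        password = line_cfg.get("password")
        return password is not None and supplied == password
    for name in method_list:
        result = METHODS[name](line_cfg, supplied)
        if result is Result.PASS:
            return True
        if result is Result.FAIL:
            return False
    return False  # every method errored out and no 'none' at the end: deny
```

With "line" alone, a VTY that has no password denies everyone, whereas "line none" lets everyone in; a wrong password is rejected under both, because a rejection never falls through.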

Received on Mon May 04 2009 - 10:08:02 ART