Sorry, that was meant to be:

aaa new-model
aaa authentication login default line none

On Mon, May 4, 2009 at 10:08 AM, Dale Shaw <dale.shaw_at_gmail.com> wrote:
> Hi,
>
> On Mon, May 4, 2009 at 3:37 AM, <ssflack_at_googlemail.com> wrote:
>>
>> Could someone please help!? I am trying to configure dot1x for switchport
>> interfaces but I want the telnet lines to only ask for a password, therefore
>> not breaking the rules of mock labs etc by changing the authentication
>> methods of the telnet lines.
>>
>> #aaa new-model
>> #aaa authentication login VTY line
>> #line vty 0 15
>> #login authentication VTY
>> #password cisco
>
> Putting aside any IOS bugs you may be encountering (referring to your
> newer post), I personally think it's "safer" to go with:
>
> aaa new-model
> aaa authentication login default line
>
> (assuming the following defaults:
> line vty 0 15
> password whatever
> login
> )
>
> One could argue that creating a non-default/named access method, then
> explicitly applying a "login authentication <method>" command on the
> VTY lines, is actually changing the VTY line login method "more" than
> necessary. When I'm enabling dot1x or working on a similar
> AAA-related task (in practice labs, NOT the real world!), I go with:
>
> aaa new-model
> aaa authentication dot1x default group radius
> aaa authentication login default line none
>
> This means that without applying any configuration to console or VTY
> lines, they behave as they did before -- if there's a line-level
> password, it's used. If there's not, access is granted without
> authentication. I guess one difference is that without aaa new-model,
> if you have "login" on a VTY line, but no password defined, you can't
> log in.
>
> If you run into something like this in the lab, I'd confirm with the
> proctor exactly what kind of end result they're looking for, both in
> terms of behaviour and configuration entries. Don't expect a
> completely enlightening response though ;-)
>
> cheers,
> Dale
Received on Mon May 04 2009 - 10:09:02 ART
This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 07:04:41 ART
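
The method-list fallback described in the quoted message (a line password is used when present, otherwise `none` grants access) can be checked against a saved configuration before it is relied on. The Python script below is an added example, not part of the thread: it assumes `aaa new-model` is enabled, models only the `line` and `none` login methods, and its function names and sample configuration are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread): vty 0-4 has a password, vty 5-15 has none.
SAMPLE = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authentication login default line none
line con 0
line vty 0 4
 password cisco
line vty 5 15
"""

def parse(config):
    """Return (login method lists, per-line settings) from IOS-style config text."""
    lists, lines, cur = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            lists[m.group(1)] = m.group(2).split()
            cur = None
        elif raw.startswith("line "):
            cur = lines.setdefault(text, {"password": False, "list": "default"})
        elif cur is not None and raw.startswith(" "):
            if text.startswith("password "):
                cur["password"] = True
            elif text.startswith("login authentication "):
                cur["list"] = text.split()[2]
        else:
            cur = None  # any other top-level command ends the line block
    return lists, lines

def login_outcome(methods, has_password):
    """Walk a method list: 'line' without a password falls through to the next method."""
    for method in methods:
        if method == "line" and has_password:
            return "line password"
        if method == "none":
            return "no authentication"
        if method != "line":
            return "unmodelled: " + method  # group/local/enable are out of scope here
    return "denied"  # list exhausted with no usable method

def audit(config):
    """Map each line block to the login outcome of the method list it uses."""
    lists, lines = parse(config)
    return {name: (login_outcome(lists[s["list"]], s["password"])
                   if s["list"] in lists else "list not defined")
            for name, s in lines.items()}
```

Any line reported as "no authentication" is one where the trailing `none` is doing the work, which is the case to look for outside a practice lab.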