RE: aaa authentication and vty lines

From: Ryan West <rwest_at_zyedge.com>
Date: Sun, 3 May 2009 20:20:55 -0400

I would agree with you on that. There is a mock lab with a similar scenario, but you're instructed to keep the password on the VTY line and disable authentication on the console.

Here's with the default console, using:

aaa authentication login default line none

Rack1SW2#
*Mar 2 02:01:42.376: AAA/BIND(00000005): Bind i/f
*Mar 2 02:01:42.376: AAA/AUTHEN/LOGIN (00000005): Pick method list 'default'
*Mar 2 02:01:42.376: AAA/AUTHEN/LINE(00000005): FAIL Line password not found

And then with a new group set to none.

aaa authentication login NONE none

Rack1SW2#
*Mar 2 02:03:36.259: AAA/BIND(00000006): Bind i/f
*Mar 2 02:03:36.259: AAA/AUTHEN/LOGIN (00000006): Pick method list 'NONE'

Either way I was able to get back in. I guess I would ask the proctor what he wants to see. FYI, for the mock lab, they used the default group for line and another group for console.

-ryan

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Dale Shaw
Sent: Sunday, May 03, 2009 8:08 PM
To: ssflack_at_googlemail.com
Cc: ccielab_at_groupstudy.com
Subject: Re: aaa authentication and vty lines

Hi,

On Mon, May 4, 2009 at 3:37 AM, <ssflack_at_googlemail.com> wrote:
>
> Could someone please help!? I am trying to configure dot1x for switchport
> interfaces but I want the telnet lines to only ask for a password, therefore
> not breaking the rules of mock labs etc by changing the authentication
> methods of the telnet lines.
>
> #aaa new-model
> #aaa authentication login VTY line
> #line vty 0 15
> #login authentication VTY
> #password cisco

Putting aside any IOS bugs you may be encountering (referring to your
newer post), I personally think it's "safer" to go with:

aaa new-model
aaa authentication login default line

(assuming the following defaults:
line vty 0 15
 password whatever
 login
)

One could argue that creating a non-default/named access method, then
explicitly applying a "login authentication <method>" command on the
VTY lines, is actually changing the VTY line login method "more" than
necessary. When I'm enabling dot1x or working on a similar
AAA-related task (in practice labs, NOT the real world!), I go with:

aaa new-model
aaa authentication dot1x default group radius
aaa authentication login default line none

This means that without applying any configuration to console or VTY
lines, they behave as they did before -- if there's a line-level
password, it's used. If there's not, access is granted without
authentication. I guess one difference is that without aaa new-model,
if you have "login" on a VTY line, but no password defined, you can't
login.

If you run into something like this in the lab, I'd confirm with the
proctor exactly what kind of end result they're looking for, both in
terms of behaviour and configuration entries. Don't expect a
completely enlightening response though ;-)

cheers,
Dale
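The two configurations below are an added example, not something posted in this thread. The first is the lab-style method list the discussion revolves around, annotated with what the "none" fallback actually does to a line that has no password; the second is the shape a practitioner would use outside a practice lab. Hostnames, addresses (192.0.2.0/24), server names and the placeholder secrets are assumptions for illustration only.

```cisco
! --- Lab-style AAA as discussed in the thread ---
! 'line' uses the line-level password if one is configured; 'none' is
! consulted when 'line' cannot be used (e.g. "Line password not found"),
! and 'none' always succeeds. The 'default' list applies to every line
! that has no explicit 'login authentication' statement: con, aux, vty.
aaa new-model
aaa authentication dot1x default group radius
aaa authentication login default line none
!
line con 0
 ! no 'password' here -> login is granted with no authentication at all
line vty 0 15
 password cisco
 ! 'login' is implied once aaa new-model is on; the line password is used
!
! --- Production-style equivalent (assumed names and addresses) ---
! No 'none' anywhere. RADIUS first, local account only if RADIUS is
! unreachable, console pinned to local, VTYs restricted to SSH from a
! management range.
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
aaa authentication dot1x default group radius
aaa authentication login default group radius local
aaa authentication login CONSOLE local
aaa authentication enable default group radius enable
username admin privilege 15 secret <strong-password>
enable secret <strong-enable-password>
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
ip ssh version 2
line con 0
 login authentication CONSOLE
 exec-timeout 10 0
line vty 0 15
 login authentication default
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 10 0
```

Two points worth checking before committing either version. First, a method list only falls through to the next method when the previous one returns an error (server unreachable, no line password configured), not when a user supplies a wrong password, so "group radius local" does not let an attacker who fails RADIUS retry against the local database; it only keeps you from being locked out when the RADIUS server is down. Second, with "line none" any line that lacks a password, including the console and aux, is an unauthenticated login, which is exactly why Dale flags this as a practice-lab pattern and not one for the real world.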

Blogs and organic groups at http://www.ccie.net
Received on Sun May 03 2009 - 20:20:55 ART