RE: aaa authentication and vty lines

From: <ssflack_at_googlemail.com>
Date: Mon, 4 May 2009 12:02:01 +0100

Ryan, Dale,

I would also agree that the best solution is:

aaa authentication login default line none

This adheres to all the rules and is also the tidiest method.

I managed to verify this with my setup and got it working on 12.2(25)SEE3
perfectly; this must have been a bug. You can imagine my frustration trying
to get this to work!!

Thanks for all your help.

Regards,
Sean

-----Original Message-----
From: Ryan West [mailto:rwest_at_zyedge.com]
Sent: 04 May 2009 01:21
To: Dale Shaw; ssflack_at_googlemail.com
Cc: ccielab_at_groupstudy.com
Subject: RE: aaa authentication and vty lines

I would agree with you on that. There is a mock lab with a similar
scenario, but you're instructed to keep the password on the VTY line and
disable authentication on the console.

Here's with the default console, using:

aaa authentication login default line none

Rack1SW2#
*Mar 2 02:01:42.376: AAA/BIND(00000005): Bind i/f
*Mar 2 02:01:42.376: AAA/AUTHEN/LOGIN (00000005): Pick method list 'default'
*Mar 2 02:01:42.376: AAA/AUTHEN/LINE(00000005): FAIL Line password not found

And then with a new group set to none.

aaa authentication login NONE none

Rack1SW2#
*Mar 2 02:03:36.259: AAA/BIND(00000006): Bind i/f
*Mar 2 02:03:36.259: AAA/AUTHEN/LOGIN (00000006): Pick method list 'NONE'

Either way I was able to get back in. I guess I would ask the proctor what
he wants to see. FYI, for the mock lab, they used the default group for
line and another group for console.

-ryan

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Dale Shaw
Sent: Sunday, May 03, 2009 8:08 PM
To: ssflack_at_googlemail.com
Cc: ccielab_at_groupstudy.com
Subject: Re: aaa authentication and vty lines

Hi,

On Mon, May 4, 2009 at 3:37 AM, <ssflack_at_googlemail.com> wrote:
>
> Could someone please help!? I am trying to configure dot1x for switchport
> interfaces but I want the telnet lines to only ask for a password,
> therefore not breaking the rules of mock labs etc by changing the
> authentication methods of the telnet lines.
>
> #aaa new-model
> #aaa authentication login VTY line
> #line vty 0 15
> #login authentication VTY
> #password cisco

Putting aside any IOS bugs you may be encountering (referring to your
newer post), I personally think it's "safer" to go with:

aaa new-model
aaa authentication login default line

(assuming the following defaults:
line vty 0 15
 password whatever
 login
)

One could argue that creating a non-default/named access method, then
explicitly applying a "login authentication <method>" command on the
VTY lines, is actually changing the VTY line login method "more" than
necessary. When I'm enabling dot1x or working on a similar
AAA-related task (in practice labs, NOT the real world!), I go with:

aaa new-model
aaa authentication dot1x default group radius
aaa authentication login default line none

This means that without applying any configuration to console or VTY
lines, they behave as they did before -- if there's a line-level
password, it's used. If there's not, access is granted without
authentication. I guess one difference is that without aaa new-model,
if you have "login" on a VTY line, but no password defined, you can't
login.

If you run into something like this in the lab, I'd confirm with the
proctor exactly what kind of end result they're looking for, both in
terms of behaviour and configuration entries. Don't expect a
completely enlightening response though ;-)

cheers,
Dale
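Dale's point above (with "line none" a VTY that has no line password lets anyone in, and without aaa new-model a "login" line with no password lets nobody in) can be checked mechanically. The following Python audit is an added example, not code from the thread or from Cisco: it parses an IOS-style running-config text, works out which login method list each VTY range uses, and flags ranges that are open or unreachable. The sample configuration is constructed for the example; the "locked-out" rule for a bare "line" method with no password is an assumption based on Ryan's debug output.

```python
import re
# Constructed sample running-config (not from the thread): 'line' with a password,
# 'none' first, and the default 'line none' list on a VTY range with no password.
CONFIG = """\
aaa new-model
aaa authentication login default line none
aaa authentication login VTY line
aaa authentication login NONE none
line vty 0 4
 password cisco
 login authentication VTY
line vty 5 9
 login authentication NONE
line vty 10 15
"""

def parse_login_lists(cfg):
    """Method-list name -> ordered methods from 'aaa authentication login'."""
    return {m.group(1): m.group(2).split() for m in
            re.finditer(r"^aaa authentication login (\S+) (.+)$", cfg, re.M)}

def parse_vty_blocks(cfg):
    """'vty 0 4' -> its indented sub-commands, for every 'line vty' block."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        if raw.startswith("line vty"):
            current = raw[5:].strip()
            blocks[current] = []
        elif current and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks

def audit_vty(cfg):
    """Return [(vty range, issue)] for ranges that are open or unreachable."""
    aaa, lists, findings = "aaa new-model" in cfg.splitlines(), parse_login_lists(cfg), []
    for name, cmds in parse_vty_blocks(cfg).items():
        has_pw = any(c.startswith("password ") for c in cmds)
        if not aaa:  # classic model: 'login' with no password refuses everyone
            if "login" in cmds and not has_pw:
                findings.append((name, "locked-out"))
            continue
        explicit = [c.split()[2] for c in cmds if c.startswith("login authentication ")]
        methods = lists.get(explicit[0] if explicit else "default", [])
        if methods[:1] == ["none"] or ("none" in methods and not has_pw):
            findings.append((name, "open-access"))  # no credential is ever checked
        elif methods == ["line"] and not has_pw:
            findings.append((name, "locked-out"))   # 'line' fails, no method to fall to
    return findings
```

Run against the sample, "vty 0 4" is fine (its list is "line" and a password exists), while "vty 5 9" and "vty 10 15" are reported as open-access.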

Received on Mon May 04 2009 - 12:02:01 ART