There is some good documentation in the command reference which states, "On
the console, login will succeed without any authentication checks if *default*
keyword is not set":
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html#wp1088074
I did a test with a debug, and an interesting thing I see is that without the 'aaa
authentication login default local' set explicitly, you get a method on the
line vty called 'Permanent Local' and on the console 'Permanent None':
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authentication login VTY local
R3(config)#do sh run | s line
line con 0
exec-timeout 0 0
logging synchronous
login authentication CONSOLE
line aux 0
line vty 0 4
R3(config)#do sh debug
General OS:
AAA Authentication debugging is on
R3(config)#
*Mar 1 01:44:02.859: AAA/BIND(00000008): Bind i/f
*Mar 1 01:44:02.863: AAA/AUTHEN/LOGIN (00000008): Pick method list 'default'
R3(config)#no aaa authentication login default local
R3(config)#
*Mar 1 01:44:56.595: AAA/BIND(00000009): Bind i/f
*Mar 1 01:44:56.599: AAA/AUTHEN/LOGIN (00000009): Pick method list 'Permanent Local'
R3(config)#line vty 0 4
R3(config-line)#login authentication VTY
R3(config-line)#
*Mar 1 01:45:51.691: AAA/BIND(0000000A): Bind i/f
*Mar 1 01:45:51.695: AAA/AUTHEN/LOGIN (0000000A): Pick method list 'VTY'
WITH THE DEFAULT CONSOLE config:
R3(config-line)#do sh run | s line
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login authentication VTY
*Mar 1 01:51:05.899: AAA/BIND(0000000C): Bind i/f
*Mar 1 01:51:05.903: AAA/AUTHEN/LOGIN (0000000C): Pick method list 'Permanent None'
*Mar 1 01:51:07.215: AAA: parse name=tty0 idb type=-1 tty=-1
*Mar 1 01:51:07.215: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
*Mar 1 01:51:07.215: AAA/MEMORY: create_user (0x66055A94) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar 1 01:51:07.219: AAA/AUTHEN/START (1384604581): port='tty0' list='' action=LOGIN service=ENABLE
*Mar 1 01:51:07.219: AAA/AUTHEN/START (1384604581): console enable - default to enable password (if any)
*Mar 1 01:51:07.219: AAA/AUTHEN/START (1384604581): Method=ENABLE
R3#
*Mar 1 01:51:07.219: AAA/AUTHEN(1384604581): can't find any passwords
*Mar 1 01:51:07.219: AAA/AUTHEN(1384604581): Status=ERROR
*Mar 1 01:51:07.223: AAA/AUTHEN/START (1384604581): Method=NONE
*Mar 1 01:51:07.223: AAA/AUTHEN(1384604581): Status=PASS
*Mar 1 01:51:07.223: AAA/MEMORY: free_user (0x66055A94) user='NULL' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
--
Garry L. Baker
"With sufficient thrust, pigs fly just fine..." - RFC 1925
On Tue, May 17, 2011 at 2:54 AM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
> Hey team,
>
> I am trying to study a bunch of things tonight, and figured I would 'punt'
> this one to the group to see if anyone has a good link or anything.
>
> Question - when I configure aaa for a particular method, for example ssh,
> ppp, or whatever, and I create a new list name, will this affect the default
> list in any way?
>
> For example, let's say I create a list called ppp, but do not change the
> default and only specify my new list on my ppp interfaces. Is the default
> still in effect for the console, web, or vty ports?
>
> My testing says yes, but you know (LOL!!!)... perhaps I am missing something
> also (would not be the first time ;-)). Just figured I would send this out
> there to see if anyone had additional comments or thoughts.
>
> Any good suggestions for links?
>
> TIA,
>
> --
> Andrew Lee Lissitz
> all.from.nj_at_gmail.com
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
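Added example, not part of this thread: a small Python audit that applies the rule Garry observed to a running-config fragment, resolving which login method list each line actually ends up with and flagging any line that gets no real credential check. The two config fragments are constructed from the post; treating aux like vty (falling back to 'Permanent Local') is an assumption, since the post only shows console and vty.

```python
import re
# Implicit lists IOS uses when a line has no named list and no 'default'
# list exists (names as they appear in 'debug aaa authentication').
IMPLICIT = {"con": ("Permanent None", ["none"]),   # console: no auth checks
            "vty": ("Permanent Local", ["local"])}  # assumed for aux as well

CONFIG_WITH_DEFAULT = """
aaa authentication login default local
aaa authentication login CONSOLE none
aaa authentication login VTY local
line con 0
 login authentication CONSOLE
line vty 0 4
"""  # constructed fragment mirroring the post's first config
CONFIG_NO_DEFAULT = """
aaa authentication login VTY local
line con 0
line vty 0 4
 login authentication VTY
"""  # constructed fragment mirroring the post's 'default' removed state

def parse_config(text):
    """Return ({list name: methods}, {line: named list or None})."""
    lists, bindings, current = {}, {}, None
    for cmd in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"aaa authentication login (\S+) (.+)", cmd)
        if m:
            lists[m.group(1)], current = m.group(2).split(), None
        elif cmd.startswith("line "):
            current = cmd[5:]                 # e.g. "con 0", "vty 0 4"
            bindings.setdefault(current, None)
        elif cmd.startswith("login authentication ") and current:
            bindings[current] = cmd.split()[2]
    return lists, bindings

def effective_list(lists, bindings, line):
    """Resolve the (list name, methods) a line actually authenticates with."""
    named = bindings.get(line)
    if named:
        return named, lists.get(named, [])    # [] => list never defined
    if "default" in lists:
        return "default", lists["default"]
    return IMPLICIT.get(line.split()[0], IMPLICIT["vty"])

def audit(text):
    """Map each line to (list name, methods, flagged); flagged = no real check."""
    lists, bindings = parse_config(text)
    return {line: (name, methods, not methods or "none" in methods)
            for line in bindings
            for name, methods in [effective_list(lists, bindings, line)]}
```

Run audit() over the output of 'show run | s line' plus the 'aaa authentication login' lines to see which console or vty ends up on 'Permanent None' or on a list containing 'none'.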
Received on Tue May 17 2011 - 04:06:05 ART
This archive was generated by hypermail 2.2.0 : Wed Jun 01 2011 - 09:01:11 ART