Super duper cool guys, many thanks. I have spent much of the night playing
with AAA.
The link is quite helpful, and it spells it out right there. Nice! I
appreciate you sharing this.
Frog - interesting to hear other applications are affected. There always
seems to be something else involved ... I am glad I asked, and thanks for
answering!!!!!
Gary - this is great! Nice to see the debugs. I just recreated your test
as well ... I see the same thing.
Gary and Ted - thanks for the long and short link ;-) ... lol, it is all
good.
Thanks again!
On Mon, May 16, 2011 at 9:24 PM, Ted Sell <tedsell_at_gmail.com> wrote:
> Is there some reason the contributors of this list never shorten these long
> URLs?
> This link below could be:
>
> http://goo.gl/ubpGP
>
> Just wondering
> Cheers,
> Ted
>
>
>
> On 5/16/2011 9:06 PM, garry baker wrote:
>
>> There is some good documentation in the command reference which states,
>> "On the console, login will succeed without any authentication checks if
>> *default* keyword is not set"
>>
>>
>>
>> http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html#wp1088074
>>
>> I did a test with a debug, and I see interesting things: without 'aaa
>> authentication login default local' set explicitly, you get a method on the
>> line vty called 'Permanent Local' and on the console 'Permanent None'.
>>
>> aaa authentication login default local
>> aaa authentication login CONSOLE none
>> aaa authentication login VTY local
>> R3(config)#do sh run | s line
>> line con 0
>> exec-timeout 0 0
>> logging synchronous
>> login authentication CONSOLE
>> line aux 0
>> line vty 0 4
>> R3(config)#do sh debug
>> General OS:
>> AAA Authentication debugging is on
>> R3(config)#
>> *Mar 1 01:44:02.859: AAA/BIND(00000008): Bind i/f
>> *Mar 1 01:44:02.863: AAA/AUTHEN/LOGIN (00000008): Pick method list
>> 'default'
>>
>> R3(config)#no aaa authentication login default local
>> R3(config)#
>> *Mar 1 01:44:56.595: AAA/BIND(00000009): Bind i/f
>> *Mar 1 01:44:56.599: AAA/AUTHEN/LOGIN (00000009): Pick method list
>> 'Permanent Local'
>> R3(config)#line vty 0 4
>> R3(config-line)#login authentication VTY
>> R3(config-line)#
>> *Mar 1 01:45:51.691: AAA/BIND(0000000A): Bind i/f
>> *Mar 1 01:45:51.695: AAA/AUTHEN/LOGIN (0000000A): Pick method list 'VTY'
>>
>> WITH THE DEFAULT CONSOLE config:
>> R3(config-line)#do sh run | s line
>> line con 0
>> exec-timeout 0 0
>> logging synchronous
>> line aux 0
>> line vty 0 4
>> login authentication VTY
>> *Mar 1 01:51:05.899: AAA/BIND(0000000C): Bind i/f
>> *Mar 1 01:51:05.903: AAA/AUTHEN/LOGIN (0000000C): Pick method list
>> 'Permanent None'
>> *Mar 1 01:51:07.215: AAA: parse name=tty0 idb type=-1 tty=-1
>> *Mar 1 01:51:07.215: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0
>> adapter=0 port=0 channel=0
>> *Mar 1 01:51:07.215: AAA/MEMORY: create_user (0x66055A94) user='NULL'
>> ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII
>> service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
>> *Mar 1 01:51:07.219: AAA/AUTHEN/START (1384604581): port='tty0' list=''
>> action=LOGIN service=ENABLE
>> *Mar 1 01:51:07.219: AAA/AUTHEN/START (1384604581): console enable -
>> default to enable password (if any)
>> *Mar 1 01:51:07.219: AAA/AUTHEN/START (1384604581): Method=ENABLE
>> R3#
>> *Mar 1 01:51:07.219: AAA/AUTHEN(1384604581): can't find any passwords
>> *Mar 1 01:51:07.219: AAA/AUTHEN(1384604581): Status=ERROR
>> *Mar 1 01:51:07.223: AAA/AUTHEN/START (1384604581): Method=NONE
>> *Mar 1 01:51:07.223: AAA/AUTHEN(1384604581): Status=PASS
>> *Mar 1 01:51:07.223: AAA/MEMORY: free_user (0x66055A94) user='NULL'
>> ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE
>> priv=15 vrf= (id=0)
>> --
>> Garry L. Baker
>>
>> "With sufficient thrust, pigs fly just fine..." - RFC 1925
>>
>>
>>
>> On Tue, May 17, 2011 at 2:54 AM, ALL From_NJ <all.from.nj_at_gmail.com>
>> wrote:
>>
>>> Hey team,
>>>
>>> I am trying to study a bunch of things tonight, and figured I would 'punt'
>>> this one to the group to see if anyone has a good link or anything.
>>>
>>> Question - when I configure aaa for a particular method, for example ssh,
>>> ppp, or whatever, and I create a new list name, will this affect the
>>> default list in any way?
>>>
>>> For example, let's say I create a list called ppp, but do not change the
>>> default and only specify my new list on my ppp interfaces. Is the default
>>> still in effect for the console, web, or vty ports?
>>>
>>> My testing says yes, but you know (LOL!!!)... perhaps I am missing
>>> something also (would not be the first time ;-)). Just figured I would
>>> send this out there to see if anyone had additional comments or thoughts.
>>>
>>> Any good suggestions for links?
>>>
>>> TIA,
>>>
>>> --
>>> Andrew Lee Lissitz
>>> all.from.nj_at_gmail.com
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>>
--
Andrew Lee Lissitz
all.from.nj_at_gmail.com

Received on Mon May 16 2011 - 22:04:46 ART
This archive was generated by hypermail 2.2.0 : Wed Jun 01 2011 - 09:01:11 ART
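
An added example, not part of the thread and not Cisco tooling: a small Python audit that applies the method-list selection visible in Garry's debug output (the 'default' list if one is defined, otherwise 'Permanent None' on the console and 'Permanent Local' on vty lines) to a running-config and reports lines that log in with no credential check. It assumes `aaa new-model` is enabled and a normally indented config; the sample config is constructed, the function names are hypothetical, and `line aux` is not modelled because the thread does not test it.

```python
import re

# Constructed sample, modelled on the R3 "default console" config in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login VTY local
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login authentication VTY
"""

# Implicit lists named in the thread's debug output when no 'default' list exists.
FALLBACK = {"con": "Permanent None", "vty": "Permanent Local"}
PERMANENT = {"Permanent None": ["none"], "Permanent Local": ["local"]}


def effective_login_lists(config):
    """Map each 'line con'/'line vty' block to (method list name, methods)."""
    lists, bound, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        aaa = re.match(r"aaa authentication login (\S+) (.+)", text)
        if aaa:
            lists[aaa.group(1)] = aaa.group(2).split()
        elif re.match(r"line (con|vty) ", text):
            current = text
            bound[current] = None
        elif not raw.startswith(" "):
            current = None  # any other top-level command ends the line block
        elif current and text.startswith("login authentication "):
            bound[current] = text.split()[2]
    result = {}
    for header, name in bound.items():
        if name is None:  # no explicit binding on the line
            name = "default" if "default" in lists else FALLBACK[header.split()[1]]
        # A bound name with no matching definition is reported as 'undefined'.
        methods = lists.get(name) or PERMANENT.get(name, ["undefined"])
        result[header] = (name, methods)
    return result


def unauthenticated_lines(config):
    """Line blocks whose first login method is 'none' (no credential check)."""
    return [header for header, (_, methods) in effective_login_lists(config).items()
            if methods[0] == "none"]
```

Run against the sample, `unauthenticated_lines(SAMPLE_CONFIG)` flags `line con 0`; adding `aaa authentication login default local` to the config clears the finding.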