Mohammad,
My point was that both lines can't co-exist. One will override the
other. You will need to put the "none" at the end of the aaa statement to
fall back to none. You may have the word "login" under your vty or console
which would conflict with your login def local, and force it to use the local
authentication.
HOU-SW1(config)#aaa authentication login def local line
HOU-SW1(config)#do sh run | in aaa
aaa new-model
aaa authentication login default local line
aaa session-id common
HOU-SW1(config)#
HOU-SW1(config)#aaa authentication login def local line none
HOU-SW1(config)#
HOU-SW1(config)#do sh run | in aaa
aaa new-model
aaa authentication login default local line none
aaa session-id common
For your second question, you would have to write the commands using an authentication list of commands. PRIV1 would limit them from entering config t, but PRIV15, applied with a limited list of permissible commands to execute, would meet your requirements. It's pretty entailed, but here's a link to help. Step 2, page 3 should help get you started.
http://www.kellywalsh.org/teacher_pages/duane_reimer/ccnp/student/ccnp_2/en_CCNP2_v30/PDF/lab_11_3_2.pdf
Regards,
Jay McMickle- CCIE #35355
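A small model of the two points in the reply above (a second "default" list replaces the first, and a trailing "none" is reached only when the earlier methods are unavailable), added here as an example and not part of the thread or of IOS. It assumes the usual method-list semantics, where a PASS or FAIL from a method is final and only an unavailable method (ERROR, e.g. no local usernames or no line password configured) falls through to the next method; the user database and configuration lines are constructed.

```python
# Model of IOS AAA login method-list evaluation (added example, not IOS code).
# Assumptions: a method returns PASS, FAIL or ERROR; evaluation moves to the
# next method only on ERROR (method unavailable), never on FAIL; and a later
# "aaa authentication login default ..." line replaces an earlier one.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed device state: local user database and (absent) line password.
DEVICE = {"users": {"George": "George"}, "line_password": None}

def method_local(user, password, device):
    if not device["users"]:          # no username commands at all -> unavailable
        return ERROR
    return PASS if device["users"].get(user) == password else FAIL

def method_line(user, password, device):
    if device["line_password"] is None:   # no line password set -> unavailable
        return ERROR
    return PASS if password == device["line_password"] else FAIL

def method_none(user, password, device):
    return PASS                      # "none" never asks for credentials

METHODS = {"local": method_local, "line": method_line, "none": method_none}

def configure(lines):
    """Parse 'aaa authentication login <list> <methods...>' lines; a later line
    for the same list name overwrites the earlier one (they cannot co-exist)."""
    lists = {}
    for line in lines:
        words = line.split()
        if words[:3] == ["aaa", "authentication", "login"]:
            lists[words[3]] = words[4:]
    return lists

def authenticate(method_list, user, password, device=DEVICE):
    """Walk the list in order; PASS or FAIL is final, only ERROR falls through."""
    for name in method_list:
        result = METHODS[name](user, password, device)
        if result != ERROR:
            return result
    return FAIL                      # every method was unavailable

# Two separate 'default' statements: the second replaces the first.
separate = configure(["aaa authentication login default local",
                      "aaa authentication login default none"])
# One statement with the fallback appended, as in the reply above.
combined = configure(["aaa authentication login default local line none"])
```

Note that with usernames present, a wrong password against `local line none` still fails: the `none` at the end is a safety net for an empty user database, not a bypass for bad credentials.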
From: Mohammad Mousa <mohd-mousa_at_hotmail.com>
To: Jay McMickle <jay.mcmickle_at_yahoo.com>
Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
Sent: Friday, May 11, 2012 3:49 PM
Subject: Re: AAA
Hi Jay
My first question is, when I used the two separate statements, why can't I access the router even if I put a wrong username and password?
The second one: I need to create username George password George, for example. I want to give him only the ability to enter config mode and interface mode and nothing else. Why can't this happen unless you telnet to the router? Why can't you make it from the console if you log in with the same username! Thanks a lot Jay, appreciate that.
On May 11, 2012, at 11:29 PM, "Jay McMickle" <jay.mcmickle_at_yahoo.com> wrote:
> I might have misunderstood your 1st question, but when you enter both lines you put, the second overrides the first (only showing the 2nd line).
>
> If you want it to fall back, use-
>
> ....local def line none (on the same line)
>
> Second question-
> Priv 1 and 15 are the only ones that work.
>
> Regards,
> Jay McMickle- CCIE #35355
>
> Sent from iJay
>
> On May 11, 2012, at 12:58 PM, <mohd-mousa_at_hotmail.com> wrote:
>
>> Hi guys,
>>
>> I have two questions regarding the aaa authentication.
>>
>> First, when I do the following commands
>> -aaa authentication login default local
>> -aaa authentication login default none
>>
>> Guys, I know that the first statement will authenticate based on the username
>> and password defined in the local database of the router.
>> The second statement I used to avoid locking myself out of the router.
>>
>> When I get out of the router and get in, it will ask me for the username and password,
>> and I can't get in (if I don't put the username and pass).
>> My question is: should I access the router even without authentication, as the
>> second statement said?
>>
>> Second, I know there are two levels (8 for the user mode, 15 for the conf mode).
>>
>> I have the following commands
>> username k privilege 9 password k
>> privilege exec level 9 configure terminal
>> privilege configure level 9 interface
>> aaa authorization exec default local
>>
>> Why do these commands only work when I telnet to this router, while they aren't
>> working when I get in through the console?
>>
>> When I get in through telnet
>> show privi ---- it gave me level 9 (after I put the username & pass); it worked fine.
>> When I get in through the console
>> show privi ---- it gave me level 15 (after I put the username & pass).
>>
>> Thanks in advance
>>
>>
>> Blogs and organic groups at http://www.ccie.net
Received on Sat May 12 2012 - 05:09:03 ART