copy and paste both lines of the link. It's active.
http://www.kellywalsh.org/teacher_pages/duane_reimer/ccnp/student/ccnp_2/en_C
CNP2_v30/PDF/lab_11_3_2.pdf
Regards,
Jay McMickle- CCIE #35355
From: Tony Singh <mothafungla_at_gmail.com>
To: Jay McMickle <jay.mcmickle_at_yahoo.com>
Cc: Mohammad Mousa <mohd-mousa_at_hotmail.com>; "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
Sent: Saturday, May 12, 2012 7:14 AM
Subject: Re: AAA
Jay link is dead, but great solution man.
BR
Sent from my iPhone on 3
On 12 May 2012, at 13:09, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
> Mohammad,
> My point was that both lines can't co-exist. One will override the
> other. You will need to put the "none" at the end of the aaa statement to
> fall back to none. You may have the word "login" under your vty or console
> which would conflict with your login def local, and force it to use the local
> authentication.
>
> HOU-SW1(config)#aaa authentication login def local line
> HOU-SW1(config)#do sh run | in aaa
> aaa new-model
> aaa authentication login default local line
> aaa session-id common
> HOU-SW1(config)#
> HOU-SW1(config)#aaa authentication login def local line none
> HOU-SW1(config)#
> HOU-SW1(config)#do sh run | in aaa
> aaa new-model
> aaa authentication login default local line none
> aaa session-id common
>
> For your second question, you would have to write the
> commands using an authentication list of commands. PRIV1 would limit them
> from entering config t, but PRIV15, applied with a limited list of permissible
> commands to execute, would meet your requirements. It's pretty entailed, but
> here's a link to help. Step 2, page 3 should help get you started.
> http://www.kellywalsh.org/teacher_pages/duane_reimer/ccnp/student/ccnp_2/en_C
> CNP2_v30/PDF/lab_11_3_2.pdf
>
> Regards,
> Jay McMickle- CCIE #35355
>
> From: Mohammad Mousa <mohd-mousa_at_hotmail.com>
> To: Jay McMickle <jay.mcmickle_at_yahoo.com>
> Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
> Sent: Friday, May 11, 2012 3:49 PM
> Subject: Re: AAA
> Hi Jay
>
> My first question is, when I used the two separate statements, why
> can't I access the router even if I put a wrong username and password?
> The second one: I need to create username George password George, for
> example. I want to allow him only to enter the config mode and interface
> mode and not do anything else. Why can't this happen unless you telnet to
> the router? Why can't you do it from the console if you log in with the
> same username?
> Thanks a lot Jay, appreciate that.
> On May 11, 2012, at 11:29 PM, "Jay McMickle" <jay.mcmickle_at_yahoo.com> wrote:
>
>> I might have misunderstood your 1st question, but when you enter both
>> lines you put, the second overrides the first (only showing the 2nd line).
>>
>> If you want it to fall back, use-
>>
>> ....local def line none (on the same line)
>>
>> Second question-
>> Priv 1 and 15 are the only ones that work.
>>
>> Regards,
>> Jay McMickle- CCIE #35355
>> Sent from iJay
>>
>> On May 11, 2012, at 12:58 PM, <mohd-mousa_at_hotmail.com> wrote:
>>
>>> Hi guys,
>>>
>>> I have two questions regarding the aaa authentication,
>>>
>>> first, when I do the following commands
>>> -aaa authentication login default local
>>> -aaa authentication login default none
>>>
>>> guys, I know that the first statement will authenticate based on the
>>> username and password defined on the local database of the router.
>>> Second statement I used to avoid locking myself out of the router.
>>>
>>> When I get out of the router and get in, it will ask me for the username
>>> and password, and I can't get in (if I don't put the username and pass).
>>> My question is, should I access the router even without authentication,
>>> as the second statement said?
>>>
>>> Second, I know there are two levels (8 for the usermode, 15 for the conf
>>> mode)
>>>
>>> I have the following commands
>>> username k privilege 9 pass k
>>> privilege exe level 9 configure terminal
>>> privilege configure level 9 interface
>>> aaa authorization exec default local
>>>
>>> Why do these commands only work when I telnet to this router, while they
>>> aren't working when I get in through the console?
>>>
>>> when I get in through telnet
>>> show privi ---- it gave me level 9 (after I put the username & pass), it
>>> worked fine
>>> when I get in through the console
>>> show privi ---- it gave me level 15 (after I put the username & pass)
>>>
>>> Thanks in advance
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
Received on Sat May 12 2012 - 05:17:17 ART
This archive was generated by hypermail 2.2.0 : Sun Jun 17 2012 - 09:04:19 ART
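
The override and fall-back behaviour discussed in this thread, as an added example that is not part of the original messages: a small Python check over `aaa authentication login` lines that resolves which method list is effective when the same list name is entered twice and flags lists that end in `none`. The function names and the two sample inputs are constructed for illustration.

```python
import re

# Matches lines such as: aaa authentication login default local line none
LOGIN_LIST = re.compile(r"^\s*aaa authentication login (\S+)\s+(.+?)\s*$")

def effective_login_lists(config_text):
    """Return ({list_name: [methods]}, [(list_name, replaced_methods)]).

    Entering the same list name again replaces the earlier definition,
    so only the last line per list name is effective.
    """
    effective, overridden = {}, []
    for line in config_text.splitlines():
        m = LOGIN_LIST.match(line)
        if not m:
            continue
        name, methods = m.group(1), m.group(2).split()
        if name in effective:
            overridden.append((name, effective[name]))
        effective[name] = methods
    return effective, overridden

def audit(config_text):
    """Report replaced definitions and lists that can skip authentication."""
    effective, overridden = effective_login_lists(config_text)
    findings = []
    for name, methods in overridden:
        findings.append(f"{name}: '{' '.join(methods)}' replaced by a later line")
    for name, methods in effective.items():
        if methods == ["none"]:
            findings.append(f"{name}: no authentication at all")
        elif methods[-1] == "none":
            earlier = ", ".join(methods[:-1])
            findings.append(f"{name}: falls back to no authentication after {earlier}")
    return findings

# Constructed input: the two separate statements from the original question,
# in the order they were typed.
SEPARATE = """aaa new-model
aaa authentication login default local
aaa authentication login default none
"""
# Constructed input: the single-line form shown in the reply.
COMBINED = """aaa new-model
aaa authentication login default local line none
aaa session-id common
"""

if __name__ == "__main__":
    for label, cfg in (("separate", SEPARATE), ("combined", COMBINED)):
        print(label, audit(cfg))
```

A trailing `none` is worth flagging in a config review because it lets a login through without credentials whenever the earlier methods are unavailable.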