Jay, the link is dead, but great solution, man.
BR
On 12 May 2012, at 13:09, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
> Mohammad,
> My point was that both lines can't co-exist. One will override the
> other. You will need to put the "none" at the end of the aaa statement to
> fall back to none. You may have the word "login" under your vty or console
> which would conflict with your login def local, and force it to use the local
> authentication.
>
> HOU-SW1(config)#aaa authentication login def local line
> HOU-SW1(config)#do sh run | in aaa
> aaa new-model
> aaa authentication login default local line
> aaa session-id common
> HOU-SW1(config)#
> HOU-SW1(config)#aaa authentication login def local line none
> HOU-SW1(config)#
> HOU-SW1(config)#do sh run | in aaa
> aaa new-model
> aaa authentication login default local line none
> aaa session-id common
>
>
> For your second question, you would have to write the commands using an
> authentication list of commands. PRIV1 would limit them from entering
> config t, but PRIV15, applied with a limited list of permissible commands
> to execute, would meet your requirements. It's pretty entailed, but here's
> a link to help. Step 2, page 3 should help get you started.
> http://www.kellywalsh.org/teacher_pages/duane_reimer/ccnp/student/ccnp_2/en_CCNP2_v30/PDF/lab_11_3_2.pdf
>
>
> Regards,
> Jay McMickle- CCIE #35355
>
>
> From: Mohammad Mousa <mohd-mousa_at_hotmail.com>
> To: Jay McMickle <jay.mcmickle_at_yahoo.com>
> Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
> Sent: Friday, May 11, 2012 3:49 PM
> Subject: Re: AAA
> Hi Jay
>
> My first question is, when I used the two separate statements, why can't I
> access the router even if I put a wrong username and password?
> The second one: I need to create username George password George, for
> example. I want to allow him only to enter the config mode and interface
> mode and not do anything else. Why can't this happen unless you telnet to
> the router? Why can't you do it from the console if you log in with the
> same username? Thanks a lot Jay, appreciate that.
> On May 11, 2012, at 11:29 PM, "Jay McMickle" <jay.mcmickle_at_yahoo.com> wrote:
>
>> I might have misunderstood your 1st question, but when you enter both
>> lines you put, the second overrides the first (only showing the 2nd line).
>>
>> If you want it to fall back, use-
>>
>> ....local def line none (on the same line)
>>
>> Second question-
>> Priv 1 and 15 are the only ones that work.
>>
>> Regards,
>> Jay McMickle- CCIE #35355
>>
>> Sent from iJay
>>
>> On May 11, 2012, at 12:58 PM, <mohd-mousa_at_hotmail.com> wrote:
>>
>>> Hi guys,
>>>
>>> I have two questions regarding the aaa authentication.
>>>
>>> First, when I do the following commands:
>>> -aaa authentication login default local
>>> -aaa authentication login default none
>>>
>>> Guys, I know that the first statement will authenticate based on the
>>> username and password defined on the local database of the router.
>>>
>>> The second statement I used to avoid locking myself out of the router.
>>>
>>> When I get out of the router and get back in, it asks me for the username
>>> and password, and I can't get in (if I don't put the username and pass).
>>> My question is: should I be able to access the router even without
>>> authentication, as the second statement said?
>>>
>>> Second, I know there are two levels (8 for the user mode, 15 for the conf
>>> mode).
>>>
>>> I have the following commands:
>>>
>>> username k privilege 9 password k
>>> privilege exec level 9 configure terminal
>>> privilege configure level 9 interface
>>> aaa authorization exec default local
>>>
>>> Why do these commands only work when I telnet to this router, while they
>>> don't work when I get in through the console?
>>>
>>> When I get in through telnet:
>>> show privi ---- it gave me level 9 (after I put the username & pass), it
>>> worked fine
>>> When I get in through the console:
>>> show privi ---- it gave me level 15 (after I put the username & pass)
>>>
>>> Thanks in advance
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
Received on Sat May 12 2012 - 13:14:40 ART
This archive was generated by hypermail 2.2.0 : Sun Jun 17 2012 - 09:04:19 ART
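
Added example (not part of the original thread and not written by any of its posters): a small Python check that applies the rule Jay describes, that a later "aaa authentication login" line for the same list replaces the earlier one, to running-config text and flags lists where "none" is the only method or the fallback. The sample configs are constructed from the commands quoted in the thread; the function names are hypothetical, and the input is assumed to be in "show run" form (full keywords, not CLI abbreviations such as "def").

```python
import re

# Constructed sample: the two separate statements from the original question.
QUESTION_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login default none
aaa session-id common
"""

# Constructed sample: the single-line form shown in Jay's reply.
ANSWER_CONFIG = """\
aaa new-model
aaa authentication login default local line none
aaa session-id common
"""

LOGIN_RE = re.compile(r"^\s*aaa authentication login (\S+)\s+(.+?)\s*$")

def effective_login_lists(config):
    """Return ({list_name: [method tokens]}, [(list_name, replaced_methods)]).

    One method list is kept per name: a later line replaces the earlier one.
    """
    lists, replaced = {}, []
    for line in config.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        name, methods = m.group(1), m.group(2).split()
        if name in lists:
            replaced.append((name, lists[name]))
        lists[name] = methods
    return lists, replaced

def audit(config):
    """Flag overridden lists and lists that can end in unauthenticated access."""
    lists, replaced = effective_login_lists(config)
    findings = [(name, "overridden", old) for name, old in replaced]
    for name, methods in lists.items():
        if "none" not in methods:
            continue
        kind = "no-authentication" if methods[0] == "none" else "falls-back-to-none"
        findings.append((name, kind, methods))
    return lists, findings

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("answer", ANSWER_CONFIG)):
        lists, findings = audit(cfg)
        print(label, lists, findings)
```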