AAA and vty authentication

Apr 14th, 2007

If I have this configuration:


RouterA#show config

username forum password 0 A34@#
!
aaa new-model
aaa authentication login LETMEIN local
aaa authentication login TO_CONSOLE group tacacs+ local
!
line con 0
 login authentication TO_CONSOLE
!
line vty 0 3
 password class
 login authentication LETMEIN


Based on the configuration shown above, users that telnet into the router are to be authenticated via the AAA line labeled "LETMEIN". This line says that the local user database should be used, so users that enter "forum" as the username, and "A34@#" as the password will be granted access to the router.


What is the use of the password "class"? Do we need it?



Correct Answer by Craig Balfour, Sat, 04/14/2007 - 09:04

This password is known as the line password as it is configured on the line interface. In your configuration it is not used at all and can probably be removed.


This password is used as the login password when you are not using "aaa new-model". This password is probably left over from the days before you used AAA for authentication on the device.


If you wanted to you could add the line password to your aaa authentication line:


aaa authentication login LETMEIN local line


... in which case, telnet access would use local usernames and passwords, but if these were unavailable for some reason (perhaps because you forgot to create them or accidentally deleted them) the device could fall back to using the line password for authentication. This is not really that useful, as one mostly uses local as a backup for a network-based authentication source such as tacacs+, in case the tacacs+ server is unreachable via the network, which is far more likely than a problem occurring with your local user accounts.
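
To make the fallback order in both method lists concrete (the questioner's `LETMEIN` and `TO_CONSOLE` lists, and the `local line` variant suggested in the answer), here is an added Python simulation. It is not code from the forum post or from Cisco; it models the IOS rule that a later method in a login method list is consulted only when the earlier method is unavailable (returns an error: no usernames configured, no line password set, TACACS+ server unreachable), not when that method rejects the credentials. The `Router` class, the method functions and the sample credentials are constructed for this illustration.

```python
"""Simulation of Cisco IOS 'aaa authentication login' method-list evaluation.

Constructed example, not the poster's or Cisco's code. Modelled rule: IOS walks
the method list left to right and moves to the next method only when the
current one returns ERROR (method unavailable), never when it returns FAIL
(credentials rejected). If every method returns ERROR the login is denied.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Router:
    """Hypothetical router state relevant to the three methods used on the page."""
    usernames: Dict[str, str] = field(default_factory=dict)   # 'username X password Y'
    line_password: Optional[str] = None                        # 'password class' on the line
    tacacs_reachable: bool = False                             # can we reach the tacacs+ group?
    tacacs_users: Dict[str, str] = field(default_factory=dict)


def method_local(r: Router, user: str, pw: str) -> str:
    # With no 'username' commands at all the local database is unavailable -> ERROR.
    if not r.usernames:
        return ERROR
    return PASS if r.usernames.get(user) == pw else FAIL


def method_line(r: Router, user: str, pw: str) -> str:
    # The line password ignores the username; absent password -> method unavailable.
    if r.line_password is None:
        return ERROR
    return PASS if pw == r.line_password else FAIL


def method_tacacs(r: Router, user: str, pw: str) -> str:
    # Unreachable server -> ERROR (fall through); reachable server decides PASS/FAIL.
    if not r.tacacs_reachable:
        return ERROR
    return PASS if r.tacacs_users.get(user) == pw else FAIL


METHODS = {"local": method_local, "line": method_line, "group tacacs+": method_tacacs}


def parse_method_list(cmd: str) -> Tuple[str, List[str]]:
    """Parse 'aaa authentication login NAME m1 m2 ...' into (NAME, [methods]).
    'group tacacs+' is two tokens on the command line but one method."""
    tokens = cmd.split()
    if tokens[:3] != ["aaa", "authentication", "login"]:
        raise ValueError("not an 'aaa authentication login' command: " + cmd)
    name, rest = tokens[3], tokens[4:]
    methods: List[str] = []
    i = 0
    while i < len(rest):
        if rest[i] == "group":
            methods.append("group " + rest[i + 1])
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    return name, methods


def authenticate(router: Router, methods: List[str], user: str, pw: str):
    """Return (verdict, trace). trace lists (method, result) for every method consulted."""
    trace: List[Tuple[str, str]] = []
    for m in methods:
        result = METHODS[m](router, user, pw)
        trace.append((m, result))
        if result != ERROR:          # PASS or FAIL is final; only ERROR falls through
            return result, trace
    return FAIL, trace               # every method unavailable -> access denied


if __name__ == "__main__":
    # Constructed credentials taken from the question's configuration.
    router = Router(usernames={"forum": "A34@#"}, line_password="class")
    name, ml = parse_method_list("aaa authentication login LETMEIN local line")
    print(name, ml, authenticate(router, ml, "forum", "A34@#"))
    # Wrong password: local FAILs, so the line password 'class' is never consulted.
    print(authenticate(router, ml, "forum", "class"))
```

Run it directly to see the traces. The second call is the caveat that the answer hints at: once `local` has usernames configured, a wrong password is a FAIL and the trailing `line` method is never tried, so the line password only matters when the local database is empty. The same rule is what makes `group tacacs+ local` useful on the console: an unreachable server returns ERROR and the router falls back to `local`.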
