Password set for logging into Console

Apr 24th, 2008
I have most of my customers' network devices set to use TACACS+ through an ACS server to authenticate remote admins who SSH to these devices.

I was attempting to set up a cryptic password as the authentication means for console access to any of the devices. This is in case we have to log into any of the devices locally and the ACS server is not available for any reason.

I used the IOS command "password" and then configured a password. However, when testing, the devices all still ask for a username when I connect to a console port to log in.

Is there any reason this would be happening?

Thanks

Jagdeep Gambhir Thu, 04/24/2008 - 13:24

Remove the login local command under the line console configuration.

Router(config)#line con 0

Router(config-line)#no login local



Regards,

~JG


Do rate helpful posts

Jagdeep Gambhir Fri, 04/25/2008 - 04:51

Please mark it resolved, so others can benefit from it.



Richard Burts Fri, 04/25/2008 - 08:20

If I have understood the original post then I do not believe that it is an issue of login local. If aaa new-model is configured so that the vty will authenticate to ACS then it also means that the console will authenticate with the default authentication method - which is probably set to TACACS.


If you do not want the console to authenticate with tacacs then try configuring this:

aaa authentication login consoleauth line

line con 0

login authentication consoleauth


HTH


Rick

Jagdeep Gambhir Fri, 04/25/2008 - 09:04

Oops, sorry, my bad.



Rick is 100% correct here; we need to make a method list for the console.



Thanks for the correction, Rick.






Richard Burts Fri, 04/25/2008 - 09:19

JG


No problem. We all help to keep each other straight. That is part of what makes the forum so very good.


HTH


Rick

Kevin Melton Sat, 04/26/2008 - 05:21
Gentlemen


Let me take this a step further. If I configure the following statement, does this not roll back to the local userbase if in fact TACACS does not respond?

aaa authentication login default group tacacs+ local

I had moved forward and configured this on not only the vty lines (which are the most vulnerable to UA attempts), but on the console line as well by using:

router(config)#line con 0

router(config-line)#login authentication default


Thanks to both of you for your participation in this. I look forward to your response. I want my customers' networks to be as secure as possible.

Kevin

Richard Burts Sat, 04/26/2008 - 13:51

Kevin


Perhaps it is a terminology thing, but I am not clear what you are asking when you say: "does this not roll back the local userbase if in fact tacacs does not respond".


So let me respond by saying what that command will do.

aaa authentication login default group tacacs+ local

will attempt to authenticate with the configured TACACS server(s), and if there is no response from TACACS, or if the response from TACACS is an error (note that fail is a very different response from error), then it will attempt to authenticate with the locally configured user ID and password. If attempting local authentication, and the entered user ID does not exist in the locally configured set of users, or the entered password does not match the configured password for the user ID entered, then authentication will fail.


HTH


Rick
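The method-list behaviour Rick describes above (no response or error from TACACS falls through to the next method, an explicit REJECT stops the list) and the console-specific list from his earlier reply (`aaa authentication login consoleauth line`) can be checked against a small model. The following Python is an added example written for this thread, not Cisco IOS code or anything posted by the participants; it follows Rick's description literally (a user ID missing from the local database counts as a fail, not an error), and the user names, passwords and the `prompts_for_username` helper are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

# Added example, not from the forum thread. It models the IOS AAA method-list
# semantics Rick describes: ERROR (no answer) falls through to the next method,
# FAIL (an explicit REJECT) stops the list, PASS accepts the login.


class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method answered and rejected the credentials
    ERROR = "error"  # the method could not answer (server unreachable)


@dataclass
class Method:
    name: str             # keyword as it appears in 'aaa authentication login'
    needs_username: bool  # whether the line must prompt for a username
    check: Callable[[Optional[str], str], Result]


def tacacs_group(server_up: bool, users: Dict[str, str]) -> Method:
    """'group tacacs+': ERROR when no server responds, otherwise ACCEPT/REJECT."""
    def check(username, password):
        if not server_up:
            return Result.ERROR
        if username is not None and users.get(username) == password:
            return Result.PASS
        return Result.FAIL
    return Method("group tacacs+", True, check)


def local_db(users: Dict[str, str]) -> Method:
    """'local': the 'username X password Y' entries stored on the device."""
    def check(username, password):
        if username is not None and users.get(username) == password:
            return Result.PASS
        return Result.FAIL
    return Method("local", True, check)


def line_password(configured: str) -> Method:
    """'line': the 'password' configured under the line; no username is asked."""
    def check(username, password):
        return Result.PASS if password == configured else Result.FAIL
    return Method("line", False, check)


def prompts_for_username(method_list: List[Method]) -> bool:
    """A line prompts for a username if any method in its list needs one."""
    return any(m.needs_username for m in method_list)


def authenticate(method_list: List[Method], username: Optional[str],
                 password: str) -> Tuple[bool, List[str]]:
    """Walk the method list in order and return (accepted, trace of results)."""
    trace = []
    for m in method_list:
        r = m.check(username, password)
        trace.append(f"{m.name}:{r.value}")
        if r is Result.PASS:
            return True, trace
        if r is Result.FAIL:
            return False, trace   # an explicit reject ends the list
        # ERROR: fall through to the next configured method
    return False, trace            # every method errored: nobody could answer


# Constructed sample credentials (hypothetical, not from the thread).
ACS_USERS = {"netadmin": "Acs-Pass-1"}
LOCAL_USERS = {"emergency": "Local-Pass-1"}
CONSOLE_LINE_PASSWORD = "Console-Pass-1"


def default_list(server_up: bool) -> List[Method]:
    """aaa authentication login default group tacacs+ local"""
    return [tacacs_group(server_up, ACS_USERS), local_db(LOCAL_USERS)]


def consoleauth_list() -> List[Method]:
    """aaa authentication login consoleauth line"""
    return [line_password(CONSOLE_LINE_PASSWORD)]


if __name__ == "__main__":
    for up in (True, False):
        ok, trace = authenticate(default_list(up), "emergency", "Local-Pass-1")
        print(f"ACS {'up' if up else 'down'}, local user on default list: {ok} {trace}")
    print("console list prompts for username:", prompts_for_username(consoleauth_list()))
    print("console password:", authenticate(consoleauth_list(), None, "Console-Pass-1"))
```

Running it shows the two points of the thread side by side: with the ACS reachable, the local-only account is rejected at the `group tacacs+` step and the `local` method is never consulted, while with the ACS down the same credentials pass through to `local`; and a line whose list contains only `line` never needs a username prompt, which is why the original poster's console kept asking for one while it was still using the default TACACS/local list.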

Kevin Melton Sat, 04/26/2008 - 18:07
Yes, my terminology may not be as concise as it should have been. Your answer, however, is a great and thorough answer, Rick. In the event that the TACACS daemon (in my case the ACS box) cannot be reached because it is down, then the local username and password (which I had called a userbase, incorrectly I suppose) will be used. Whereas if TACACS does respond and it is a REJECT, then the user is not authenticated and is not allowed access.

Great job!

Kevin

Richard Burts Sun, 04/27/2008 - 17:41

Kevin


Thank you for the compliment. I am really gratified when someone expresses appreciation for my response.


I try to not say that someone's terminology is wrong because they may be speaking in some context I am not familiar with or have something in their background that gives the term meaning. So if I do not understand it I generally say it is not clear to me and ask for clarification. In this case I was pretty clear what you meant with userbase. What I did not understand was ROLL BACK the userbase.


I am glad that I was able to explain the functionality in a way that made sense to you.


HTH


Rick
