AAA authentication login novice question

Apr 26th, 2008

Hi, 2 questions about AAA authentication, since I'm quite confused by the available documentation and currently I have no devices available to test:

1) When "aaa new-model" is entered, does login authentication immediately apply to all lines and default to the router's local database (without any other command needed)?

2) If I configure "aaa authentication login default none", does this mean that on the vty (when no command is applied to the vty) no authentication is performed, and telnet succeeds without any authentication?

Thanks

Overall Rating: 3 (2 ratings)
guruprasadr Sun, 04/27/2008 - 12:06

Hi, [Pls Rate if HELPS]


Answer to Question 1
======================


The first command, aaa new-model, tells the router that you are using either TACACS+ or RADIUS for authentication.


FYI, if you do not want the console to authenticate with TACACS, then try configuring this:

aaa authentication login consoleauth line
line con 0
 login authentication consoleauth


To configure AAA authentication, perform the following tasks:


1. Enable AAA by using the aaa new-model global configuration command.


2. Configure security protocol parameters, such as RADIUS, TACACS+, or Kerberos if you are using a security server.


3. Define the method lists for Authentication by using an AAA authentication command.


4. Apply the method lists to a particular interface or line, if required.


Answer to Question 2
======================


The "aaa authentication login default none" command gives access to the router via console / VTY without authentication. The list must all be applied to the line / con / interface.


'none' means it uses no authentication.


Note: Normally we authorize all commands through TACACS+, but if the server is down, no authorization is necessary, hence the 'none'


The 'none' keyword enables any user logging in to successfully authenticate; it should be used only as a backup method of authentication.


Hope I am Informative.


Please RATE if HELPS


Best Regards,


Guru Prasad R

Jagdeep Gambhir Mon, 04/28/2008 - 05:12

Hi,

1) It will be applied to all interfaces in case you did not remove the aaa commands individually.


For example, you have these in your router:

aaa new-model
aaa authentication login default group tacacs local


Now you disabled aaa by issuing the command

no aaa new-model


Everything related to aaa would be disabled.



Then if you enter the aaa new-model command again, all previous aaa entries would be enabled.


So the best way to remove aaa is by:

no aaa authentication login default group tacacs local
no aaa new-model


2) Yes, if you use "none" then no authentication check will be performed and the user will be authenticated without any check.


Regards,

~JG


Do rate helpful posts
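
Added example, not part of the thread and not Cisco tooling: a small Python audit that reads a saved configuration and reports, for each line stanza, which login method list is in effect and whether that list contains "none". The sample configuration is constructed, and the list name OPEN and the function name audit_login_methods are assumptions made for illustration.

```python
import re

# Constructed sample configuration (illustrative, not from a real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication login consoleauth line
aaa authentication login OPEN none
line con 0
 login authentication consoleauth
line aux 0
 login authentication OPEN
line vty 0 4
 transport input telnet
"""

def audit_login_methods(config_text):
    """Return {line stanza: (list name, methods, verdict)} for each line."""
    lists, applied, current = {}, {}, None
    for raw in config_text.splitlines():
        text, indented = raw.strip(), raw.startswith(" ")
        if not indented:                       # top-level command: new context
            current = text if text.startswith("line ") else None
            m = re.match(r"aaa authentication login (\S+) (.+)", text)
            if m:
                lists[m.group(1)] = m.group(2).split()
            elif current:
                applied[current] = "default"   # until a named list is applied
        elif current:
            m = re.match(r"login authentication (\S+)", text)
            if m:
                applied[current] = m.group(1)
    report = {}
    for line, name in applied.items():
        methods = lists.get(name)
        if methods is None:
            verdict = "list not defined"
        elif methods == ["none"]:
            verdict = "no authentication"      # every login is accepted
        elif "none" in methods:
            verdict = "none as fallback"       # reached when earlier methods error out
        else:
            verdict = "ok"
        report[line] = (name, methods, verdict)
    return report

if __name__ == "__main__":
    for line, (name, methods, verdict) in audit_login_methods(SAMPLE_CONFIG).items():
        print(f"{line:<14} list={name:<12} methods={methods} -> {verdict}")
```

A line with no "login authentication" command is reported against the default list, which is how the vty in the sample ends up flagged.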
