Beginner's question on AAA

May 1st, 2008

folks


i'm trying to get my head around some AAA concepts and i'm finding the documentation a bit confusing as it doesn't explain some of the core concepts (well not simply enough for me!)


if i define the line


aaa authentication login ConsoleIn local


i know that local will refer to the local database but where is the group ConsoleIn referred to in the config


is it in the con0 config where i would declare


aaa authentication ConsoleIn


if so, does this not mean anyone declared in the local dbase is not entitled to console access


thanks to anyone taking the time to reply

Richard Burts Thu, 05/01/2008 - 12:08
Michael


You have it just about right. If you configure:

aaa authentication login ConsoleIn local

you are creating a named method (where ConsoleIn is the name) and it will authenticate attempts to log in using the locally configured userIDs and password.


The name must be used somewhere in the config to indicate what is using this method. The name suggests that it would be configured under line con 0 to specify authentication on the console. But it logically could be configured under line vty 0 4.


And yes it does mean that someone who is not in the local database is not entitled to console access.


HTH


Rick
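
How a named login method list ties to a line, as an added example that is not part of the original thread: in IOS the line-level command that applies a list is `login authentication <list-name>`. The Python check below runs over a constructed sample configuration and reports which list each line uses and which named lists are never applied; the list `VtyIn`, the user `admin1` and the function name `audit_login_lists` are assumptions made for illustration.

```python
import re

# Constructed sample configuration (not from the thread). ConsoleIn is the
# method list from the question; VtyIn is a hypothetical second list that is
# defined but never applied to any line.
SAMPLE_CONFIG = """\
aaa new-model
username admin1 secret <placeholder>
aaa authentication login ConsoleIn local
aaa authentication login VtyIn local
!
line con 0
 login authentication ConsoleIn
line vty 0 4
 transport input ssh
"""

def audit_login_lists(config):
    """Map each line block to its login method list and find unused lists."""
    defined = {}      # list name -> methods, from 'aaa authentication login'
    applied = {}      # line block -> list name, from 'login authentication'
    current_line = None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            defined[m.group(1)] = m.group(2).split()
            continue
        if re.match(r"line \S+", text) and not raw.startswith(" "):
            current_line = text
            # With AAA enabled and no explicit command, a line uses 'default'.
            applied[current_line] = "default"
            continue
        m = re.match(r"login authentication (\S+)", text)
        if m and current_line and raw.startswith(" "):
            applied[current_line] = m.group(1)
        elif not raw.startswith(" "):
            current_line = None   # left the line block
    unused = sorted(set(defined) - set(applied.values()) - {"default"})
    undefined = sorted(set(applied.values()) - set(defined) - {"default"})
    return applied, unused, undefined

if __name__ == "__main__":
    applied, unused, undefined = audit_login_lists(SAMPLE_CONFIG)
    for line, name in applied.items():
        print(f"{line}: login authentication {name}")
    print("defined but not applied:", unused)
    print("applied but not defined:", undefined)
```

A list reported as applied but not defined is worth checking before the change is saved, since that line would point at a method list that does not exist.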

mulhollandm Thu, 05/01/2008 - 12:14

rick


many thanks for your reply, it's greatly appreciated - i have my snd exam tomorrow so i'm doing some late cramming!


can i ask another question if you don't mind


if i declare 4 names in the local database and i point the ConsoleIn method to this, is there any way to restrict console access to only 2 of the 4 declared usernames?


apologies if this sounds naive but ....

Richard Burts Fri, 05/02/2008 - 05:30

Michael


I am not aware of any way that you can restrict access to the console to only some of the configured local userIDs.


Good luck on the SND exam.


HTH


Rick

mulhollandm Sat, 05/03/2008 - 04:16

rick


many thanks for your help


i passed the snd (1000/1000!)


thanks for your help

Richard Burts Sat, 05/03/2008 - 08:34

Michael


Congratulations on passing the SND test.


HTH


Rick
