2600 router: struggling with AAA and user account setup

Answered Question
Jul 25th, 2008

I'm using SDM to set up an Easy VPN connection and, being a newbie, I'm struggling with AAA and the creation of the user account needed. The SDM wizard said I had to have AAA enabled and a user account. I found this Cisco doc using Google:

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfathen.html#wp1000971

and following the instructions I entered these commands into the cli:

router(config)#aaa new-model

router(config)#aaa authentication login default local

but my normal login username and password won't work in the CLI once I've done this. I have to power down the router and restart it to get control back.

To be honest I found the Cisco instructions really hard going. I don't understand the RADIUS / Kerberos / TACACS method-list stuff, so I wondered if there were any simple instructions out there to set up the user account necessary to proceed with the Easy VPN wizard in SDM.

Thanks for any pointers.

Correct Answer by husycisco, Sat, 07/26/2008 - 08:36

Hello Anthony,

Once you enable aaa new-model, all previous authentication mechanisms applied to lines become invalid. That's why you should do one of the following:

Do not issue "aaa authentication login default local", or, if you are forced to by SDM, either create a username for yourself with high priv, because that command will affect console or VTY lines whose authentication is left at the default and will ask for a username and password whenever you log in, or create a list which has "none" as a method and apply it to the console line to ignore console authentication.

username anthony priv 15 password xxxx

Once you enter a username as above, you can log in via console with that username and password if "aaa authentication login default local" is issued.

RADIUS and TACACS methods are servers that have the ability to contain usernames with more advanced configurations. For simple authentication you can use local authentication; that's why you don't have to mess with RADIUS or TACACS at the moment.

Regards
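As an added illustration (not part of husycisco's reply or the Cisco document), the command order below avoids the console lockout described in the question: the local privilege-15 account exists before aaa new-model switches the lines over to AAA. The username "anthony", the placeholder secrets and the list name CONSOLE are assumed values.

```cisco
! Added example, not from the original thread.
! Step 1: create the local account FIRST, so the "default" login list has
! something to authenticate against the moment AAA is switched on.
! "secret" stores a hash of the password; "password" (as in the reply) does not.
enable secret ENABLE_SECRET_PLACEHOLDER
username anthony privilege 15 secret USER_SECRET_PLACEHOLDER
!
! Step 2: switch to the AAA model. From here on the old line passwords no
! longer apply, which is the behaviour that caused the lockout.
aaa new-model
aaa authentication login default local
!
! Step 3 (optional): a named list applied only to the console. "local" keeps
! the console authenticated; the reply's alternative is a list whose method is
! "none", which skips console authentication entirely.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
!
! VTY lines use the "default" list (local) unless told otherwise.
line vty 0 4
 login authentication default
!
! Verify from a SECOND session before closing the one you configured from:
! show running-config | section aaa
! show users
```

Keeping the original session open while testing a new login from a second one is what turns a misconfiguration into an inconvenience instead of a power-cycle.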
