login prompt

Answered Question
Aug 12th, 2008

Hello,


If I have my con, aux and vty lines configured with a password and "login" beforehand, once I add tacacs to the router, the word "login" disappears from the config under the con, aux and vty lines.


From the command lookup tool, it says login cannot be used with tacacs and it suggests "login authentication default" command instead.


My question is, after I added tacacs and my "login" disappeared, if I didn't add "login authentication default", what will happen? My tacacs comes from the WAN interface, so if my WAN interface goes down, and if I don't have the "login authentication default" under the lines and the passwords were set, what will happen? Will I still be able to log in to the router, such as going through a modem via the aux port? Will I get prompted to enter a password? Or will I get locked out and won't be able to get into the router altogether?


thanks for your help.


Richard Burts Tue, 08/12/2008 - 14:20
Joyce


There are several parts to cover in answering your question.

- when you configure aaa new-model to implement TACACS (or Radius) then login becomes the default on the interfaces and you cannot change it. You do not see it in the running config, but it is effective on each of the interfaces.

- there are default authentication methods that you can use (login authentication default points to that default method) or you can create your own special authentication methods. For example you might want to authenticate on the console differently than you do on the vty. So you might configure login authentication console under the console and configure login authentication vty under the vty.

- there are several authentication actions that you may specify including group tacacs+ for tacacs, or local to use locally configured user ID and password, or line to use the configured line passwords. The first action that you specify will be the primary and if there is an error in it (server not available for example) you can specify a backup method.

- you can configure this if you want your default to be authentication with TACACS and a backup of line password

aaa authentication login default group tacacs+ line

and you could configure this if you wanted authentication on the console to only authenticate with a local configured user ID and password

aaa authentication login console local

and you could configure this if you wanted authentication on the vty to try TACACS and as a backup to use the line password

aaa authentication login vty tacacs+ line


If you were to configure authentication with TACACS and not provide a backup method when you attempt to login and the server is not available you would be locked out of the router. So it is quite important to configure a backup method.


HTH


Rick

blackladyJR Tue, 08/12/2008 - 14:52

Hi Rick,


Thank you so much for your detailed excellent explanation. I really appreciate it as it is really very useful.


If I understand correctly, does that mean the following?


1. As you said the login is already activated on con/aux/vty as soon as I added aaa new-model, so I do not need to add "login authentication default or console or vty" under line con/aux/vty, is that correct? So all 3 lines will just take my default method under global aaa authentication login default if I do not configure any login command under those 3 lines.

2. If #1 is correct, then why do we even bother to have this command available? "login authentication default" if it does exactly the same thing if we don't enter this on the line interfaces? So entering or not entering has the same effect?

3. If I do want to have a different login method for the console, for example, then I need 2 commands to do that. One is to define the global aaa authentication login console. The second command will be under line con 0, add login authentication console. Is that correct?


thank you again,

Joyce


Correct Answer
Richard Burts Tue, 08/12/2008 - 17:45

Joyce


I am glad that you appreciate my explanations. I like to do them and I really enjoy it when others appreciate them and find them useful.


Here are my responses to your points:

1) yes it is already activated. No you do not need to add it if you are accepting the default. Yes all three (console, aux, vty) will operate with the default if you do not configure login authentication ... under those three lines.

2) This is a bit subtle. Cisco has a long history of allowing you to configure things that are the default. Why does it allow you to configure "speed auto" and "duplex auto" on FastEthernet interfaces, or why does it allow you to configure "keepalive 10" on serial interfaces, or why does it allow you to configure "ip routing" on a router? Essentially it allows you to configure the default so that you can restore the default if you have changed it and want to go back. So if you had configured login authentication console and then decided it was not useful and you want to go back then you can configure login authentication default.

3) Yes if you want to have a different login method then it takes 2 commands to do that. One is the login authentication command under the line and the second is to define the aaa authentication login.


So I think that you pretty well get it.


HTH


Rick
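The pieces Rick lays out in his first reply (the default list with a line-password backup, the named console and vty lists) and in his numbered responses (the two commands needed for a per-line method) combined into one configuration. This is an added example, not a config from the thread; the server address, shared secret, usernames and passwords are placeholders, and the comments note the caveat that the "line" fallback is only used when the TACACS+ server is unreachable, not when it rejects a login.

```cisco
! Added example (not from the thread). Addresses, keys and passwords are
! placeholders to be replaced before use.
aaa new-model
!
! TACACS+ server reached over the WAN (placeholder address and key)
tacacs-server host 192.0.2.10
tacacs-server key REPLACE_WITH_SHARED_SECRET
!
! Local account used by any list that names the "local" method
username admin privilege 15 secret REPLACE_WITH_LOCAL_PASSWORD
!
! Default list: try TACACS+ first; if the server is unreachable (timeout,
! WAN down), fall back to the line password. The fallback is used only on
! a server ERROR, not when the server rejects the credentials.
aaa authentication login default group tacacs+ line
!
! Named lists for lines that should behave differently from the default
aaa authentication login console local
aaa authentication login vty group tacacs+ line
!
! Any list ending in "line" needs a password set on that line; otherwise
! the fallback has nothing to check and the login fails.
line con 0
 ! Second of the two commands: bind the named list to this line
 login authentication console
!
line aux 0
 password REPLACE_WITH_AUX_PASSWORD
 ! "login" no longer appears after aaa new-model; the default list already
 ! applies here. This line only restores the default if it was changed.
 login authentication default
!
line vty 0 4
 password REPLACE_WITH_VTY_PASSWORD
 login authentication vty
 transport input ssh
```

Keep an existing console session open while changing these lists, and confirm the server path with `test aaa group tacacs+ <user> <password> legacy` before relying on the fallback.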

blackladyJR Wed, 08/13/2008 - 05:41

Rick,


Yes, I very much appreciate your help and explanation once again. This is very clear. Thank you again!


Joyce

Richard Burts Wed, 08/13/2008 - 07:14

Joyce


I am glad that my explanations have helped you to understand these issues better. Thank you for using the rating system to indicate that your questions were resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that there were responses which did resolve the question.


The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.


HTH


Rick
