07-12-2009 04:05 PM - edited 03-10-2019 04:35 PM
I am looking for help on what happens with the below example if the TACACS server fails and you try to console into the device. I am assuming that the next order would be "aaa authentication login line-only line" but I'm not understanding what the "line-only" means. I can't find that reference in any of the docs.
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login line-only line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
07-13-2009 05:27 AM
Hi Darcy,
You have two AAA groups set up: default and line-only. Which one you apply to the console determines how you authenticate. If you choose default, it will try TACACS first, then fall back to the enable password. If you use line-only, you will use the password assigned under the console configuration.
Hope that helps.
07-13-2009 06:15 AM
Collin,
If there are no groups assigned under the console, does it go in order: enable password, then the password assigned under the console?
line con 0
session-timeout 5
password 7 XXXXXXX
Thanks!
07-13-2009 06:27 AM
If there is no AAA group assigned, it will not use a password to enter user mode; it will just let you in. To enter privileged mode, you will have to enter the enable password. It's a good practice to configure AAA and use local authentication as a minimum. That way console connections must enter a username and password to gain access.
07-17-2009 10:44 AM
Collin,
Thank you for your answer; it answered my question. I got it.
Darcy
07-13-2009 06:31 AM
Hi,
We have defined "aaa authentication login default group tacacs+ enable"; this will take care of telnet, http and console authentication.
Now let's say you don't want the console to be authenticated via tacacs, so you need to make another method list for the console:
aaa authentication login line-only line
and apply it to the console line:
Switch(config)#line con 0
Switch(config-line)#login authentication line-only
Now whenever you log in via the console it will only ask for the line password.
When you log in via telnet, it will first ask for the tacacs user, and if the server is down it will prompt for the enable password.
Regards,
~JG
Do rate helpful posts
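To make the method-list behaviour discussed in this thread concrete, here is an added Python model (not Cisco code and not from any poster) that parses the two `aaa authentication login` lists plus the `line con 0` / `line vty` blocks and walks the method chain the way IOS does: a method that returns ERROR (TACACS+ unreachable) hands off to the next method, while a PASS or a FAIL (wrong credentials) ends the attempt, so a rejected TACACS+ login never falls through to the enable password. The config text, passwords and TACACS+ user table are constructed sample values; the type 7 tokens are compared literally rather than decoded, and the rule that a line with no `login authentication` uses the `default` list is the IOS behaviour under `aaa new-model`.

```python
"""Model of IOS AAA login method-list fallback (added illustration, not Cisco code)."""

# Constructed sample config modelled on the thread; password tokens are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login line-only line
aaa authentication enable default group tacacs+ enable
line con 0
 password 7 CONSOLE-PW
 login authentication line-only
line vty 0 4
 password 7 VTY-PW
"""


def parse_config(text):
    """Return (method_lists, lines).

    method_lists: {'default': ['group tacacs+', 'enable'], 'line-only': ['line']}
    lines:        {'con 0': {'password': 'CONSOLE-PW', 'login': 'line-only'}, ...}
    """
    lists, lines, current = {}, {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not raw.startswith(" "):          # a top-level line ends any 'line' block
            current = None
        if stripped.startswith("aaa authentication login "):
            tokens = stripped.split()[3:]    # [list-name, method, method, ...]
            name, methods, i = tokens[0], [], 1
            while i < len(tokens):
                if tokens[i] == "group":     # 'group tacacs+' is a single method
                    methods.append("group " + tokens[i + 1])
                    i += 2
                else:
                    methods.append(tokens[i])
                    i += 1
            lists[name] = methods
        elif stripped.startswith("line "):
            current = stripped[5:]           # e.g. 'con 0' or 'vty 0 4'
            lines[current] = {}
        elif current is not None:
            if stripped.startswith("password "):
                lines[current]["password"] = stripped.split()[-1]
            elif stripped.startswith("login authentication "):
                lines[current]["login"] = stripped.split()[-1]
    return lists, lines


def authenticate(config, line_name, username, password, *,
                 tacacs_up, tacacs_users, enable_secret):
    """Walk the method list bound to `line_name` and return (outcome, method).

    ERROR (server unreachable) moves to the next method; PASS/FAIL stop the chain.
    """
    lists, lines = parse_config(config)
    line = lines[line_name]
    # Under aaa new-model a line with no 'login authentication' uses 'default'.
    methods = lists[line.get("login", "default")]
    for method in methods:
        if method == "group tacacs+":
            if not tacacs_up:
                result = "ERROR"             # unreachable: fall through to next method
            else:
                result = "PASS" if tacacs_users.get(username) == password else "FAIL"
        elif method == "enable":
            result = "PASS" if password == enable_secret else "FAIL"
        elif method == "line":
            result = "PASS" if password == line.get("password") else "FAIL"
        elif method == "none":
            result = "PASS"
        else:                                # 'local' etc. are not modelled here
            raise ValueError(f"unmodelled method {method!r}")
        if result != "ERROR":
            return result, method            # a decision was reached
    return "FAIL", "exhausted"               # every method errored: login denied


if __name__ == "__main__":
    tacacs = {"darcy": "tacacs-pw"}          # constructed TACACS+ user table
    for line_name, up, pw in [("con 0", False, "CONSOLE-PW"),
                              ("vty 0 4", False, "enable-pw"),
                              ("vty 0 4", True, "wrong-pw")]:
        outcome = authenticate(SAMPLE_CONFIG, line_name, "darcy", pw,
                               tacacs_up=up, tacacs_users=tacacs,
                               enable_secret="enable-pw")
        print(f"{line_name:8} tacacs_up={up!s:5} -> {outcome}")
```

Running the model shows the three cases the thread describes: the console, bound to `line-only`, accepts only the line password regardless of TACACS+ state; a vty session on the `default` list is let in with the enable password only when TACACS+ is unreachable; and a wrong password while TACACS+ is up is a plain FAIL, with no second chance against the enable password.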