AAA local authentication design issue

Jul 30th, 2009

I need a little help with my AAA design. Here is my current design:

aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa session-id common
username irobot secret xxxxxxx
line vty 0 4
 access-class 10 in
 exec-timeout 9 0
 transport input ssh

When I ssh, I am challenged for a password, but not a login. If I ssh irobot@<switch address>, I get the password challenge and log in with the stored password. Where have I gone wrong? I would like to ssh to the switch and be challenged for a username and a password. Suggestions?

Jagdeep Gambhir Thu, 07/30/2009 - 10:03
Please issue the login command in line vty:

"login local"



Do rate helpful

poirot1967 Thu, 07/30/2009 - 10:31
Thanks for the response. Here is the output of that command:

(config)#line vty 0 4
(config-line)#login local

% Invalid input detected at '^' marker.

This is a 2960, running Version 12.2(44)SE5.


Jagdeep Gambhir Thu, 07/30/2009 - 10:36
and then

Switch(config-line)#login local


poirot1967 Thu, 07/30/2009 - 10:43
#conf t
Enter configuration commands, one per line. End with CNTL/Z.
(config)#line vty 0 4

% Incomplete command.

(config-line)#login local

% Invalid input detected at '^' marker.

What it will accept is login authentication default, as I did not name my local database.


leninpena Thu, 07/30/2009 - 10:54
I think you have to put this in the vty lines:

login authentication default

poirot1967 Fri, 07/31/2009 - 03:29
Thanks for the suggestion. I had entered that earlier. It accepted the command, but it does not appear in the sh run. From my understanding, that is the default when not using a named database.


cisco24x7 Fri, 07/31/2009 - 04:08
Of course this is correct, because you already entered the username with irobot@switch_ip_address, and it will prompt you for a password because the username is already entered. That's how ssh works. Perhaps you need to read up on how ssh works. The other option is:

ssh -l irobot switch_ip_address

poirot1967 Fri, 07/31/2009 - 04:16
Thanks for the reply. The issue I was having is if I were to ssh, it does not challenge me for a login, only a password. I was trying to configure AAA to ask for both a login and password authenticated against the local database. I know that ssh irobot@ works, but that is not what I am aiming for. Now my assumptions (insert joke here) could be wrong.

Richard Burts Mon, 08/03/2009 - 18:55
I believe that the issue is that you are initiating the SSH from a Cisco device on which you have already authenticated. I have observed that if I am logged in on a Cisco router or switch on which I have already authenticated and then use the SSH command to initiate a session to some other Cisco device, the device from which I initiate the session already supplies the user name (based on my current login), and the device to which I am initiating the session only needs my password to log me in and authenticate correctly. One good way to check this is to initiate the ssh, get the prompt for (only) the password, enter the password, then in the new session enter the command who (or show user) and see if it does not already have your user ID correctly.

I am surprised and disappointed by the suggestion from Jagdeep. I usually find his responses quite correct and helpful. But in this case, when you enter aaa new-model, then login local becomes the default (as you demonstrated when you attempted to enter the command: it is not accepted when aaa new-model is in effect).



poirot1967 Tue, 08/04/2009 - 03:39
Thank you for your response. When I am initiating the SSH session, I am doing so from either my laptop or workstation. I have been staring at this trying to "see" where I went wrong, and I know it has to be there. It has to be something so tiny that I am overlooking it.
