aaa question for Cisco 4948

Answered Question
Jul 1st, 2010
Please take a look at the below commands entered on a 4948 Catalyst. Will this prompt me to use <root> as the username and whatever password I decide to use when logging into the switch? I'm guessing the "default group local" portion of the CLI below points to root as the username in this case.

!
username root password 7 1524020217252574611E34301A0913104007
!
aaa new-model
aaa authentication login default group root local
aaa authentication fail-message ^You have failed to pass AAA login requirements!^
!
!


In other words there will be no TACACS or Radius involved with this.


Thanks,


Charlie

Correct Answer
John Blakley Thu, 07/01/2010 - 09:11

That doesn't look right to me, unless Cisco has changed the way they've done AAA on the 4900 series (which I've never used). The "group" usually indicates a radius or tacacs server, not a username. I think what's happening is that it's trying to hit a server group called root, which is assigned to some ip address, it's failing and rolling over to local which would allow you to log in as root. If you aren't using a tacacs or radius server, you should be safe in removing the group portion and using just:


aaa authentication login default local


I would HIGHLY recommend doing this in one window, and then telnetting into the device from another window to test. When messing with AAA, never make a change and logout before testing in another window; you could lock yourself out.


HTH,

John

gdwingnuts Thu, 07/01/2010 - 10:28
I will give this a try and reply back to you.


Thank you!


Charlie

gdwingnuts Thu, 07/01/2010 - 12:49
Your suggestions were "Spot on".  Thank you.  Now we will satisfy our Risk Assessment Scans by having AAA configured without having to have a TACACS or Radius.  Also, thanks for the heads-up with the multiple terminal session suggestion.  I locked myself out yesterday and had to break in.  All is good now.


Charlie

Correct Answer
Chetan Kumar Ress Thu, 07/01/2010 - 09:25

Hi


You have to use "aaa authentication login default local" to point all authentication to its local database.


Regards

Chetan Kumar
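
The audit below is an added example; it is not code from this thread or from Cisco. It reads a text config (the posted snippet, or "show running-config" output) for the handful of commands involved here: aaa new-model, username, aaa group server and aaa authentication login. It then applies the point John and Chetan both make: in a method list, "group <name>" refers to a RADIUS or TACACS+ server group, so "group root" with no such group defined is a dangling reference, and "local" is the method that actually points the list at the local user database. The sample configs, the placeholder password and secret strings, the TAC-SERVERS group and the 192.0.2.10 address are all constructed for the example. It also flags one caveat the thread does not raise: "username ... password 7" stores a reversible type 7 string, so "username ... secret" is the better choice when the only authentication is the local database.

```python
"""Audit the AAA login method lists in an IOS-style config (added example)."""
import re

# Keyword methods IOS accepts in a login list, other than "group <name>".
KEYWORD_METHODS = {"local", "local-case", "enable", "line", "none"}
LOCAL_METHODS = {"local", "local-case"}
# "group radius" / "group tacacs+" name the implicit built-in server groups.
BUILTIN_GROUPS = {"radius", "tacacs+"}

# Constructed sample configs.  The first mirrors the question (the type 7
# string is a placeholder, not the one posted); the second is the fixed form.
POSTED_CONFIG = """\
username root password 7 094F471A1A0A
!
aaa new-model
aaa authentication login default group root local
aaa authentication fail-message ^You have failed to pass AAA login requirements!^
"""
FIXED_CONFIG = """\
username root secret 5 $1$placeholder$hashvalue
!
aaa new-model
aaa authentication login default local
aaa authentication fail-message ^You have failed to pass AAA login requirements!^
"""
# What "group <name> local" is really for: a defined server group is tried
# first, the local database only if no server in the group answers.
TACACS_CONFIG = """\
username root secret 5 $1$placeholder$hashvalue
aaa new-model
aaa group server tacacs+ TAC-SERVERS
 server 192.0.2.10
aaa authentication login default group TAC-SERVERS local
"""

USER_RE = re.compile(r"username (\S+) (password|secret) (\d+) \S+")
GROUP_RE = re.compile(r"aaa group server (?:radius|tacacs\+) (\S+)")
LOGIN_RE = re.compile(r"aaa authentication login (\S+) (.+)")


def parse_config(text):
    """Return (new_model, users, server_groups, login_lists); a method is
    ("group", name) or (keyword, None), kept in the configured order."""
    new_model, users, server_groups, login_lists = False, {}, set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "aaa new-model":
            new_model = True
        elif m := USER_RE.match(line):
            users[m.group(1)] = (m.group(2), m.group(3))
        elif m := GROUP_RE.match(line):
            server_groups.add(m.group(1))
        elif m := LOGIN_RE.match(line):
            tokens, methods, i = m.group(2).split(), [], 0
            while i < len(tokens):
                if tokens[i] == "group" and i + 1 < len(tokens):
                    methods.append(("group", tokens[i + 1]))
                    i += 2
                else:
                    methods.append((tokens[i], None))
                    i += 1
            login_lists[m.group(1)] = methods
    return new_model, users, server_groups, login_lists


def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    new_model, users, server_groups, login_lists = parse_config(text)
    findings = []
    if not new_model:
        findings.append("aaa new-model missing: login method lists are ignored")
    if "default" not in login_lists:
        findings.append("no 'aaa authentication login default' list")
    for name, methods in login_lists.items():
        for kind, arg in methods:
            # A group method must name a defined server group (or a built-in).
            if kind == "group" and arg not in BUILTIN_GROUPS | server_groups:
                findings.append(f"list {name}: group '{arg}' is not a defined server group")
        if not any(kind in LOCAL_METHODS for kind, _ in methods):
            findings.append(f"list {name}: no local fallback, unreachable servers lock you out")
        elif not users:
            findings.append(f"list {name}: 'local' configured but no username exists")
    for user, (keyword, ptype) in users.items():
        if keyword == "password" and ptype == "7":
            findings.append(f"user {user}: type 7 password is reversible, use 'secret' instead")
    return findings


def fixed_login_line(name, methods, server_groups):
    """Rebuild a list: drop undefined groups, keep a local method as the last resort."""
    kept = [f"group {a}" if k == "group" else k for k, a in methods
            if (k == "group" and a in BUILTIN_GROUPS | server_groups)
            or (k != "group" and k not in LOCAL_METHODS)]
    local_kw = next((k for k, _ in methods if k in LOCAL_METHODS), "local")
    return f"aaa authentication login {name} {' '.join(kept + [local_kw])}"


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg) or ["ok"])
```

Run as-is it prints the findings for the posted and the corrected config; pass the text of "show running-config" to audit() to check a real switch, and fixed_login_line() returns the method list with the dangling group removed and "local" kept last. This only reads text, so John's advice still stands: make the change in one session and prove the login works from a second session before closing the first.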
