aaa question for Cisco 4948

Answered Question
Jul 1st, 2010

Please take a look at the below commands entered on a 4948 Catalyst.  Will this prompt me to use <root> as the username and whatever password I decide to use when logging into the switch?  I'm guessing the "default group local" portion of the CL below points to root as the username in this case.

!
username root password 7 1524020217252574611E34301A0913104007
!
aaa new-model
aaa authentication login default group root local
aaa authentication fail-message ^You have failed to pass AAA login requirements!^
!
!

In other words there will be no TACACS or Radius involved with this.

Thanks,

Charlie

I have this problem too.
0 votes
Correct Answer by Chetan Kumar Ress about 6 years 5 months ago

Hi

You have to use  "aaa authentication login default local" to point all authenticaiton to its local database.

Regards

Chetan Kumar

Correct Answer by John Blakley about 6 years 5 months ago

That doesn't look right to me, unless Cisco has changed the way they've done AAA on the 4900 series (which I've never used). The "group" usually indicates a radius or tacacs server, not a username. I think what's happening is that it's trying to hit a server group called root, which is assigned to some ip address, it's failing and rolling over to local which would allow you to log in as root. If you aren't using a tacacs or radius server, you should be safe in removing the group portion and using just:

aaa authentication login default local

I would HIGHLY recommend doing this in one window, and then telnetting into the device from another window to test. When messing with AAA, never make a change and logout before testing in another window; you could lock yourself out.

HTH,

John

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Correct Answer
John Blakley Thu, 07/01/2010 - 09:11

That doesn't look right to me, unless Cisco has changed the way they've done AAA on the 4900 series (which I've never used). The "group" usually indicates a radius or tacacs server, not a username. I think what's happening is that it's trying to hit a server group called root, which is assigned to some ip address, it's failing and rolling over to local which would allow you to log in as root. If you aren't using a tacacs or radius server, you should be safe in removing the group portion and using just:

aaa authentication login default local

I would HIGHLY recommend doing this in one window, and then telnetting into the device from another window to test. When messing with AAA, never make a change and logout before testing in another window; you could lock yourself out.

HTH,

John

gdwingnuts Thu, 07/01/2010 - 12:49

Your suggestions were "Spot on".  Thank you.  Now we will satisfy our Risk Assessment Scans by having AAA configured without having to have a TACACS or Radius.  Also, thanks for the heads-up with the multiple terminal session suggestion.  I locked myself out yesterday and had to break in.  All is good now.

Charlie

Correct Answer
Chetan Kumar Ress Thu, 07/01/2010 - 09:25

Hi

You have to use  "aaa authentication login default local" to point all authenticaiton to its local database.

Regards

Chetan Kumar

Actions

This Discussion