Configure Local User-Specific Password

Aug 18th, 2010

I have a Cisco 3825 running IOS c3825-advsecurityk9-mz.124-22.YB5.bin


I'm trying to use the 'login local' command for the usernames I have created on the router for the aux, con and vty lines.


But when I try to configure the line, the command login is available to me.  But 'local' is not an available option.


Can anyone tell me whether I should or shouldn't have it available to me?


Thanks

Roger

vragotha Wed, 08/18/2010 - 17:06

Are you using AAA?


It won't let you configure login local on the vty line

towerclear Thu, 08/19/2010 - 06:39

Yes, AAA is in my configuration.


Can the same also be said for the con 0, aux, etc. lines as well as the vty line, that login local is not available?


So both AAA and login local cannot be used at the same time?

vragotha Thu, 08/19/2010 - 09:59

You will need to specify the command through AAA.


Have you tried

aaa authentication login default local

towerclear Thu, 08/19/2010 - 11:14

Vijay,


I have read documentation from Cisco and from google searches regarding the addition of your proposed command.  I have not tried it yet.


Currently the aaa section of my config for my router has this:


aaa new-model

aaa local authentication attempts max-fail 3

!

!

aaa authentication login default group tacacs+ local enable

aaa authentication login Jay none

aaa authentication login towerclear none

aaa authentication enable default group tacacs+ enable

aaa authorization console

aaa authorization exec local_author none

aaa authorization network default none

!

!

aaa session-id common


Unfortunately my knowledge of aaa is limited and I'm having a hard time getting a grasp of it.  I know for sure that my router does not use any tacacs+ or radius, but those commands were put in for some reason.  I know that the only access is by the usernames and passwords I have created on the router device itself.


So will adding "aaa authentication login default local" have any impact on the other aaa authentication lines listed in my config?  I think the answer is no, if I recall correctly from the reading I've done.


Thanks

Roger

vragotha Thu, 08/19/2010 - 12:51

Roger,


If you are not using TACACS, you can remove all the AAA commands and use login local under the vty lines


If you want to keep the commands, go ahead and use 'aaa authentication login default local'

towerclear Thu, 08/19/2010 - 12:59

Vijay,


Technically I'm not using TACACS but I think I want to keep that line there.


If I add 'aaa authentication login default local', what will that do?  Does it affect all the lines, e.g. con 0, aux, vty, tty?  Or do I configure them individually?  I have to make sure the tty isn't affected.  I have a modem card installed in my routers for outside sites to dial into to transmit data.


Thanks

Roger

vragotha Thu, 08/19/2010 - 13:21

Roger,

'aaa authentication login default local', and a local username and password configured, will apply to all access to the device. You don't need to configure anything on the lines individually.

towerclear Thu, 08/19/2010 - 14:22

Vijay,


Based on your last response, will that affect the tty lines that receive connections requiring a login and password?


Thanks

Roger

vragotha Thu, 08/19/2010 - 14:38

It should affect the tty as well.

towerclear Thu, 08/19/2010 - 15:13

Vijay,


Thanks,  that's what I was afraid of.  Then I cannot put it in.


Roger

vragotha Thu, 08/19/2010 - 16:52

I'd simply backup the AAA configurations and remove them for now. Use them later if you need.

towerclear Sun, 08/22/2010 - 17:50

Vijay,


The whole reason for the post was a vulnerability finding for the local login.  The remediation simply states that I need to enter this command for the line(s) con 0, vty, etc.:


hostname(config-line)# password LINE_PASSWORD


When I do "password ?" at the prompt the options are:


0, unencrypted

7, hidden

LINE, unencrypted


is there something I'm missing where the password can be encrypted?


Thanks

Richard Burts Sun, 08/22/2010 - 21:14

Roger


If we can get a clear understanding of what your requirements are I believe that there are options for configuration that can accomplish them. If you want your vty and console to authenticate differently from what the tty uses for authentication this is quite possible (and I have done it for a customer). You configure one (perhaps tty) to use the default authentication method, and then you configure a different authentication method and configure vty and console to use that method.


Yes there is an option to get the passwords for vty and console to be encrypted. Use service password-encryption (in global configuration mode) and the passwords will be encrypted.


HTH


Rick
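An added example (not from this thread) of the split Rick describes: the existing default method list keeps serving the dial-in tty lines, a named list that only consults the local user database is applied to con 0 and the vty lines, and service password-encryption obscures any plaintext line passwords. The username, secret and list name MGMT are placeholders.

```cisco
! AAA stays enabled, so 'login local' is not offered under the lines;
! the lines reference a method list instead.
aaa new-model
!
! Default list: unchanged from the thread's config, still used by the
! tty (modem) lines because nothing else is applied to them.
aaa authentication login default group tacacs+ local enable
!
! Named list for management access: local user database only.
aaa authentication login MGMT local
!
! Local account (placeholder name/secret); 'secret' stores a hash,
! not a reversible type 7 string.
username admin privilege 15 secret CHANGE_ME_PLACEHOLDER
!
! Apply the named list to console and vty only.
line con 0
 login authentication MGMT
line vty 0 4
 login authentication MGMT
 transport input ssh
!
! tty lines are left alone and keep the 'default' list.
!
! Obscures any 'password' strings (lines, enable password) in show run.
service password-encryption
```

Note that service password-encryption produces type 7 strings, which are reversible obfuscation rather than real protection; keep credentials in `username ... secret` / `enable secret` and treat the running config itself as sensitive.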
