Line Console Login

Answered Question
Dec 3rd, 2010

Hello Everyone,

Since I've configured SSH on my VPN router, IOS won't let me add the "login" command on line console 0. I know it's an AAA issue but I'm not that familiar with AAA. How can I restore the login feature in line console with aaa new-model enabled?

Configs:

Building configuration...

Current configuration : 5741 bytes
!
version 12.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname my_vpn
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.124-4.T8.bin
boot-end-marker
!
logging buffered 8196 debugging
enable password 1234
!
aaa new-model
!
aaa session-id common
!        
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip cef
!
no ip domain lookup
ip domain name mydomain.com
!
username cisco password 0 cisco
!

snip

!
line con 0
password cisco
no modem enable
line aux 0
line vty 0 4
password abcd
transport input telnet ssh
!

Thanks

Correct Answer
lgijssel Fri, 12/03/2010 - 11:41

This can be a problem indeed.

Do you actually have a radius server? Otherwise, the command is not really useful.

This is what I used a while ago. It lets you log in via console with local authentication when radius is unavailable:


username admin privilege 15 password xxx

!

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting suppress null-username
aaa accounting update newinfo
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius

!

radius-server host 10.12.1.2 auth-port 1645 acct-port 1646
radius-server key xxx

To log in locally by default, you need something like:

aaa authentication login default local

regards,

Leo

Correct Answer
Richard Burts Fri, 12/03/2010 - 12:21

Cyril

The partial config that you posted shows aaa new-model but has no aaa commands that you configured. I am a little puzzled why you have entered aaa new-model but no other aaa commands. Perhaps you can clarify what is intended in the config?

The issue is that when you enable aaa new-model then aaa establishes its own default method for authenticating login. And as you discovered it then prevents you from configuring "login" on the console or vty. The default authentication in aaa is local. Since you do have a local user ID configured you should be able to log in to the router using that user ID.

The solution suggested by Leo will work if you have a radius server. But I do not see anything in your original post indicating that you intend to use radius. If you are looking to just have the router authenticate the console using the console line password (which was the default before aaa new-model) then you could try something like this in your config:

aaa authentication login Console line

line console 0

login authentication Console

Note that the authentication named method is case sensitive.

HTH

Rick
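Rick's point about the implicit default list can be checked mechanically. The Python below is an added example written for this page (not from the thread, the poster, or Cisco): it pulls the `aaa authentication login` lists and the `line` blocks out of a running-config fragment and reports which method list each console, aux or vty line will actually use, flagging list names that do not resolve (the case-sensitivity trap Rick mentions) and line passwords that are set but never consulted. The sample input is the poster's corrected fragment from this thread with the rest of the config left out; the function and warning names are my own.

```python
import re
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login console_authentication local
! sample input: the poster's corrected fragments from this thread; rest of the config elided
line con 0
password cisco
login authentication console_authentication
line aux 0
line vty 0 4
password abcd
!
"""

def parse_method_lists(config):
    """Map each 'aaa authentication login <name> <methods...>' to its ordered list of methods."""
    pattern = re.compile(r"^[ \t]*aaa authentication login (\S+)((?:[ \t]+\S+)+)[ \t]*$", re.M)
    return {m.group(1): m.group(2).split() for m in pattern.finditer(config)}

def parse_lines(config):
    """Collect the sub-commands of each 'line ...' block; a block ends at '!', 'end' or the next 'line'."""
    sections, current = {}, None
    for raw in config.splitlines():
        text = raw.strip()  # accept both indented 'show run' output and flattened forum pastes
        if text.startswith("line "):
            current, sections[text] = text, []
        elif not text or text.startswith("!") or text == "end":
            current = None
        elif current is not None:
            sections[current].append(text)
    return sections

def audit_login(config):
    """Return {line_block: (list_name, methods, warning)}: the login method list each line will use."""
    if "aaa new-model" not in {l.strip() for l in config.splitlines()}:
        return {}  # classic 'login' / 'login local' semantics apply; nothing to resolve
    lists, report = parse_method_lists(config), {}
    for block, cmds in parse_lines(config).items():
        named = next((c.split()[2] for c in cmds if c.startswith("login authentication ")), None)
        # Rick's point: a line without 'login authentication' uses 'default', which is local when unset
        methods = lists.get("default", ["local"]) if named is None else lists.get(named)
        has_password = any(c.startswith("password ") for c in cmds)
        if methods is None:
            warn = "method list not defined (names are case sensitive)"
        elif ("line" in methods) != has_password:  # 'line' needs a password; otherwise the password is dead
            warn = "no line password for 'line' method" if not has_password else "line password is never consulted"
        else:
            warn = None
        report[block] = (named or "default", methods, warn)
    return report
```

Run against the sample, it shows that with `aaa new-model` on, the `password abcd` on the vty lines is never used and the vty falls back to the local username, which is exactly why the poster's SSH login kept working.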

BubbleGang Sat, 12/04/2010 - 07:29

Guys,

I found this site last night, and it is actually just what you guys suggested.

http://www.freeccnaworkbook.com/labs/section-3-configuring-basic-cisco-device-security/lab-3-3-configuring-aaa-authentication-lists/

Rick,

I used aaa new-model because I use SSH with RSA to remotely log in to the router.

Configs:

Building configuration...

Current configuration : 5741 bytes
!
version 12.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname my_vpn
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.124-4.T8.bin
boot-end-marker
!
logging buffered 8196 debugging
enable password 1234
!
aaa new-model
!

aaa authentication login console_authentication local
aaa authorization console

!
aaa session-id common
!        
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip cef
!
no ip domain lookup
ip domain name mydomain.com
!
username cisco privilege 15 password cisco
!

snip

!
line con 0
password cisco
login authentication console_authentication
no modem enable
line aux 0
line vty 0 4
password abcd
transport input telnet ssh
!

Thanks

Cyril

Richard Burts Sat, 12/04/2010 - 11:37

Cyril

Your explanation of why you configured aaa new-model with no other aaa statements makes sense and helps us understand what is going on. I am glad that you got your problem resolved and that our suggestions were helpful in that. Thank you for marking this issue as resolved (and thanks for the points). It makes the forum more useful when people can read about an issue and can know that they will find a solution to the issue. Your marking helps make this obvious to readers.

HTH

Rick

Posted December 3, 2010 at 7:30 AM