Line Console Login

BubbleGang
Level 1

Hello Everyone,

Since I've configured ssh on my vpn router, IOS won't let me add the "login" command on line console 0. I know it's an aaa issue but I'm not that familiar with aaa. How can I restore the login feature in line console with aaa new-model enabled?

Configs:

Building configuration...

Current configuration : 5741 bytes
!
version 12.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname my_vpn
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.124-4.T8.bin
boot-end-marker
!
logging buffered 8196 debugging
enable password 1234
!
aaa new-model
!
aaa session-id common
!        
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip cef
!
no ip domain lookup
ip domain name mydomain.com
!
username cisco password 0 cisco
!

snip

!
line con 0
password cisco
no modem enable
line aux 0
line vty 0 4
password abcd
transport input telnet ssh
!

Thanks

2 Accepted Solutions

Accepted Solutions

lgijssel
Level 9

This can be a problem indeed.

Do you actually have a radius server? Otherwise, the command is not really useful.

This is what I used a while ago. It lets you login via console with local authentication when radius is unavailable:

username admin privilege 15 password xxx
!
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting suppress null-username
aaa accounting update newinfo
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
!
radius-server host 10.12.1.2 auth-port 1645 acct-port 1646
radius-server key xxx

To login local by default, you need something like:

aaa authentication login default local

regards,

Leo

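Leo's list "group radius local" only falls back to the local database when RADIUS cannot answer, not when RADIUS rejects the user. The following added example (not code from Cisco or from anyone in this thread) models that method-list walk in Python so the difference between "server unreachable" and "server said no" is visible; the credentials, the RADIUS user database and the line password are constructed placeholders, and only the RADIUS group is allowed to signal an error in this simplified model.

```python
"""Model of how a Cisco IOS AAA login method list is walked.

Constructed example for this thread, not Cisco code. Rule modelled: the next
method in the list is consulted only when the current one returns ERROR
(could not answer, e.g. no RADIUS server reachable). PASS or FAIL is final.
In this simplified model only the RADIUS group can return ERROR.
"""
from enum import Enum
from typing import Callable, Dict, List


class Result(Enum):
    PASS = "pass"    # method authenticated the user
    FAIL = "fail"    # method answered and rejected the user
    ERROR = "error"  # method could not answer at all


def method_local(user: str, password: str, ctx: dict) -> Result:
    """'local': check the router's username database."""
    return Result.PASS if ctx["local_users"].get(user) == password else Result.FAIL


def method_radius(user: str, password: str, ctx: dict) -> Result:
    """'group radius': ERROR when no server answers, otherwise the server's verdict."""
    if not ctx["radius_reachable"]:
        return Result.ERROR
    return Result.PASS if ctx["radius_users"].get(user) == password else Result.FAIL


def method_line(user: str, password: str, ctx: dict) -> Result:
    """'line': compare against the line password (the pre-aaa behaviour)."""
    return Result.PASS if password == ctx.get("line_password") else Result.FAIL


METHODS: Dict[str, Callable[[str, str, dict], Result]] = {
    "local": method_local,
    "group radius": method_radius,
    "line": method_line,
}


def evaluate(method_list: List[str], user: str, password: str, ctx: dict) -> bool:
    """Walk the list in order; ERROR moves on, PASS/FAIL is final.
    If every method errors out, the login is denied."""
    for name in method_list:
        verdict = METHODS[name](user, password, ctx)
        if verdict is Result.PASS:
            return True
        if verdict is Result.FAIL:
            return False
    return False


# Constructed sample environment; all credentials are placeholders
CTX = {
    "local_users": {"admin": "xxx"},
    "radius_users": {"alice": "s3cret"},
    "radius_reachable": True,
    "line_password": "cisco",
}

LEO_LIST = ["group radius", "local"]   # aaa authentication login default group radius local
RICK_LIST = ["line"]                   # aaa authentication login Console line


def demo() -> Dict[str, bool]:
    """Run the four cases a practitioner usually asks about."""
    up = dict(CTX)
    down = dict(CTX, radius_reachable=False)
    return {
        "radius_up_radius_user": evaluate(LEO_LIST, "alice", "s3cret", up),
        # RADIUS answers FAIL for an account it does not know: 'local' is never consulted
        "radius_up_local_only_user": evaluate(LEO_LIST, "admin", "xxx", up),
        # RADIUS unreachable -> ERROR -> fall back to the local database
        "radius_down_local_user": evaluate(LEO_LIST, "admin", "xxx", down),
        # console list built from the line password, no username needed
        "console_line_password": evaluate(RICK_LIST, "", "cisco", up),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'allowed' if ok else 'denied'}")
```

The second case is the one that surprises people: with RADIUS up, an account that exists only in the local database is rejected, because the reject from RADIUS ends the list. The local entry is a safety net for a RADIUS outage, not a second source of valid accounts.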

Cyril

The partial config that you posted shows aaa new-model but has no aaa commands that you configured. I am a little puzzled why you have entered aaa new-model but no other aaa commands. Perhaps you can clarify what is intended in the config?

The issue is that when you enable aaa new-model then aaa establishes its own default method for authenticating login. And as you discovered it then prevents you from configuring "login" on the console or vty. The default authentication in aaa is local. Since you do have a local user ID configured you should be able to login to the router using that user ID.

The solution suggested by Leo will work if you have a radius server. But I do not see anything in your original post indicating that you intend to use radius. If you are looking to just have the router authenticate the console using the console line password (which was the default before aaa new-model) then you could try something like this in your config:

aaa authentication login Console line
line console 0
login authentication Console

Note that the authentication named method is case sensitive.

HTH

Rick

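Rick's point is that once aaa new-model is on, the line's own "login" command is replaced by a method list, and the implicit default is local. A quick way to check a saved config for exactly this situation is the audit below, an added example that is not a Cisco tool and not code from anyone in this thread. It parses "show running-config" text (sub-mode commands under "line ..." indented by one space), reports lines that rely on the implicit default, telnet on the vty lines, clear-text password storage and "enable password" instead of "enable secret", and is run over two constructed configs: one modelled on the config posted above and a hardened version of it.

```python
"""Audit console/VTY login protection in an IOS running-config with aaa new-model.

Constructed example for this thread, not a Cisco tool and not code from the
forum posters. Input is 'show running-config' text, where sub-mode commands
(under 'line ...') are indented by one space.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the config posted in this thread (placeholder passwords)
WEAK_CONFIG = """\
version 12.4
no service password-encryption
enable password 1234
aaa new-model
aaa session-id common
username cisco password 0 cisco
line con 0
 password cisco
 no modem enable
line aux 0
line vty 0 4
 password abcd
 transport input telnet ssh
"""

# Same device with an explicit default list, hashed enable secret and SSH only (constructed)
HARDENED_CONFIG = """\
version 12.4
service password-encryption
enable secret ExampleSecret
aaa new-model
aaa authentication login default local
username cisco privilege 15 secret ExampleSecret
line con 0
 login authentication default
 no modem enable
line aux 0
line vty 0 4
 transport input ssh
"""


def parse(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global commands and per-'line' sections keyed by 'con 0', 'vty 0 4', ..."""
    global_cmds: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(text)
        elif text.startswith("line "):
            current = text[len("line "):]
            sections[current] = []
        else:
            current = None
            global_cmds.append(text)
    return global_cmds, sections


def audit(config: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    g, sections = parse(config)
    findings: List[str] = []
    aaa_on = "aaa new-model" in g
    lists: Dict[str, List[str]] = {}
    for cmd in g:
        m = re.match(r"aaa authentication login (\S+) (.+)$", cmd)
        if m:
            lists[m.group(1)] = m.group(2).split()
    if aaa_on and "default" not in lists:
        findings.append("aaa new-model without an explicit 'aaa authentication login default' list; "
                        "lines rely on the implicit local default")
    for name, cmds in sections.items():
        ref = next((c.split()[-1] for c in cmds if c.startswith("login authentication ")), None)
        if aaa_on:
            applied = ref or "default"
            methods = lists.get(applied)
            if ref is not None and methods is None:
                findings.append(f"line {name}: references undefined list '{ref}'")
            if methods and "none" in methods:
                findings.append(f"line {name}: list '{applied}' contains 'none' (no authentication)")
        elif not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(f"line {name}: no 'login' command, so the line password is never asked")
        transport = next((c for c in cmds if c.startswith("transport input ")), None)
        if transport and "telnet" in transport.split():
            findings.append(f"line {name}: clear-text telnet allowed by '{transport}'")
    if "no service password-encryption" in g:
        findings.append("no service password-encryption: line/username passwords stored in clear text")
    if any(c.startswith("enable password ") for c in g):
        findings.append("enable password in use; prefer 'enable secret' (hashed)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

Run as a script it prints four findings for the weak config and none for the hardened one. The check for a missing "login" command only applies when aaa new-model is absent; with aaa on, the script instead resolves which named list each line uses and flags undefined lists and lists containing "none".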

4 Replies 4


Guys,

I found this site last night and it is actually just what you guys suggested.

http://www.freeccnaworkbook.com/labs/section-3-configuring-basic-cisco-device-security/lab-3-3-configuring-aaa-authentication-lists/

Rick,

I used aaa new-model because I use ssh with rsa to remotely log in to the router.

Configs:

Building configuration...

Current configuration : 5741 bytes
!
version 12.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname my_vpn
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.124-4.T8.bin
boot-end-marker
!
logging buffered 8196 debugging
enable password 1234
!
aaa new-model
!
aaa authentication login console_authentication local
aaa authorization console
!
aaa session-id common
!        
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip cef
!
no ip domain lookup
ip domain name mydomain.com
!
username cisco privilege 15 password cisco
!

snip

!
line con 0
password cisco
login authentication console_authentication
no modem enable
line aux 0
line vty 0 4
password abcd
transport input telnet ssh
!

Thanks

Cyril

Cyril

Your explanation of why you configured aaa new-model with no other aaa statements makes sense and helps us understand what is going on. I am glad that you got your problem resolved and that our suggestions were helpful in that. Thank you for marking this issue as resolved (and thanks for the points). It makes the forum more useful when people can read about an issue and can know that they will find a solution to the issue. Your marking helps make this obvious to readers.

HTH

Rick