03-02-2015 08:55 AM - edited 03-07-2019 10:54 PM
This is probably a really silly question. But I'm relatively new to the engineering side of things...
I need to configure a real simply aaa setup on new IOS-XE switches. I've never done it on XE and it appears to be just different enough to me.
I just need a real quick and dirty run down on how to use aaa locally to lock down:
Console
SSH
Telnet
etc
I will field any and all questions
Thanks!
03-02-2015 09:23 AM
For local authentication, this would be the same as IOS:
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
enable secret PASSWORD
username USER secret PASSWORD
As soon as you configure AAA, all the lines will use the "aaa authent login" line.
03-03-2015 07:48 AM
Alright. Got that done.
Now, curiously... (from sh run output)
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
enable secret 5 <some garbage>
username rts.admin privilege 15 secret 5 <some garbage>
username cjis.admin privilege 15 secret 5 <some garbage>
username sw.admin privilege 15 secret 5 <some garbage>
Only the secret password for cjis.admin works to enter enable mode. The other two work to log in to the switch, but neither password works for "en".
Sorry if I'm completely ignorant... At any rate, each user should be able to use their secret password to access enable mode. When I take the "enable secret" out, it breaks it entirely. No user can access enable mode; I get:
Switch>en
% Error in authentication
Thanks,
I
03-03-2015 08:27 AM
If you want direct login to enable mode, you'd also need to allow that on the line, for example:
line vty 0 15
privilege level 15
I would still have an enable secret configured to prevent lockout in case you change the VTY line policy in the future.
Side note: The "<some garbage>" is an MD5 hash of the password entered to prevent it from being shown in cleartext in the running config. Newer code is converting over to a SHA256 hash which will show as "secret 4 <the hash>".
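Pulling the two replies together, the following is a complete local-AAA configuration for the console and VTY lines. It is an added example, not anything posted in the thread; the hostname, domain name and passwords are placeholders, and two lines go slightly beyond what the replies show: `aaa authorization exec default local` makes each username's privilege 15 take effect at login, and `transport input ssh` refuses Telnet on the VTY lines.

```text
! Added example (not from the thread). Replace the placeholder names and passwords.
hostname SW-EXAMPLE
ip domain-name example.test
! SSH needs an RSA key pair; use 2048 bits or larger
crypto key generate rsa modulus 2048
ip ssh version 2
!
aaa new-model
! Log in against the local username database
aaa authentication login default local
! "en" is checked against the enable secret, not against the user's own password
aaa authentication enable default enable
! Apply the privilege level stored on the username at login,
! so privilege-15 users land in enable mode without typing "en"
aaa authorization exec default local
!
! Keep an enable secret even when users land at level 15: without it,
! "aaa authentication enable default enable" has nothing to check and
! "en" fails with "% Error in authentication"
enable secret EnableSecretPlaceholder
username rts.admin privilege 15 secret RtsPasswordPlaceholder
username cjis.admin privilege 15 secret CjisPasswordPlaceholder
username sw.admin privilege 15 secret SwPasswordPlaceholder
!
line con 0
 exec-timeout 10 0
 login authentication default
!
line vty 0 15
 exec-timeout 10 0
 login authentication default
 ! SSH only; Telnet connections are refused on these lines
 transport input ssh
 ! Alternative to exec authorization: force every VTY session to level 15
 ! privilege level 15
!
```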
03-03-2015 08:33 AM
Yeah, I don't know why I omitted those.
I really appreciate this. Typically these things are done before I even get the hardware but this one's on me!
Thank you, thank you!