IOS XE and aaa

This is probably a really silly question. But I'm relatively new to the engineering side of things...

 

I need to configure a really simple aaa setup on new IOS-XE switches. I've never done it on XE and it appears to be just different enough to me.

 

I just need a real quick and dirty run down on how to use aaa locally to lock down:

Console

SSH

Telnet 

etc

 

I will field any and all questions

 

Thanks!

 

4 Replies

thiland
Level 3

For local authentication, this would be the same as IOS:

aaa new-model
aaa authentication login default local
aaa authentication enable default enable
enable secret PASSWORD
username USER secret PASSWORD

 

As soon as you configure AAA, all the lines will use the "aaa authent login" line. 


 

Alright. Got that done.

 

Now, curiously... (from sh run output)

aaa new-model
aaa authentication login default local
aaa authentication enable default enable

enable secret 5 <some garbage>

username rts.admin privilege 15 secret 5 <some garbage>
username cjis.admin privilege 15 secret 5 <some garbage>
username sw.admin privilege 15 secret 5 <some garbage>

Only the secret password for cjis.admin works to enter enable mode. The other two work to log in to the switch, but neither password works for "en".

Sorry if I'm completely ignorant... At any rate, each user should be able to use their secret password to access enabled mode. When I take the "enable secret" out, it breaks it entirely. No user can access enable mode; I get:


Switch>en
% Error in authentication

 

Thanks,

I

If you want direct login to enable mode, you'd also need to allow that on the line, for example:

line vty 0 15
 privilege level 15

I would still have an enable secret configured to prevent lockout in case you change the VTY line policy in the future.

Side note:  The "<some garbage>" is an MD5 hash of the password entered to prevent it from being shown in cleartext in the running config.  Newer code is converting over to a SHA256 hash which will show as "secret 4 <the hash>".
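As an added illustration (not code from this thread or from Cisco), the following script audits an IOS/IOS-XE running-config excerpt for the two pitfalls discussed above: local login with no local user, and `aaa authentication enable default enable` with no `enable secret` (which produces the `% Error in authentication` seen earlier). It also flags the type 5 (MD5) hashes mentioned in the side note. The sample config and its hashes are constructed placeholders.

```python
import re

# Constructed sample, modelled on the running-config excerpt in the thread
# (the hashes are placeholders, not real secrets).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
enable secret 5 $1$PLACEHOLDER$hashhashhashhashhashhash
username rts.admin privilege 15 secret 5 $1$PLACEHOLDER$hashhashhashhashhashhash
username sw.admin privilege 15 secret 5 $1$PLACEHOLDER$hashhashhashhashhashhash
line vty 0 15
 privilege level 15
"""

LEGACY_SECRET_TYPES = {"5"}  # type 5 is the MD5-based hash mentioned in the thread


def audit_local_aaa(config: str) -> dict:
    """Audit a running-config for the local-AAA pitfalls in this thread."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings = []

    new_model = "aaa new-model" in lines
    login_local = "aaa authentication login default local" in lines
    enable_via_secret = "aaa authentication enable default enable" in lines
    enable_secret = re.search(r"^enable secret (\d) ", config, re.M)
    users = re.findall(r"^username (\S+)(?: privilege (\d+))? secret (\d) ", config, re.M)

    # Local login with no local user defined means nobody can log in at all.
    if new_model and login_local and not users:
        findings.append("login uses local database but no 'username ... secret' exists")
    # 'enable' is checked against the enable secret, not the user's own password;
    # with no enable secret configured every 'en' fails with '% Error in authentication'.
    if enable_via_secret and enable_secret is None:
        findings.append("enable authentication uses enable secret but none is configured")
    if enable_secret and enable_secret.group(1) in LEGACY_SECRET_TYPES:
        findings.append("enable secret uses legacy type 5 (MD5) hash")
    for name, priv, typ in users:
        if typ in LEGACY_SECRET_TYPES:
            findings.append(f"user {name}: legacy type 5 (MD5) secret")
        if priv != "15":
            findings.append(f"user {name}: privilege {priv or '1'}, will land in user mode")

    return {"users": [u[0] for u in users], "findings": findings}
```

Run `audit_local_aaa` over a `show run` capture; an empty `findings` list means none of the thread's lockout conditions are present.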

Yeah, I don't know why I omitted those.

 

I really appreciate this. Typically these things are done before I even get the hardware but this one's on me!

 

Thank you, thank you!
