04-26-2008 02:35 PM - edited 03-10-2019 03:48 PM
Hi, 2 questions about AAA authentication, since I'm quite confused by the available documentation and currently I have no devices available to test:
1) When "aaa new-model" is entered, does login authentication immediately apply to all lines and default to the router's local database (without any other command needed)?
2) If I configure "aaa authentication login default none", does this mean that on the vty (when no command is applied to the vty) no authentication is performed; telnet succeeds without any authentication?
Thanks
04-27-2008 12:06 PM
HI, [Pls Rate if HELPS]
Answer to Question:1
======================
The first command, aaa new-model, tells the router that you are using either TACACS+ or RADIUS for authentication.
FYI, if you do not want the console to authenticate with TACACS, then try configuring this:
aaa authentication login consoleauth line
line con 0
login authentication consoleauth
To configure AAA authentication, perform the following tasks:
1. Enable AAA by using the aaa new-model global configuration command.
2. Configure security protocol parameters, such as RADIUS, TACACS+, or Kerberos if you are using a security server.
3. Define the method lists for Authentication by using an AAA authentication command.
4. Apply the method lists to a particular interface or line, if required.
Answer to Question:2
======================
Use the "aaa authentication login default none" command to get access to the router via console / VTY without authentication. The list must all be applied to the line / con / interface.
'none' means that no authentication is used.
Note: Normally we authorize all commands through TACACS+, but if the server is down, no authorization is necessary, hence the 'none'.
The 'none' keyword enables any user logging in to successfully authenticate; it should be used only as a backup method of authentication.
Hope I am Informative.
Please RATE if HELPS
Best Regards,
Guru Prasad R
04-28-2008 05:12 AM
Hi,
1) It will be applied to all interfaces in case you did not remove the aaa commands individually.
For example, you have these in your router:
aaa new-model
aaa authentication login default group tacacs+ local
Now you disable aaa by issuing the command
no aaa new-model
Everything related to aaa would be disabled.
Then if you enter the aaa new-model command again, all previous aaa entries would be enabled.
So the best way to remove aaa is by:
no aaa authentication login default group tacacs+ local
no aaa new-model
2) Yes, if you use "none" then no authentication check will be performed and the user will be authenticated without any check.
Regards,
~JG
Do rate helpful posts
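An added example, not part of any post in this thread: a small Python audit that resolves which login method list each line of an IOS configuration uses and flags lists containing the 'none' method discussed above. The sample configuration is constructed, and the script assumes that a line with no "login authentication" command of its own uses the list named default.

```python
import re

# Constructed sample configuration (not taken from the thread).
SAMPLE = """\
aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication login consoleauth line
line con 0
 login authentication consoleauth
line vty 0 4
 transport input telnet
"""

def audit_login_auth(config):
    """Return {line_block: (list_name, methods, finding)} for each line block."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            lists[m.group(1)] = m.group(2).split()
        elif re.match(r"line (con|aux|vty)\b", text):
            current = text
            lines[current] = "default"   # assumption: no explicit list means 'default'
        elif current and raw.startswith(" "):
            m = re.match(r"login authentication (\S+)", text)
            if m:
                lines[current] = m.group(1)
        else:
            current = None               # left the line sub-mode
    report = {}
    for line, name in lines.items():
        methods = lists.get(name)
        if methods is None:
            finding = "list-not-defined"   # the audit cannot resolve the methods
        elif methods == ["none"]:
            finding = "no-authentication"  # every login is accepted
        elif "none" in methods:
            finding = "none-as-fallback"   # accepted when earlier methods do not respond
        else:
            finding = "ok"
        report[line] = (name, methods, finding)
    return report

if __name__ == "__main__":
    for line, (name, methods, finding) in audit_login_auth(SAMPLE).items():
        print(f"{line:12} list={name:12} methods={methods} -> {finding}")
```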
04-28-2008 09:55 AM
Guys, thanks for your help and time.