hi all, i am facing this very strange issue. I have configured this on my router
username cisco password cisco123
I havent defined any aaa authentication and my line vty config is also empty. Now when i telnet to this router, i am asked for username/password !!! when i enter them i am authenticated !!!, why this happened ? if i havent configured any authentication method i know default list should be applied but when i havent created one will it still be applied ?
Kindly guide me
Do you get authenticated using local account or tacacs account?
May be aaa authentication was configured previously. If I have aaa authentication configured on my router and I do "no aaa new-model", aaa would be disabled.
Again after some time if I issue "aaa new-model" all the previous commands will show up.
Please issue command
#show run | inc aaa
AND you will see
aaa authentication login default group tac local
Let me know if that is not a case.
Do rate helpful posts
Dear Sir, i also had this doubt so i simply reloaded the router to its default config. Now this is the configuration on R1. Now
R1#sh run | in aaa
aaa session-id common
R1#sh run | be line vty 0 4
line vty 0 4
Now when from R2 i am doing
Trying 18.104.22.168 ... Open
User Access Verification
On R1 i ran debug aaa authentication, so i get this result
*Mar 1 00:03:36.579: AAA/BIND(00000006): Bind i/f
*Mar 1 00:03:36.587: AAA/AUTHEN/LOGIN (00000006): Pick method list 'Permanent Local'
I am confused since i havent defined any default method list then how come its authenticating it.
Kindly guide me
Hi all, i have found this while looking at the command reference of aaa.
aaa authentication login
If the default list is not set, only the local user database is checked. This has the same effect as the following command:
aaa authentication login default local
This quite clears my query (though i am still confused about the permanent method lists concept :( ). But further in this explanation a statement confused me
"If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the more system:running-config command to display currently configured lists of authentication methods."
I think both above statements are contracdting !! one says local username/password will be used if no default list is defined and then it says if i havent defined any method list on line then it should deny !! I m really confused can some one please guide me.
My experience with this is quite clear that as soon as you configure aaa new-model that the default for authentication for the console and the vty is to use the local username/password for authentication.
I agree that the two statements seem contradictory. I wonder if the second statement is describing some particular situation? Can you provide some context for the second statement, or perhaps a link to the second statement?
Dear Sir, thanks for taking a look at my issue. Sir below is the link from where i pasted the statements
Actually sir i am confused about the debug, they refer to something called permanent method lists but i am not able to find anything regarding them anywhere !!. If you issue this command
sh aaa method-lists authentication
you will see lists called permanent, what are they ? its this list that i am getting authenticated !!
Kindly guide me in this pls
Thank you for posting the link. I have looked at it but share your question about the second statement. I believe that this statement is incorrect. Perhaps in some older release it might have been accurate. But clearly in current code (and code for quite a while in my experience) there is a default behavior that is to use the local user data base for authentication if there is no other method configured.
I do not have a particularly good explanation about the permanent lists. When I look at them they seem to define the basic authentication mechanisms, which are permanently enabled and include Local, Enable, and None. But then I am puzzled that there is not one for Line, which I would expect if they were the basic authentication mechanisms. So I do not have a good explanation for this.
Dear Sir, i am quite a fan of netcraftsmen and Peter J Wilch and you. It was really an honor you looked at my issue. There is one thing i want to ask that why cisco hide such details ? i have felt that most of the very indepth technical facts comes from those who have worked in cisco. Why is that ? like that example of my query, if cisco has provided something why dont document it as well ? i hope you are getting my confusion what is the policy behind this hide n seek game :-)
Thank you for the nice things you say about Chesapeake NetCraftsmen. It is an excellent company and I am proud to be part of it.
I do not believe that there is any "policy" at Cisco about hiding such details. I believe that the issue is that the IOS is so full of features that it becomes difficult to document them.
Dear Sir, i am not stressing my point but during my preparation for CCIE, at first i thought in IGPs distribute lists cant contains extended access-lists, but later on one blog they described how extended access-list could be used to define the network plus the gateway. This feature is not documented anywhere though its a very useful feature. Plus you know there are certain commands called hidden commands, so i thought may be cisco wants to keep certains technical details only to its own engineers not leaking it to public.
Kindly dont mind this offtopic query.