aaa login using console

Hi all,

I have the following config: IOS ver 12.2 on cat6500 sup720 running native IOS

!

username roadrunner privilege 15 password xxx

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login console local

aaa authentication enable default group tacacs+ enable

aaa accounting commands 15 default start-stop group tacacs+

!

line con 0

login authentication console

!

line vty 0 4

transport input ssh

exec-timeout 10 0

!

The idea is to use TACACS+ for "login" and "enable mode" authentication to the router. If tacacs+ is not-reachable/not-available, then to use the console to login to the router, using local username/password.

But, with this above config, I can only login to the "user exec" mode, but not to the "enable" mode.

My understanding is, in this case, the router uses local username/password to login to the user exec mode and must use the "enable secret" to login to the enable mode. See below link:

http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfathen.html#wp1055538

It says, "On the console, the enable password is used if it exists. If no password is set, the process will succeed anyway."

But this does not seem to be happening in my case. I can only login to the user exec mode and am unable to get to the enable mode.

Am I missing anything here? Any help is appreciated.

Thank you,

Mohan

8 Replies

Jagdeep Gambhir
Level 10

Mohan,

Please add the following command:

Router(config)#aaa authorization console

(Hidden command)

Regards,

~JG

Do rate helpful posts

Premdeep Banga
Level 7

Hi,

I went through the description/objective that you want to accomplish.

As you have stated that you want to use TACACS+ for "login" and "enable mode" authentication to the router. If tacacs+ is not-reachable/not-available, then to use the console to login to the router, using local username/password.

Then why are we creating a separate login authentication method for the console?

We can have only the following authentication lists:

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

And remove the named list from the console,

line con 0

no login authentication console

And that will serve the purpose.

As you are only dealing with authentication and using the list name as "default", it will get applied to all the lines automatically including console.

Now, I think this is how you are testing,

We have not brought down the Tacacs server, and were trying to log into the device from the console using local username/password.

The above statements will only work flawlessly using local credentials and enable password if the Tacacs server is unavailable.

And I would like to correct JG here, "aaa authorization console" is only used, when we have applied authorization in the configuration, and want authorization to be applied on console as well, as by default authorization is not applied on console, to serve fallback.

And if you want that local authentication AND enable authentication using enable password should work in parallel, when Tacacs server is available, then that would not be possible.

Reason: the enable authentication part that you have configured does not have alternatives; either you can configure it for tacacs then enable as fallback (which will only happen when tacacs is down), or straight away enable.

And I suppose as per your configuration, you should have been failing enable authentication from console, because the Tacacs server was available, and you were logged in using local credentials, and we have aaa authentication enable "default", which gets applied on all the lines by default, AND we cannot change "default" list for enable authentication.

HTH

Regards,

Prem

I would like some clarification from Mohan. Based on what I understand of his description I would think that the config that he posted would be pretty close to doing what he wants. But he says that it is not working. What I think I understand from his original post is that he is able to login to user mode on the console but that he is not able to access enable mode. Can Mohan clarify what happens when he attempts to get to enable mode? What response do you receive? Perhaps the output of debug tacacs authentication would be helpful.

I wonder if the results are different when TACACS is actually available and when it is actually not available. Login to user mode on the console should work with the user ID in either case. But if TACACS is actually available then the router will attempt to authenticate enable access via TACACS. This would require that the userID configured on the router must also exist in TACACS. I wonder if it does?

I believe that JG has interpreted the requirements somewhat differently. His solution would work if the intent is to go directly into enable mode (bypass user mode). This is easy to do from the vty ports but by default does not work from the console. The hidden command that he suggests does make it work on the console. Since there is no authorization configured for the vty ports I suspect that this is not what Mohan is after.

Prem seems to think that you cannot have more than 1 authentication list (based on these statements):

We can only have authentication list as,

aaa authentication login default group tacacs+ local

I have configured more than 1 authentication list and it works quite well.

But I do agree with Prem that having multiple authentication lists is unnecessarily complex. What Mohan has configured in the default authentication list would seem to give him pretty much what he needs without requiring the second authentication list. It will attempt TACACS first and if TACACS is not available it will authenticate with the local ID, and it will attempt to use TACACS for enable authentication and will fall back to enable if TACACS is not available.

If I have misunderstood something then perhaps Mohan can clarify for us.

HTH

Rick

Hi Rick,

We can have more than one authentication list for login, but we cannot have same for "enable authentication". For "enable authentication" we only have "default" list available.

And I think Mohan also wants to do enable authentication, but we cannot break enable authentication using list and apply it on vty and console separately.

Let's wait for Mohan's input.

Regards,

Prem

Hello Guys,

First, thank you all for looking at my post and responding. After going over your responses, I feel that my initial post is a bit unclear about the requirements. I myself realized this only after reading your posts.

Coming to the issue, I have misstated my requirement. What I really want is to use the console anytime without any regard to the tacacs+ server's availability, that is, I want the console to use local username/password to login and use enable password to get to the enable mode, all the time (i.e. even if tacacs+ server is available).

But, again I goofed up while testing this. While testing this, the tacacs+ server was available. So, that explains why I have not been able to get to the enable mode. Maybe it would have worked fine if tacacs+ had not been available. But, what again confuses me is the Cisco documentation stated above, "the console must use the enable password to get to the enable mode", which was not happening in my case. So, the question is, will the console login method change depending on whether tacacs+ is available or not?

I am going to test this today in the lab and see how it works.

Thank you again for your thoughtful responses and I will post the results of my testing soon.

Thank you,

Mohan

So here it goes,

aaa authentication login console local

aaa authentication enable default group tacacs+ enable

line con 0

login authentication console

[Scenario I] : TACACS server UP

- You'll be able to log into user exec mode from console successfully i.e. Router>

- But you will not be able to log into enable mode (privileged exec). Reason:

You have the command "aaa authentication enable default group tacacs+ enable"

"Default" means to be applied on all the lines, including console. The "the console must use the enable password to get to the enable mode" is only applicable if AAA enable authentication is NOT configured.

[Scenario II] : TACACS server DOWN

- You'll be able to log into user exec from console

- You should be able to go into enable mode (privileged exec) using the enable password, because the TACACS server is not available, as per the command

"aaa authentication enable default group tacacs+ enable"

If you want to keep enable authentication, i.e. aaa authentication enable..., then what you want cannot be accomplished. But if you remove enable authentication, then you'll be able to log into enable mode from VTY and console, but using the local enable password all the time.

Reason being, we cannot separate enable authentication and then apply it on the console line separately, like the login authentication.

Or if you want you can also, look in direction of exec authorization...

But that would totally skip the enable mode, and land you directly into Privilege exec mode.

HTH

Regards,

Prem

Thanks Prem. That was exactly my understanding too. For now, I have skipped the enable password checking on the console with the "privilege-level 15" under line con 0. This directly puts me in the privilege exec mode.

The bottom line is, the console must always be available for me to make any configuration changes, while at the same time having some level of security.

Thank you all for your thoughts.

Regards,

Mohan
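Pulling the outcome of the thread into one configuration, as an added example that is not from any of the posters: TACACS+ with local/enable fallback on the vty lines, and a console that always authenticates against the local username and lands in privileged exec through the line's privilege level, because `aaa authentication enable` has only a default list and cannot be split per line. The TACACS+ server address and the passwords are placeholders.

```text
! Added example assembled from the thread; not the original poster's config.
! 192.0.2.10 and the <...> values are placeholders.
aaa new-model
!
username roadrunner privilege 15 password <LOCAL-PASSWORD>
enable secret <ENABLE-SECRET>
tacacs-server host 192.0.2.10 key <TACACS-KEY>
!
! vty lines: TACACS+ first; local user and enable secret are used only
! when the server is unreachable.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting commands 15 default start-stop group tacacs+
!
! Console: always local, regardless of TACACS+ reachability.
! There is no named list for enable authentication, so with the server up the
! "enable" prompt on the console would still be sent to TACACS+ (Scenario I).
! The line's privilege level skips that prompt: after the local login the
! user is already in privileged exec. The local password and physical access
! to the console port are then the only controls on that path.
aaa authentication login console local
!
line con 0
 login authentication console
 privilege level 15
 exec-timeout 10 0
!
line vty 0 4
 transport input ssh
 exec-timeout 10 0
```

Dropping `aaa authentication enable default ...` entirely is the other option from the thread: the enable secret is then checked locally on every line, console and vty alike, and TACACS+ is no longer consulted for enable at all.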

Glad we could help you.

Please rate the helpful posts, so that others can benefit from it.

Thanks,

Prem
