01-31-2004 09:44 AM - edited 02-21-2020 10:09 AM
I had ssh running on a few devices and I decided to disable it. Part and parcel with SSH, I had an aaa configuration set up whereby I would be booted right into enable mode when I logged in -- no need to enable.
I'm now trying to turn this off and get the regular login (telnet, <ask for password>, enable <ask for password>) back in working order, but every time I try to telnet into the box, I get asked for a username.
The only way around this, I have discovered, is to completely blow away the aaa config; then it will allow the line vty 0 4 ; login command to stick. With AAA configured, the login command needs an argument:
frn1-r3.tor#conf t
Enter configuration commands, one per line. End with CNTL/Z.
frn1-r3.tor(config)#line vty 0 4
frn1-r3.tor(config-line)#login ?
authentication Authentication parameters.
frn1-r3.tor(config-line)#
This workaround is all fine and good in most cases; I can disable aaa with no issues, except on my RAS servers. If I disable aaa on those, my users are no longer able to dial-in.
I've tried to blow away the aaa config on the RAS server, quickly jump to the vty and configure login, which works fine, but when I re-enable aaa, the command from the vty gets nuked:
frn1-r3.tor#conf t
Enter configuration commands, one per line. End with CNTL/Z.
frn1-r3.tor(config)#no aaa new-model
frn1-r3.tor(config)#line vty 0 4
frn1-r3.tor(config-line)#login ?
local Local password checking
tacacs Use tacacs server for password checking
<cr>
frn1-r3.tor(config-line)#login
frn1-r3.tor(config-line)#exit
frn1-r3.tor(config)#exit
frn1-r3.tor#sh run | beg vty 0 4
line vty 0 4
exec-timeout 60 0
password 7 ************
login
transport input telnet
!
end
frn1-r3.tor#conf t
Enter configuration commands, one per line. End with CNTL/Z.
frn1-r3.tor(config)#aaa new-model
frn1-r3.tor(config)#!
frn1-r3.tor(config)#!
frn1-r3.tor(config)#aaa authentication ppp default group radius
frn1-r3.tor(config)#aaa authorization network default group radius
frn1-r3.tor(config)#aaa accounting delay-start
frn1-r3.tor(config)#aaa accounting update periodic 60
frn1-r3.tor(config)#aaa accounting network default start-stop group radius
frn1-r3.tor(config)#exit
frn1-r3.tor#sh run | beg vty 0 4
line vty 0 4
exec-timeout 60 0
password 7 *************
transport input telnet
!
end
frn1-r3.tor#
Anyone have any ideas on how I can fix this and get back to plain-jane telnet while having AAA work still?
02-02-2004 11:55 AM
It's normal for the 'login' command to disappear from your line config when AAA is enabled, because AAA is in complete control of all authentication on the router once you enable it. The default authentication method (when not specified) is "local".
Exactly how to configure this depends on whether you will have async mode interactive or async mode dedicated.
interactive:
!
aaa authentication login default line
aaa authentication login DIAL group radius local
aaa authorization exec DIAL group radius local
aaa authentication ppp default group radius local
aaa authorization network default group radius local
username pppbackup password pppsecret
!
line 1 60
login authentication DIAL
authorization exec DIAL
!
dedicated:
!
aaa authentication login default line
aaa authentication ppp default group radius local
aaa authorization network default group radius local
username pppbackup password pppsecret
!
If you don't want authentication to be possible when the RADIUS servers are down, remove the backup username and the 'local' keyword on all the aaa lines.
hope this helps,
Regards,
Aamir
-=-=-
02-03-2004 06:11 PM
I don't want to authenticate a username at all when an administrator is doing telnet to the device itself. All I want is a password.
Obviously dialup users need to authenticate with username and password when they connect ppp via asynch, synch, pppoe, etc.
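Putting Aamir's explanation together with the requirement in the follow-up (password-only telnet for administrators, per-user RADIUS for dial-in), the configuration below is an added example and is not taken from any post in this thread. The RADIUS server address, the shared key and every password are placeholders; `aaa authentication login default line` is the piece that makes the vty prompt for a line password instead of a username once `aaa new-model` is on.

```cisco
! Added example (not from any post in this thread): password-only telnet
! login on the vty lines while PPP dial-in keeps using RADIUS.
! Server address, RADIUS key and all passwords are placeholders.
aaa new-model
!
! The 'default' login list is what console/aux/vty lines use when the
! line has no 'login authentication <list>' of its own. Method 'line'
! means "check the line password", so telnet asks for a password only,
! never a username. Each line using this list must have a password set,
! or logins on that line fail.
aaa authentication login default line
!
! Enable mode keeps using the enable secret; no username there either.
! (With aaa new-model on, this is also the behaviour when the command
! is absent.)
aaa authentication enable default enable
!
! Dial-in users still authenticate per-user against RADIUS, and only
! these PPP sessions are accounted.
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
!
radius-server host 192.0.2.10 key RADIUS-KEY-PLACEHOLDER
!
enable secret ENABLE-SECRET-PLACEHOLDER
!
line vty 0 4
 exec-timeout 60 0
 password VTY-PASSWORD-PLACEHOLDER
 transport input telnet
```

After this is applied, `sh run | beg vty 0 4` will still show no `login` keyword under the vty lines; that is the normal AAA behaviour described above, not a sign the change was lost. Test from a second telnet session before closing the one the change was made from, so a typo in the login list cannot lock you out. Note that a shared line password gives no per-administrator audit trail: RADIUS accounting records exist only for the PPP sessions, so management access to the box is traceable only to the source address in the vty session.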