aaa new-model and inbound telnet

jlixfeld
Level 1

I had ssh running on a few devices and I decided to disable it. Part and parcel with SSH, I had an aaa configuration set up whereby I would be booted right into enable mode when I logged in -- no need to enable.

I'm now trying to turn this off and get the regular login (telnet, <ask for password>, enable <ask for password>) back in working order, but every time I try to telnet into the box, I get asked for a username.

The only way around this, I have discovered, is to completely blow away the aaa config; then it will allow the line vty 0 4 ; login command to stick. With AAA configured, the login command needs an argument:

frn1-r3.tor#conf t
Enter configuration commands, one per line. End with CNTL/Z.
frn1-r3.tor(config)#line vty 0 4
frn1-r3.tor(config-line)#login ?
  authentication  Authentication parameters.
frn1-r3.tor(config-line)#

This workaround is all fine and good in most cases; I can disable aaa with no issues, except on my RAS servers. If I disable aaa on those, my users are no longer able to dial in.

I've tried to blow away the aaa config on the RAS server, quickly jump to the vty and configure login, which works fine, but when I re-enable aaa, the command from the vty gets nuked:

frn1-r3.tor#conf t
Enter configuration commands, one per line. End with CNTL/Z.
frn1-r3.tor(config)#no aaa new-model
frn1-r3.tor(config)#line vty 0 4
frn1-r3.tor(config-line)#login ?
  local   Local password checking
  tacacs  Use tacacs server for password checking
  <cr>
frn1-r3.tor(config-line)#login
frn1-r3.tor(config-line)#exit
frn1-r3.tor(config)#exit
frn1-r3.tor#sh run | beg vty 0 4
line vty 0 4
 exec-timeout 60 0
 password 7 ************
 login
 transport input telnet
!
end

frn1-r3.tor#conf t
Enter configuration commands, one per line. End with CNTL/Z.
frn1-r3.tor(config)#aaa new-model
frn1-r3.tor(config)#!
frn1-r3.tor(config)#!
frn1-r3.tor(config)#aaa authentication ppp default group radius
frn1-r3.tor(config)#aaa authorization network default group radius
frn1-r3.tor(config)#aaa accounting delay-start
frn1-r3.tor(config)#aaa accounting update periodic 60
frn1-r3.tor(config)#aaa accounting network default start-stop group radius
frn1-r3.tor(config)#exit
frn1-r3.tor#sh run | beg vty 0 4
line vty 0 4
 exec-timeout 60 0
 password 7 *************
 transport input telnet
!
end

frn1-r3.tor#

Anyone have any ideas on how I can fix this and get back to plain-jane telnet while having AAA work still?

awaheed
Cisco Employee

It's normal for the 'login' command to disappear from your line config when AAA is enabled, because AAA is in complete control of all authentication on the router once you enable it. The default authentication method (when not specified) is "local".

Exactly how to configure this depends on whether you will have async mode interactive or async mode dedicated.

interactive:

!
aaa authentication login default line
! The named lists below are referenced by the async lines; IOS syntax is
! "aaa authentication login <list>" and "aaa authorization exec <list>".
aaa authentication login DIAL group radius local
aaa authorization exec DIAL group radius local
aaa authentication ppp default group radius local
aaa authorization network default group radius local
username pppbackup password pppsecret
!
line 1 60
 login authentication DIAL
 authorization exec DIAL
!

dedicated:

!
aaa authentication login default line
aaa authentication ppp default group radius local
aaa authorization network default group radius local
username pppbackup password pppsecret
!

If you don't want authentication to be possible when the RADIUS servers are down, remove the backup username and the 'local' keyword on all the aaa lines.

hope this helps,

Regards,

Aamir

-=-=-

I don't want to authenticate a username at all when an administrator is doing telnet to the device itself. All I want is a password.

Obviously dialup users need to authenticate with username and password when they connect ppp via asynch, synch, pppoe, etc.
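An added worked configuration (not from either poster) showing the end state the original question asks for: AAA stays enabled for dial-in PPP via RADIUS, while administrator telnet sessions are checked against the vty line password only. It assumes the RADIUS server is already defined under `aaa group server radius` / `radius-server host`, and the secret and password values are placeholders.

```cisco
! --- BEFORE (the situation in the question) ---
! "aaa new-model" is on but no login method list is defined, so IOS
! falls back to "local" for login and every telnet prompts for a username.
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius
!
! --- AFTER (password-only telnet, RADIUS for PPP) ---
aaa new-model
! Interactive logins (vty/console) are checked against the line password.
! If a line has no "password" set, login on that line is refused, so keep
! the vty password in place before applying this.
aaa authentication login default line
! Dial-in PPP users still authenticate with username/password via RADIUS;
! "local" at the end is the fallback if all RADIUS servers are unreachable.
aaa authentication ppp default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting update periodic 60
aaa accounting network default start-stop group radius
! Fallback account used only when RADIUS is down (placeholder values).
username pppbackup secret PPPBACKUP-SECRET-PLACEHOLDER
!
! Privileged mode keeps its own secret; "enable" still prompts separately.
enable secret ENABLE-SECRET-PLACEHOLDER
!
line vty 0 4
 exec-timeout 60 0
 password VTY-PASSWORD-PLACEHOLDER
 transport input telnet
!
! Checks after applying:
!   show run | include aaa authentication login   -> "default line" present
!   telnet to the router                          -> prompts "Password:" only
!   debug aaa authentication (briefly)            -> LOGIN uses method LINE,
!                                                    PPP uses method RADIUS
```

Remove the `local` keyword and the `pppbackup` account if PPP must fail closed when RADIUS is unreachable, as the reply above notes.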