I have a Cisco 3825 running IOS c3825-advsecurityk9-mz.124-22.YB5.bin
I'm trying to use the 'login local' command for the usernames I have created on the router for the aux, con and vty lines.
But when I try to configure the line, the command 'login' is available to me, but 'local' is not an available option.
Can anyone tell me if I should or shouldn't have it available to me?
Yes, AAA is in my configuration.
Can the same also be said for the con 0, aux, etc. lines as well, in addition to the vty line, that login local is not available?
So both AAA and login local cannot be used at the same time?
I have read documentation from Cisco and from google searches regarding the addition of your proposed command. I have not tried it yet.
Currently the aaa section of my config for my router has this:
aaa local authentication attempts max-fail 3
aaa authentication login default group tacacs+ local enable
aaa authentication login Jay none
aaa authentication login towerclear none
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec local_author none
aaa authorization network default none
aaa session-id common
Unfortunately my knowledge of aaa is limited and I'm having a hard time getting a grasp of it. I know for sure that my router does not use any tacacs+ or radius, but those commands were put in for some reason. I know that the only access is by the usernames and passwords I have created on the router device itself.
So will adding "aaa authentication login default local" have any impact on the other aaa authentication listed in my config? I think the answer is no, if I recall correctly from the reading I've done.
If you are not using TACACS, you can remove all the AAA commands and use login local under the vty lines
If you want to keep the commands, go ahead and use 'aaa authentication login default local'
Technically I'm not using TACACS but I think I want to keep that line there.
If I add 'aaa authentication login default local' what will that do? Does it affect all the lines, e.g. con 0, aux, vty, tty? Or do I configure them individually? I have to make sure the tty isn't affected. I have a modem card installed in my routers for outside sites to dial into to transmit data.
'aaa authentication login default local', and a local username and password configured, will apply to all access to the device. You don't need to configure anything on the lines individually.
Based on your last response, will that affect the tty lines that receive connections requiring a login and password?
The whole reason for the post was a vulnerability finding for the local login. The remediation simply states that I need to enter this command for the line(s) con 0, vty, etc.:
hostname(config-line)# password LINE_PASSWORD
When I do "password ?" at the prompt the options are:
Is there something I'm missing where the password can be encrypted?
If we can get a clear understanding of what your requirements are I believe that there are options for configuration that can accomplish them. If you want your vty and console to authenticate differently from what the tty uses for authentication this is quite possible (and I have done it for a customer). You configure one (perhaps tty) to use the default authentication method, and then you configure a different authentication method and configure vty and console to use that method.
Yes there is an option to get the passwords for vty and console to be encrypted. Use service password-encryption (in global configuration mode) and the passwords will be encrypted.
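Putting the last two replies together (a separate login method list for console/vty while the tty lines keep the default list, plus hiding the line passwords), here is an added example configuration for an IOS 12.4 router. It is not from the thread or from Cisco documentation; the list name CONSOLE_VTY, the username 'jay' and the placeholder passwords are assumptions, and the default method list is the one already shown in the poster's config. Note that with 'aaa new-model' in place the line-mode command is 'login authentication <list>', which is why 'login local' does not appear as an option; 'login local' only exists when AAA is disabled.

```ios
! Added example, not the poster's running config.
! Assumes: list name CONSOLE_VTY, username jay, placeholder secrets.
aaa new-model
!
! Default list: any line without an explicit 'login authentication' uses it,
! so the modem tty lines are left alone and keep this behaviour.
aaa authentication login default group tacacs+ local enable
!
! Named list for operator access: local usernames only.
aaa authentication login CONSOLE_VTY local
!
! 'secret' stores an MD5 hash (type 5); 'password' is only type 7 obfuscation.
username jay secret Str0ngLocalSecret
enable secret Str0ngEnableSecret
!
! Apply the named list to the lines the scanner flagged.
line con 0
 login authentication CONSOLE_VTY
line aux 0
 login authentication CONSOLE_VTY
line vty 0 4
 login authentication CONSOLE_VTY
 transport input ssh
!
! Only if the remediation insists on a line password as well: set it, and hide
! it in 'show running-config'. This is type 7 (reversible), not real encryption.
line vty 0 4
 password LINE_PASSWORD
service password-encryption
```

Two checks before relying on this: 'aaa authentication login Jay none' and 'aaa authentication login towerclear none' in the posted config are method lists that perform no authentication at all, so run 'show running-config | begin ^line' and make sure no line is assigned to either of them; and keep the current session open while testing the new console and vty login from a second session, since a typo in a method list name locks you out rather than falling back to the default.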