IINS AAA and study guide clarification please
geezer
Member Posts: 136
Hi
Having embarked on the IINS study using the Cisco Press exam cert guide (Watkins & Wallace) I have come across a couple of things that need clarifying:
1). Is it necessary to configure "aaa new-model" via CLI before using SDM? I have tried it using GNS3 on a 3600 router (IOS 12.4) and it works fine with SDM without CLI intervention.
2). The example on page 163 (config from using auto secure) shows AAA attributes of which local authentication is selected for all router access whether vty or async. I understood that local meant the local username/password database but I don't see a username configured - instead only the enable password is configured?
Lastly, is it possible to cover all topics and pass using this book and GNS3?
TIA
I used to be undecided but now I'm not so sure.
There are only 10 types of people in the world: Those who understand binary, and those who don't!
Comments
Bl8ckr0uter Inactive Imported Users Posts: 5,031
Quoting geezer:
Hi
Having embarked on the IINS study using the Cisco Press exam cert guide (Watkins & Wallace) I have come across a couple of things that need clarifying:
1). Is it necessary to configure "aaa new-model" via CLI before using SDM? I have tried it using GNS3 on a 3600 router (IOS 12.4) and it works fine with SDM without CLI intervention.
2). The example on page 163 (config from using auto secure) shows AAA attributes of which local authentication is selected for all router access whether vty or async. I understood that local meant the local username/password database but I don't see a username configured - instead only the enable password is configured?
Lastly, is it possible to cover all topics and pass using this book and GNS3?
TIA
1: There is a button in the SDM that basically activates AAA.
2: There is a command that you apply to the lines that makes them look to the local database. (I won't tell you what, simply because you will find it.)
3: I think so, just make sure you have some switches for the switch port stuff.
geezer Member Posts: 136
The 'enable AAA' button does work but the book (and author) stick by the 'CLI needed' stance. Don't care too much but want the 'exam' correct answer - CLI first then SDM, or simply SDM only?
Does the local database consist of the enable password only? I don't think so, but the output on page 163 doesn't show it and points to "local" authentication for the lines.
Only have a couple of 1900 switches. I presume I could use something like a 3600 with ethernet ports instead?
aaa authentication login default-auth local
(default-auth is the method list name btw)
I am presuming that as a minimum "local" authentication is the enable password only. The username/password option gives a more granular approach to securing device access/permissions.
I used to be undecided but now I'm not so sure.
There are only 10 types of people in the world: Those who understand binary, and those who don't!
mikem2te Member Posts: 407
Quoting geezer:
The 'enable AAA' button does work but the book (and author) stick by the 'CLI needed' stance. Don't care too much but want the 'exam' correct answer - CLI first then SDM, or simply SDM only?
Does the local database consist of the enable password only? I don't think so, but the output on page 163 doesn't show it and points to "local" authentication for the lines.
Only have a couple of 1900 switches. I presume I could use something like a 3600 with ethernet ports instead?
aaa authentication login default-auth local (default-auth is the method list name btw)
AAA can be enabled via CLI or SDM and it is not required for SDM. You have to do the usual commands to enable SDM:
ip http authentication local
username xxx privilege 15 secret xxx
ip http server
Quoting geezer:
Does the local database consist of the enable password only? I don't think so, but the output on page 163 doesn't show it and points to "local" authentication for the lines.
Blog : http://www.caerffili.co.uk/
Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
Currently : EIGRP & OSPF
Next : CCNP Route
ian g Member Posts: 29
As far as I understand you can go straight into SDM, but by default you won't be able to do much until you have set it up to authenticate a user with privilege level 15. You can set up AAA, or just use the local DB, as long as that contains a level 15 user.
After you set up your local user(s) in CLI, issue 'ip http authentication local', then fire up SDM with admin privileges.
Bl8ckr0uter Inactive Imported Users Posts: 5,031
No, local authentication simply means that it is going to use the local database (usernames and passwords that have been configured on the device) instead of something like a TACACS or RADIUS server. Remember that, because that is very important.
You can set up usernames and passwords before you enable AAA authentication (remember PPP).
As far as I know, the enable password and the username database are completely different things. Looks to me like the output on page 163 will result in a router you can't log in to unless a "username ......." command is entered sharpish.
This is correct
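A check for the lockout the thread describes (AAA pointed at "local" with no username in the local database, and SDM needing a privilege 15 user), written here as an added example that is not from the thread or from Cisco; both sample configs are constructed, and the method list name default-auth is the one geezer used above.

```python
import re

# Constructed sample of the thread's page 163 situation: AAA on, vty lines on "local", no username.
LOCKOUT_CONFIG = """\
aaa new-model
aaa authentication login default-auth local
enable secret 0 ConstructedEnable1
line vty 0 4
 login authentication default-auth
"""

# Constructed fix: a privilege 15 user exists before AAA is on, plus the HTTP/SDM commands from the thread.
SAFE_CONFIG = """\
username admin privilege 15 secret 0 ConstructedPassw0rd
aaa new-model
aaa authentication login default-auth local
ip http server
ip http authentication local
line vty 0 4
 login authentication default-auth
"""

def local_method_lists(cfg):
    """Names of login method lists whose method chain includes 'local'."""
    found = set()
    for line in cfg.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)", line.strip())
        if m and "local" in m.group(2).split():
            found.add(m.group(1))
    return found

def max_local_privilege(cfg):
    """Highest privilege in the local user database, None if no username; no 'privilege' keyword means level 1."""
    levels = []
    for line in cfg.splitlines():
        m = re.match(r"username \S+(?: privilege (\d+))? (?:secret|password) ", line.strip())
        if m:
            levels.append(int(m.group(1) or 1))
    return max(levels) if levels else None

def lockout_findings(cfg):
    """Findings as strings; an empty list means the config looks safe."""
    lines = [l.strip() for l in cfg.splitlines()]
    top = max_local_privilege(cfg)
    findings = []
    if "aaa new-model" in lines and top is None:
        findings.append("AAA on with lists using local %s but no username: every login is rejected" % sorted(local_method_lists(cfg)))
    if "ip http authentication local" in lines and (top is None or top < 15):
        findings.append("ip http authentication local without a privilege 15 user: SDM cannot reach privileged mode")
    return findings
```

Run it against a saved running-config before committing an auto secure style change; an empty list from lockout_findings means a console or vty login will still succeed.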
geezer Member Posts: 136
I agree about the book being written better, especially the lack of authorization and accounting info! I feel like I am proof-reading the thing too, as well as the errata!
I created a level 15 user in SDM before I could enable AAA but definitely didn't have to use the command line. As long as the device was pingable I let the SDM code do the configuring for me, which makes sense to me.
This seems to imply that the 'enable' password is local. Whether this is "aaa" local I still don't know.
I used to be undecided but now I'm not so sure.
There are only 10 types of people in the world: Those who understand binary, and those who don't!
mikem2te Member Posts: 407
Quoting geezer:
I agree about the book being written better, especially the lack of authorization and accounting info! I feel like I am proof-reading the thing too, as well as the errata! I created a level 15 user in SDM before I could enable AAA but definitely didn't have to use the command line. As long as the device was pingable I let the SDM code do the configuring for me, which makes sense to me.
SDM probably forces you to create the level 15 user before enabling AAA as it is sooooo easy to lock yourself out of the router.
Quoting geezer:
This seems to imply that the 'enable' password is local. Whether this is "aaa" local I still don't know.
Blog : http://www.caerffili.co.uk/
Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
Currently : EIGRP & OSPF
Next : CCNP Route
geezer Member Posts: 136
Thanks all for the prompt (no pun intended) feedback!
Yes mike, SDM will only allow AAA configuration once you have an exec priv mode user with which to send to the router, so it isn't completely daft (unlike the config on page 163!)
Will take on board that 'local' means database in terms of AAA, which is what I understood thus far. Just takes some slack comments to waste precious time.
Mind must be fogging over with this confusion but ADM? Passed my CCNAs twice using Lammle books but this CP book isn't leaving me with a good impression - unless I pass well that is!
Cheers again.
I used to be undecided but now I'm not so sure.
There are only 10 types of people in the world: Those who understand binary, and those who don't!
mikem2te Member Posts: 407
Quoting geezer:
CP book isn't leaving me with a good impression - unless I pass well that is!
Cheers again.
Blog : http://www.caerffili.co.uk/
Previous : Passed Configuring Microsoft Office SharePoint Server 2007 (70-630)
Currently : EIGRP & OSPF
Next : CCNP Route