IINS AAA and study guide clarification please

Hi

Having embarked on the IINS study using the cisco press exam cert guide (Watkins & Wallace) I have come across a couple of things that need clarifying:

1). Is it necessary to configure "aaa new-model" via CLI before using SDM? I have tried it using GNS3 on a 3600 router (IOS 12.4) and works fine with SDM without CLI intervention.

2). The example on page 163 (config from using auto secure) shows AAA attributes of which local authentication is selected for all router access whether vty or async. I understood that local meant local username/password database but don't see a username configured - instead the enable password only is configured?

Lastly, is it possible to cover all topics and pass using this book and GNS3?

TIA

Find more posts tagged with

Comments

Bl8ckr0uter

geezer wrote: »

Hi

Having embarked on the IINS study using the cisco press exam cert guide (Watkins & Wallace) I have come across a couple of things that need clarifying:

1). Is it necessary to configure "aaa new-model" via CLI before using SDM? I have tried it using GNS3 on a 3600 router (IOS 12.4) and works fine with SDM without CLI intervention.

2). The example on page 163 (config from using auto secure) shows AAA attributes of which local authentication is selected for all router access whether vty or async. I understood that local meant local username/password database but don't see a username configured - instead the enable password only is configured?

Lastly, is it possible to cover all topics and pass using this book and GNS3?

TIA

1: There is a button in the SDM that basically activates AAA.
2: There is a command that you apply to the lines that makes them look to the local database. ( I won't tell you what, simply because you will find it

)
3: I think so, just make sure you have some switches for the switch port stuff.

geezer

The 'enable AAA' button does work but the book (and author) stick by the 'CLI needed' stance. Don't care too much but want the 'exam' correct answer - CLI first then SDM or simply SDM only?

Does the local database consist of the enable password only? I don't think so but the output on page 163 doesn't show it but points to "local" authentication for the lines.

Only have a couple of 1900 switches. I presume I could use something like 3600 with ethernet ports instead?

aaa authentication login default-auth local

(default-auth is method list name btw)

I am presuming that as a minimum "local" authentication is the enable password only. Username/password option gives a more granular approach to securing device access/permissions.

mikem2te

geezer wrote: »

The 'enable AAA' button does work but the book (and author) stick by the 'CLI needed' stance. Don't care too much but want the 'exam' correct answer - CLI first then SDM or simply SDM only?

Does the local database consist of the enable password only? I don't think so but the output on page 163 doesn't show it but points to "local" authentication for the lines.

Only have a couple of 1900 switches. I presume I could use something like 3600 with ethernet ports instead?

aaa authentication login default-auth local (default-auth is method list name btw)

Personally IMO, that book could be written better.

AAA can be enabled CLI or SDM and it is not required for SDM. You have to do the usual commands to enable SDM-

ip http authentication local
username xxx privilige 15 secret xxx
ip http server

Does the local database consist of the enable password only? I don't think so but the output on page 163 doesn't show it but points to "local" authentication for the lines.

As far as I know, the enable password and the username database are completely different things. Look to me like the output on page 163 will result on a router you can't login to unless a "username ......." command is entered sharpish.

ian g

As far as I understand you can go straight into SDM, but by default you won't be able to do much until you have set it up to authenticate a user with privilege level 15. You can set up aaa, or just use the local DB, as long as that contains a level 15 user.
After you set up your local user(s) in CLI, issue 'ip htttp authentication local', then fire up SDM with admin privileges.

Bl8ckr0uter

No local authentication is simply means that it is going to use the local databases (usernames and passwords that have been configured the device) instead of something like a Tacacs or Radius server. Remember that, because that is very important.

You can set up usernames and passwords before you enable AAA authentication (remember PPP).

mikem2te wrote: »

As far as I know, the enable password and the username database are completely different things. Look to me like the output on page 163 will result on a router you can't login to unless a "username ......." command is entered sharpish.

This is correct

geezer

I agree about the book being written better especially the lack of authorization and accounting info! I feel like I am proof-reading the thing too as well as the errata!

I created a level 15 user in SDM before I could enable AAA but definitely didn't have to use command line. As long as the device was pingable I let the SDM code do the configuring for me which makes sense to me.

This seems to imply that 'enable' password is local. Whether this is "aaa" local I still don't know.

mikem2te

geezer wrote: »

I agree about the book being written better especially the lack of authorization and accounting info! I feel like I am proof-reading the thing too as well as the errata!

I thought the same - the voice section goes on about FPSIP fast page or something gibberish like that. I though it was session initiation protocol.

geezer wrote: »

I created a level 15 user in SDM before I could enable AAA but definitely didn't have to use command line. As long as the device was pingable I let the SDM code do the configuring for me which makes sense to me.

I configured AAA & ADM through the CLI rather than letting the SDM installer do it because I couldn't get the installerr to work properly.

SDM Probably forces you to create the level 15 user before enabling AAA as it is sooooo easy to lock yourself out of the router.

geezer wrote: »

This seems to imply that 'enable' password is local. Whether this is "aaa" local I still don't know.

Local refers to users created using the usaername command.

geezer

Thanks all for the prompt (no pun intended) feedback!

Yes mike, SDM will only allow AAA configuration once you have an exec priv mode user which to send to the router so it isn't completely daft (unlike the config on page 163!)

Will take on board that 'local' means database in terms of AAA which is what I understood thus far. Just takes some slack comments to waste precious time.

Mind must be fogging over with this confusion but ADM? Passed my CCNAs twice using Lammle books but this CP book isn't leaving me with a good impression - unless I pass well that is!

Cheers again.

mikem2te

geezer wrote: »

CP book isn't leaving me with a good impression - unless I pass well that is!

Cheers again.

Theres another book I used, the authorised self study guide by Catherine Paquet. A much better book IMO.