AAA Authentication Question
jude56g
Member Posts: 107 ■■■□□□□□□□
Is there anyone who can help me make sense of this config?
When I log in I'm always prompted for a username/password.
When I authenticate via the VTY, I'm placed in priv15.
When I authenticate via the console I'm placed in user mode.
I'm using the default method list so I would expect that the same rules would apply to the VTY & Console lines.
What gives?
Config is below:
===========================================================================
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
===========================================================================
line con 0
exec-timeout 4320 0
logging synchronous
transport output all
stopbits 1
line vty 0 4
access-class 98 in
exec-timeout 0 0
password 7 <########>
logging synchronous
length 0
full-help
transport preferred none
transport input ssh
transport output all
===========================================================================
Comments
-
DCD Member Posts: 475 ■■■■□□□□□□
Lines 2 and 3 let you log into the device if you have the right username and password. Lines 4 to 7 tell you which commands you can use and which privilege mode you are set to. Lines 8 to 10 are the accounting function for billing or security. The last one I don't know.
-
jude56g Member Posts: 107 ■■■□□□□□□□
I understand what lines 2 and 3 are supposed to do; I just don't understand why the login would be different between the console and VTY lines if the default method list is being used, i.e. the same method for both lines.
-
DCD Member Posts: 475 ■■■■□□□□□□
The console and VTY lines are separate connections, so their defaults are different. In console mode you can enter privileged mode without a password, but for the VTY lines you need to configure an enable password to enter privileged mode on the VTY lines. Second, the TACACS+ server, if you have one, sets your privileges and commands.
These are the two lines affecting the login differences.
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
If you can, show the username line in the config file and check the TACACS+ server settings.
Personally, I think it is set up backwards; I would have console mode start at privilege 15 and the VTY start at user mode.
-
jude56g Member Posts: 107 ■■■□□□□□□□
Hmm, I'm still confused. You say that the VTY and CON are different so their defaults are different; where would this be defined?
-
DCD Member Posts: 475 ■■■■□□□□□□
Quoting jude56g: Hmm, I'm still confused. You say that the VTY and CON are different so their defaults are different; where would this be defined?
You're going to have to look at your tacacs+ server configuration
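Added example, not code from anyone in this thread: a small Python audit of the config posted above, written from the defender's side. It encodes the IOS rule that matters for the question (AAA exec authorization is not applied to the console line unless `aaa authorization console` is configured, so a console login falls back to the line's default privilege while a VTY login takes the `priv-lvl` the TACACS+ server returns) and flags two line-level hygiene points that are visible in the posted config (`exec-timeout 0 0` on the VTYs and a type 7 line password). The `starting_privilege` function is a deliberately simplified model of that one rule: it assumes the TACACS+ server answers exec authorization with `priv-lvl 15` (consistent with the poster landing in priv 15 over SSH) and that no `privilege level` command is set on the lines, neither of which is shown on the page. The embedded config is a copy of the one posted, with the redacted password placeholder kept as-is.

```python
"""Audit an IOS-style AAA/line config for the console-vs-VTY privilege mismatch
discussed in the thread, plus two line hygiene findings. Added example only."""

# Constructed copy of the config posted in the thread (password placeholder kept).
POSTED_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
line con 0
exec-timeout 4320 0
logging synchronous
transport output all
stopbits 1
line vty 0 4
access-class 98 in
exec-timeout 0 0
password 7 <########>
logging synchronous
length 0
full-help
transport preferred none
transport input ssh
transport output all
"""


def parse_config(text):
    """Split a config into global statements and per-line blocks.

    A line block runs from a 'line ...' statement to the next one; the posted
    config is not indented, so indentation is not relied on. Separator rows
    ('===') and comments ('!') are skipped.
    """
    global_stmts, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        stmt = raw.strip()
        if not stmt or stmt.startswith("!") or stmt.startswith("="):
            continue
        if stmt.startswith("line "):
            current = stmt[5:]          # e.g. "con 0", "vty 0 4"
            line_blocks[current] = []
        elif current is not None:
            line_blocks[current].append(stmt)
        else:
            global_stmts.append(stmt)
    return global_stmts, line_blocks


def audit_aaa(text):
    """Return a list of (code, where, message) findings for the config."""
    global_stmts, line_blocks = parse_config(text)
    findings = []

    has_exec_authz = any(s.startswith("aaa authorization exec ") for s in global_stmts)
    has_console_authz = "aaa authorization console" in global_stmts
    if has_exec_authz and not has_console_authz:
        findings.append((
            "CONSOLE_AUTHZ_SKIPPED", "global",
            "aaa authorization exec is configured but 'aaa authorization console' is "
            "not: IOS does not run exec authorization on the console, so console "
            "sessions start at the line default (privilege 1) while VTY sessions "
            "take the TACACS+ priv-lvl."))

    for name, stmts in line_blocks.items():
        where = "line " + name
        if name.startswith("vty") and "exec-timeout 0 0" in stmts:
            findings.append(("VTY_NO_IDLE_TIMEOUT", where,
                             "exec-timeout 0 0 disables the idle timeout on remote sessions."))
        if any(s.startswith("password 7 ") for s in stmts):
            findings.append(("TYPE7_LINE_PASSWORD", where,
                             "type 7 line password is reversibly encoded; under aaa "
                             "new-model it is not used for login on this line anyway."))
    return findings


def starting_privilege(line_kind, text, tacacs_priv_lvl):
    """Simplified model (assumption, not an IOS implementation) of the privilege a
    user lands at after login: 'con' or 'vty', given the config and the priv-lvl
    the TACACS+ server is assumed to return on exec authorization."""
    global_stmts, _ = parse_config(text)
    has_exec_authz = any(s.startswith("aaa authorization exec ") for s in global_stmts)
    has_console_authz = "aaa authorization console" in global_stmts
    if not has_exec_authz:
        return 1                      # no exec authorization: line default privilege
    if line_kind == "con" and not has_console_authz:
        return 1                      # exec authorization skipped on the console
    return tacacs_priv_lvl            # server-assigned priv-lvl applied to the session


if __name__ == "__main__":
    for code, where, msg in audit_aaa(POSTED_CONFIG):
        print(f"[{code}] {where}: {msg}")
    print("console ->", starting_privilege("con", POSTED_CONFIG, 15))
    print("vty     ->", starting_privilege("vty", POSTED_CONFIG, 15))
```

Running it over the posted config reports the console/VTY mismatch as the first finding and models console as privilege 1 versus VTY as 15; prepending `aaa authorization console` to the same config clears that finding and makes both line types land at the server-assigned level.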