AAA Authentication Question

Is there anyone who can help me make sense of this config?

When I log in I'm always prompted for a username/password.
When I authenticate via the VTY, I'm placed in priv15.
When I authenticate via the console I'm placed in user mode.
I'm using the default method list so I would expect that the same rules would apply to the VTY & Console lines.

What gives?

Config is below..
===========================================================================
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
===========================================================================
line con 0
exec-timeout 4320 0
logging synchronous
transport output all
stopbits 1
line vty 0 4
access-class 98 in
exec-timeout 0 0
password 7 <########>
logging synchronous
length 0
full-help
transport preferred none
transport input ssh
transport output all
===========================================================================

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

DCD

Lines 2 and 3 lets you log you into the device if you have the right username and password. Lines 4 to 7 tell you what command you can uses and which privilege mode set too. Lines 8 to 10 is the accounting function for billing or security. The last one I don't know.

jude56g

I understand what lines 2 and 3 are supposed to do; I just don't understand why the login would be different between the console and vty lines if the default method list is being used i.e. (same method for both lines)

DCD

The console and VTY line are separate connection so there defaults are different. In console mode you can enter privileged mode without a password but for the VTY lines you need to configure an enable password to enter the privileged mode on the VTY lines. Second the TACACS+ server if you have one sets you privileges and commands.

These are the two lines affecting the login differences.
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
If you can show the username line in the config file and check the TACACS+ server settings.

Personally I think it set up backwards I would have console mode start at privileged 15 and the VTY start a user mode.

jude56g

Hmm, I'm still confused. You say that the VTY and CON are different so their defaults are different; where would this be defined?

jude56g

Can anyone help me sort this out?

DCD

jude56g wrote: »

Hmm, I'm still confused. You say that the VTY and CON are different so their defaults are different; where would this be defined?

You're going to have to look at your tacacs+ server configuration