AAA Authentication Question

jude56gjude56g Member Posts: 107 ■■■□□□□□□□
Is there anyone who can help me make sense of this config?

When I log in I'm always prompted for a username/password.
When I authenticate via the VTY, I'm placed in priv15.
When I authenticate via the console I'm placed in user mode.
I'm using the default method list so I would expect that the same rules would apply to the VTY & Console lines.

What gives?

Config is below.
===========================================================================
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
===========================================================================
line con 0
exec-timeout 4320 0
logging synchronous
transport output all
stopbits 1
line vty 0 4
access-class 98 in
exec-timeout 0 0
password 7 <########>
logging synchronous
length 0
full-help
transport preferred none
transport input ssh
transport output all
===========================================================================

Comments

  • DCDDCD Member Posts: 473 ■■■■□□□□□□
    Lines 2 and 3 let you log into the device if you have the right username and password. Lines 4 to 7 tell you what commands you can use and which privilege mode you are set to. Lines 8 to 10 are the accounting function for billing or security. The last one I don't know.
  • jude56gjude56g Member Posts: 107 ■■■□□□□□□□
    I understand what lines 2 and 3 are supposed to do; I just don't understand why the login would be different between the console and VTY lines if the default method list is being used (i.e. the same method for both lines).
  • DCDDCD Member Posts: 473 ■■■■□□□□□□
    The console and VTY lines are separate connections, so their defaults are different. In console mode you can enter privileged mode without a password, but for the VTY lines you need to configure an enable password to enter privileged mode. Second, the TACACS+ server, if you have one, sets your privileges and commands.

    These are the two lines affecting the login differences.
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    If you can, show the username line in the config file and check the TACACS+ server settings.

    Personally I think it is set up backwards; I would have console mode start at privilege 15 and the VTY start at user mode.
  • jude56gjude56g Member Posts: 107 ■■■□□□□□□□
    Hmm, I'm still confused. You say that the VTY and CON are different so their defaults are different; where would this be defined?
  • jude56gjude56g Member Posts: 107 ■■■□□□□□□□
    Can anyone help me sort this out?
  • DCDDCD Member Posts: 473 ■■■■□□□□□□
    jude56g wrote: »
    Hmm, I'm still confused. You say that the VTY and CON are different so their defaults are different; where would this be defined?

    You're going to have to look at your TACACS+ server configuration.
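The thread never shows the TACACS+ side, so the following is an added illustration, not code or configuration from the original post or from anyone in it. It is a small Python model of the IOS behaviour that produces exactly the symptoms described: both lines prompt for a username and password because they share the `aaa authentication login default` list, but the privilege level you land in is decided by the `aaa authorization exec default` list, and IOS does not run AAA authorization on the console at all unless `aaa authorization console` is configured (a real IOS command that is absent from the posted config). The sample config is the thread's own AAA section; the assumption that the TACACS+ server returns a `priv-lvl` of 15 in its exec authorization reply is mine, as is the simplification that a local `username ... privilege N` override is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the AAA section of the configuration posted in the thread.
THREAD_AAA_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
"""


@dataclass
class TacacsExecReply:
    """Assumed outcome of the exec authorization request sent to the TACACS+ server."""
    reachable: bool = True   # the server answered at all
    permitted: bool = True   # the server returned PASS rather than FAIL
    priv_lvl: int = 1        # value of the 'priv-lvl' attribute in the reply (assumed)


def parse_aaa(config_text: str) -> dict:
    """Pick out the handful of AAA statements that decide login and initial privilege."""
    lines = {ln.strip() for ln in config_text.splitlines() if ln.strip()}
    return {
        "new_model": "aaa new-model" in lines,
        "login_default": any(ln.startswith("aaa authentication login default") for ln in lines),
        "exec_authz": next((ln for ln in lines if ln.startswith("aaa authorization exec default")), None),
        # Console authorization is off by default in IOS; this statement turns it on.
        "authz_console": "aaa authorization console" in lines,
    }


def landing_privilege(config_text: str, line_type: str, reply: TacacsExecReply) -> Optional[int]:
    """Privilege level a successfully authenticated user starts in on 'console' or 'vty'.

    Returns None when exec authorization denies the session outright.
    """
    aaa = parse_aaa(config_text)
    if not (aaa["new_model"] and aaa["login_default"]):
        return 1  # legacy line login; AAA is not consulted at all
    if line_type == "console" and not aaa["authz_console"]:
        return 1  # console skips the exec authorization list entirely, so priv-lvl is never seen
    method = aaa["exec_authz"]
    if method is None:
        return 1  # no exec authorization list: default user EXEC
    if reply.reachable:
        # The server's verdict and its priv-lvl attribute decide the starting mode.
        return reply.priv_lvl if reply.permitted else None
    # Server unreachable: 'if-authenticated' lets an authenticated user in at user EXEC.
    return 1 if method.endswith("if-authenticated") else None


if __name__ == "__main__":
    server_says_15 = TacacsExecReply(priv_lvl=15)
    print("vty     ->", landing_privilege(THREAD_AAA_CONFIG, "vty", server_says_15))
    print("console ->", landing_privilege(THREAD_AAA_CONFIG, "console", server_says_15))
    with_console_authz = THREAD_AAA_CONFIG + "aaa authorization console\n"
    print("console (authz on) ->", landing_privilege(with_console_authz, "console", server_says_15))
```

Run as-is it reports 15 for the VTY and 1 for the console with the posted config, and 15 on the console once `aaa authorization console` is added. From a defender's view the VTY result is the expected one: privilege is set centrally by the TACACS+ policy rather than by a shared enable secret, and the `if-authenticated` keyword is what keeps you from being locked out when the server is down, at the cost of granting user EXEC without a policy check in that case.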