Confused Between Different Types Of Login
foreverlearning (Member, 42 posts)
Is console a type of local login?
What is the difference between "line vty login local" and "aaa local-user"?
Basically I am confused between these 3 types of login methods:
1) console
2) line vty login local
3) aaa local user login
They all seem "local" to me.
I can't tell the difference.
Comments
TechGromit (Member, 2,156 posts):
1) console
You have to be physically "local" to the switch to log in via a console cable.
2) line vty login local
This allows IP connections to connect via ethernet; you can be in China and still connect, but you're using the local username and password to access the switch.
3) aaa local user login
This allows IP connections to connect via ethernet; you can be in China and still connect, but you're using the local username and password to access the switch. This is very important to set up if you're using an authentication server: without this line, you can lock yourself out of the switch if your authentication server is down, or the switch loses connection to the network. Recovery would require local access, a console cable, and rebooting the switch into rommon mode.
Still searching for the corner in a round room.
foreverlearning (Member, 42 posts), quoting TechGromit's reply above:
I am still confused because this statement is repeated for both "line vty login local" and "aaa local user login":
"This allows IP connections to connect via ethernet; you can be in China and still connect, but you're using the local username and password to access the switch."
If so, what is the difference between them?
TechGromit (Member, 2,156 posts):
foreverlearning said:
"I am still confused because this statement is repeated for both "line vty login local" and "aaa local user login":"

line vty login local - this allows a virtual remote session via ethernet. This is where you can telnet to the switch from anywhere on your network, or outside your network via a VPN. You're using the local username and password to log in.

aaa local user login - this allows a virtual remote session via ethernet, but only if the aaa server isn't reachable. If the aaa server is available, your account on either a TACACS or RADIUS server will be used. You're using the local username and password to log in, but this local account is disabled if the aaa server is available / reachable.

Preferably ssh should be used to access the switch remotely. If you use ssh, you must add the following lines to your config:
ip ssh version 2
crypto key generate rsa modulus XX   (XX = a number; can be 512, 1024, 2048, etc.)
line vty 0 15
access-class acl-vty-session in
transport input ssh
(This restricts up to 16 virtual sessions to only allow ssh remote connections. Yes, you can have 16 simultaneous management connections to one switch; not really sure why this level of support is provided.)
Still searching for the corner in a round room.
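Putting the three login paths from this thread side by side in one IOS configuration, as an added example (not config posted by anyone in the thread); the hostname, the admin account, the addresses 192.0.2.10 and 198.51.100.0/24, and the ACL name MGMT-ONLY are assumptions.

```cisco
! Added example (not from the thread): the three login paths the replies
! describe, on one IOS switch. Assumptions: admin account, placeholder
! addresses 192.0.2.10 / 198.51.100.0/24, and ACL name MGMT-ONLY are mine.
hostname SW1
ip domain-name example.net
! One local account; used by "login local" and as the AAA fallback.
username admin privilege 15 secret <local-password>
!
! 1) Console: physical access only, but still ask for the local account.
line con 0
 login local
 exec-timeout 10 0
!
! Prefer SSH to telnet. The key is generated in privileged EXEC mode, not
! config mode; 512/1024-bit moduli are too weak today, use 2048 or larger.
! crypto key generate rsa modulus 2048
ip ssh version 2
ip access-list standard MGMT-ONLY
 permit 198.51.100.0 0.0.0.255
 deny any log
!
! 2) vty "login local": remote session, local username/password, SSH only.
line vty 0 15
 access-class MGMT-ONLY in
 transport input ssh
 login local
!
! 3) AAA with local fallback. Once "aaa new-model" is on, "login local" on
! the lines is replaced by a method list; "local" at the END of the list is
! what keeps you out of rommon recovery if every TACACS+ server is unreachable.
! Note: local is tried only when no server answers, NOT when a server
! rejects the credentials.
aaa new-model
tacacs server TAC1
 address ipv4 192.0.2.10
 key <shared-secret>
aaa authentication login default group tacacs+ local
line con 0
 login authentication default
line vty 0 15
 login authentication default
```

Variants 2 and 3 are alternatives: apply the `login local` lines without `aaa new-model`, or the AAA block instead, not both.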
foreverlearning (Member, 42 posts), quoting TechGromit's reply above.