Configure local authentication with AAA

This should be a no-brainer for anyone preparing for the CCIE lab exam (I'll not elaborate why, but you could guess), but here it is for the benefit of everyone else: if you want to enable AAA on Cisco IOS but still retain local usernames (at least for console access), this is how you do it:

  • Define local usernames with the username xxx password yyy command (I would prefer username xxx secret yyy if your IOS supports it).
  • Configure aaa new-model.
  • Configure a named AAA authentication list with the aaa authentication login MyList local command.
  • Attach the named AAA authentication list to the console line with the login authentication MyList command.
If you want to use the local usernames only as a fallback in case the AAA servers fail or become unreachable, use the aaa authentication login MyList group [radius|tacacs+|name] local command instead.
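As an added check (not part of the original post), a short Python script that parses the relevant lines of an IOS configuration and reports whether console login keeps a local fallback once the AAA servers are unreachable; the two sample configurations and the PLACEHOLDER secret are constructed for the example.

```python
import re
# Constructed sample IOS configurations (not taken from any real device).
# Named list with local fallback, attached to the console as the post describes.
SAFE_CONFIG = """\
username admin secret PLACEHOLDER
aaa new-model
aaa authentication login MyList group tacacs+ local
line con 0
 login authentication MyList
"""
# Default list with servers only: with the TACACS+ servers unreachable nobody
# can authenticate on the console, which is the lockout from the comments.
LOCKOUT_CONFIG = """\
username admin secret PLACEHOLDER
aaa new-model
aaa authentication login default group tacacs+
line con 0
"""

def parse_login_lists(config):
    """Map each 'aaa authentication login NAME ...' line to its method tokens.
    IOS tries methods in order and moves on only when a method errors out
    (servers unreachable), not when it rejects the credentials."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)$", line.strip())
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists

def console_login_list(config):
    """Return the list attached to 'line con 0'; IOS applies 'default' if none."""
    in_console = False
    for line in config.splitlines():
        if line.startswith("line "):
            in_console = line.startswith("line con")
        elif in_console:
            m = re.match(r"login authentication (\S+)", line.strip())
            if m:
                return m.group(1)
    return "default"

def console_has_local_fallback(config):
    """True if console login can still succeed with every AAA server down.
    Without 'aaa new-model' the AAA check does not apply (returns True);
    a referenced but undefined list counts as having no proven fallback."""
    if "aaa new-model" not in [ln.strip() for ln in config.splitlines()]:
        return True
    methods = parse_login_lists(config).get(console_login_list(config), [])
    return "local" in methods or "local-case" in methods
```

Run it against a saved show running-config before enabling aaa new-model on a production box; the lockout case is exactly what the commenters below ran into.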

Note: this article is part of the You've asked for it series.

5 comments:

Nick Walton said...

If you use the default list you don't have to make any changes to the Console or VTY lines. They will automatically use the default aaa list. For example:

aaa new-model
aaa authentication login default local

You can also use this in your corporate network:

aaa new-model
aaa authentication login default group TACACS+ local

No passwords on lines, no authentication commands on lines. Nice and clean.

Anonymous said...

If I have two local users and want to restrict one of them to telnet access, how can I do that?

Ali Murtaza Solangi said...

I mistakenly configured an AAA client (Cisco Catalyst 3560) without
aaa authentication login default group tacacs+ LOCAL
and a local username and password exist on the device, but now I cannot access that switch,
neither through remote access nor through the console port.
So is there any way to recover the password for that switch?

Thanks in advance

Ivan Pepelnjak said...

The first link will probably give you what you need:

http://www.google.com/search?q=catalyst+3560+recover+password

JoAnn said...

When you configure aaa authentication login MyList local, does the Radius server have to be configured with the group name "MyList" also? In addition, I have aaa configured as:
radius-server host 111.111.111.111
radius-server host 222.222.222.222
radius-server key PASSWORDXXXXXXXXXXXXXXXXXX
aaa new-model
aaa authentication login default radius local

With these configs in place and the necessary configs on the server, I am able to log into the devices via ssh but can no longer console into devices locally. Do I need to add:
Line con 0
login auth default

Will this allow me to log in via the console port and authenticate via radius if necessary?
Also, I have an emergency username configured at priv level 0 with a secret. If AAA fails, will I still be able to access the device, as login local is no longer an option under line con 0 since aaa has been configured?

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.