Enabling AAA New-Model Must Know

Hello Followers,

I received an email from a Cisco user that goes as follows:

Can you use the password configured on a VTY line as the method of authentication when AAA is enabled??

Here is the answer:

A/ Yes, this can be done and it’s in fact a best practice if you enable AAA authentication on a device but you do not want to use any authentication method-list for the VTY lines or Console ones.

Example:

Let’s say we enabled AAA on our router as we are planning to configure dot1x authentication in our network.

aaa new-model

aaa authentication dot1x test group radius

Cool, we just enabled aaa new-model but what’s up with that?

In the background a few things will happen:

As soon as we enable aaa-new model, all of the lines (except for the console) will start using local authentication even if you have a password set into the vty lines.

For example:

What if we do not have a username or password defined?

Well.. you will not be able to login without one!

So when you enable aaa new-model make sure you have a username and password locally defined or make sure you are not going to authenticate the VTY lines (and if you have a password on them make sure the password on the line is used for the authentication method).

Let’s cover both options here:

1)Using no authentication for the lines:

aaa authentication login default none

line vty 0 4
login authentication default

2)Using the line password as the authentication mechanism

aaa authentication login default line

line vty 0 4
password cisco

That’s it!!

iNetworks