
telnet not working after aaa new-model command

Apr 3, 2003
I have asked this question before and have yet to resolve it. I first noticed this when I set up a 2600 to act as a VPN server. Before I configured this router I had vty line access with the login local command. After the VPN configuration the router disabled login local and will not let me reapply it; as a matter of fact it will not let me apply any login command to the vty line, hence I no longer have telnet access to this router. I worked on this a little on a test router and determined that as soon as I run the aaa new-model command this vty issue occurs. Not a big deal because I can VPN to this network and run VNC on a machine that has the console cable hooked up, but I still want to understand why it is doing this.
Thanks for your time.

"I hear and I forget. I see and I remember. I do and I understand."
- Confucius (551 BC - 479)
 
When you enable aaa new-model the command 'login authentication default' gets applied to the vty lines. If this isn't defined, or is defined but set so it won't work for login, then it will screw things up. Add the following to your config:

aaa authentication login default local
aaa authentication enable default enable

This should restore the original behaviour with local login (users defined in global config) and the locally configured enable password or secret.

HTH

Andy
 
You've sort of answered your own question. The "login local" command is unavailable once you configure AAA. If you want to have similar functionality, configure a local AAA database, e.g. "username foo password bar". Then, configure AAA authentication to look at your local database.

HTH,
John
 
Hey ADB100, I applied your commands and now when I telnet to the router the locally defined username and password get me to the router> prompt, but when I run the enable command I get back % Error in authentication. What else do I need to do?

 
I don't think you need anything else. It may be an authorisation issue? Try this:

aaa authorization exec default if-authenticated

If that doesn't work then I would suggest a debug to see what the router's doing when you try to enter enable:

debug aaa authentication
debug aaa authorization

HTH

Andy
 
This is happening because you have this configured:

aaa authentication enable default enable

That instructs the router to use the default AAA scheme when someone tries to enter enable mode. Do you actually want AAA to handle enable mode authentication? If not, remove that line and you'll be able to use the enable secret or enable password to get into enable mode.
 
Actually the line:

aaa authentication enable default enable

means that if you attempt to get to enable mode it uses the enable password/secret. If it was set to something like:

aaa authentication enable default group tacacs+

then it would attempt to use the configured TACACS+ servers.

router(config)#aaa authentication enable default ?
enable Use enable password for authentication.
group Use Server-group
line Use line password for authentication.
none NO authentication.

Andy
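Putting Andy's and John's replies together, here is an added example (not posted in the thread) of a minimal IOS configuration that restores local vty login after aaa new-model and keeps the locally configured enable secret working. The username, the secrets and the 192.0.2.0/24 management subnet are placeholders.

```cisco
! Added example, not from the thread. Username, secrets and the
! management subnet are placeholders.
!
! 1. Create the local user database BEFORE enabling AAA. Once
!    "aaa new-model" is on, every line (console included) uses the
!    "default" login list, so an empty database locks you out.
username admin privilege 15 secret EXAMPLE-USER-SECRET
enable secret EXAMPLE-ENABLE-SECRET
!
! 2. Turn on the new AAA model. This silently replaces "login local"
!    on the vty lines with "login authentication default".
aaa new-model
!
! 3. Define the "default" lists the lines now reference.
!    login  -> check the local username database
!    enable -> use the locally configured enable secret/password
aaa authentication login default local
aaa authentication enable default enable
!
! 4. Optional: give an authenticated user an exec shell; a
!    privilege-15 user then lands directly at the # prompt.
aaa authorization exec default local
!
! 5. The vty lines need no "login" command of their own any more;
!    the default list applies. Limit remote access to the management
!    subnet and allow SSH where the image supports it.
ip access-list standard MGMT-ACL
 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class MGMT-ACL in
 transport input telnet ssh
 exec-timeout 10 0
!
! To watch what AAA does during a login or enable attempt, use the
! debugs Andy suggested:
!   debug aaa authentication
!   debug aaa authorization
```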
 
Oh, yep, you're right. I was reading it wrong. I shouldn't be answering questions in the morning before I've had any coffee. :)
 