[c-nsp] TACACS+ for console problem

Jay Hennigan jay at west.net
Mon May 31 03:53:28 EDT 2010


On 5/30/10 9:17 PM, ambedkar wrote:

> After searching on the internet, I got one solution that says to use the named list as below.
> 
> aaa authentication login CONSOLE line
> &
> 
> line con 0
> password cisco
> login authentication CONSOLE.
> 
> With this configuration, I am able to log in to the switch, but it is taking the console password instead of the line password which is defined in the command.

The word "line" in that command means that it will use the password
defined for that line (in this case con 0, which is "cisco").  You could
have a different line password for the VTY if you choose.

> Then, I have tested the command:
> aaa authentication login CONSOLE none.
> 
> Which means no authentication required, but it is still asking for the password, which is the console password.

Try "no login" on the console line configuration if you want this
behavior.

> Then I have removed aaa commands from config mode and line console mode.
> I have used only console password. Still it is working, then what is the significance of aaa commands for console?

The significance is the same as for vty lines.  If physical access to
the device and its console port is secure, many people will use local
(username and password) or line (password only) authentication for the
console so that they can configure and/or troubleshoot the box locally
if the TACACS server is unreachable or misbehaving.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
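
An added example, not part of the original post: a small Python check that works out which login methods apply to `line con 0` in a saved config and flags the two cases discussed in this thread (a `none` method, and TACACS+ with no local fallback). The sample config, the function names and the simplified model (only `aaa new-model`, `aaa authentication login`, `login authentication`, `login`, `login local` and `no login` are interpreted) are assumptions made for illustration.

```python
import re

# Constructed sample running-config (not from the original thread).
SAMPLE = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login CONSOLE line
line con 0
 password cisco
 login authentication CONSOLE
"""

def parse(config):
    """Return (aaa_enabled, method_lists, console_block_lines)."""
    aaa, lists, con, in_con = False, {}, [], False
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] not in (" ", "\t"):   # a top-level command closes the block
            in_con = line.startswith("line con 0")
        elif in_con:
            con.append(line)
        aaa = aaa or line == "aaa new-model"
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m:
            lists[m.group(1)] = m.group(2).replace("group ", "").split()
    return aaa, lists, con

def console_methods(config):
    """Ordered login methods applied to con 0, or None if not stated."""
    aaa, lists, con = parse(config)
    if aaa:   # named list on the line, otherwise the list called "default"
        name = next((l.split()[-1] for l in con
                     if l.startswith("login authentication ")), "default")
        return lists.get(name)
    for cmd, method in (("no login", "none"), ("login local", "local"), ("login", "line")):
        if cmd in con:
            return [method]
    return None

def console_findings(config):
    methods = console_methods(config)
    if methods is None:
        return ["console login method not stated in this config"]
    findings = []
    if "none" in methods:
        findings.append("console login can succeed without a password")
    if "tacacs+" in methods and not {"local", "local-case", "line", "enable"} & set(methods):
        findings.append("no local fallback if the TACACS+ server is unreachable")
    return findings
```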

