AAA Problem with User-Based Login to Cisco Router

  • AAA Problem with User-Based Login to Cisco Router

    I'm having trouble trying to set up my router so I can know who logs in and set privilege levels for certain users.

    I can log in with both username tsignal32 and tsignal33. However, every time I telnet into my router using the username tsignal33, the user is supposed to connect via vty line 1 with only privilege level 3.

    Unfortunately, tsignal33 is connecting via vty 0 with privilege level 15.

    I can log on to tsignal32 via vty 0 with privilege level 15 successfully.

    I guess I did not configure aaa new-model correctly when I configured tsignal32 with line vty 0, and tsignal33 with line vty 1.

    Below is the reference, and my router's running-config:


    http://articles.techrepublic.com.com...0-1055545.html




    Username: tsignal33
    Password:

    Router#sh user
    Line User Host(s) Idle Location
    * 66 vty 0 tsignal33 idle 00:00:00 192.168.2.18

    Interface User Mode Idle Peer Address

    Router#sh privilege
    Current privilege level is 15
    Router#sh runn
    Building configuration...

    Current configuration : 1233 bytes
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname Router
    !
    aaa new-model
    aaa authentication login user-list local
    enable secret 5 $1$AS6E$8ROsj/chEcjKjIW87YLfT/
    !
    username tsignal32 privilege 15 password 7 04580A040324484F1E1E
    username tsignal33 privilege 3 password 7 134F5D310A011406242A2F6261
    ip subnet-zero
    !
    !
    !
    call rsvp-sync
    !
    !

    interface Ethernet0/0
    description WAN
    ip address 192.168.4.221 255.255.255.0
    ip nat outside
    full-duplex
    !
    interface Ethernet0/1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    full-duplex
    !
    ip nat pool OVRLD 192.168.4.221 192.168.4.221 prefix-length 24
    ip nat inside source list 7 pool OVRLD overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Ethernet0/0
    ip http server
    !
    access-list 7 permit 192.168.1.0 0.0.0.255
    !
    dial-peer cor custom
    !
    !

    privilege configure level 15 config
    privilege configure level 3 ntp
    !
    line con 0
    password 7 130616100709002B3C23
    line aux 0
    line vty 0
    privilege level 15
    password 7 110A18071B170F0D132D
    login authentication user-list
    line vty 1
    privilege level 3
    password 7 110A18071B170F0D132D
    login authentication user-list
    line vty 2 4
    password 7 110A18071B170F0D132D
    !
    end

    Router#

  • #2
    Re: AAA Problem with User-Based Login to Cisco Router

    Hi tsignal32

    To achieve your objective, run the following commands:

    In Global Config Mode:
    no aaa new-model
    no aaa authentication login user-list local
    no privilege configure level 15 config


    Under line vty 0
    no privilege level 15
    no login authentication user-list
    login local

    Under line vty 1
    no privilege level 3
    no login authentication user-list
    login local

    Under line vty 2 4
    login local

    I am not sure what is happening with the aaa configuration, but with the configuration shown here you will achieve what you want.

    User tsignal33 will be automatically placed into privilege level 3 when he logs on:

    R2#telnet 172.16.4.1
    Trying 172.16.4.1 ... Open


    User Access Verification

    Username: tsignal33
    Password:
    R1#sh priv
    Current privilege level is 3
    R1#


    User tsignal32 will be automatically placed into privilege level 15 when he logs on:

    R2#telnet 172.16.4.1
    Trying 172.16.4.1 ... Open


    User Access Verification

    Username: tsignal32
    Password:
    R1#sh priv
    Current privilege level is 15
    R1#


    Tested this using IOS 12.2 on a 7206VXR in dynamips.


    HTH


    Best Regards,

    Michael

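The exchange above comes down to two IOS behaviours: vty lines are handed out in order to whichever session arrives next, so a privilege level set under line vty 0 is granted to whoever lands on that line, and under aaa new-model the privilege in a username entry is only applied to the exec session when an exec authorization method is configured (aaa authorization exec default local is a standard IOS command; the thread itself does not mention it). The following Python lint is an added example, not code from this thread or from Cisco: it parses a running-config in the flush-left form shown in the first post and flags both conditions. The three configs are constructed from the first post with the password strings replaced by placeholders; the third keeps AAA and adds exec authorization as the alternative fix.

```python
"""Lint a Cisco IOS running-config for the per-user privilege problem in
this thread. Added example, not code from the thread or from Cisco."""
import re

# Constructed samples modelled on the first post; password-7 strings and
# secrets are replaced by PLACEHOLDER.
BROKEN_CONFIG = """\
aaa new-model
aaa authentication login user-list local
username tsignal32 privilege 15 password 7 PLACEHOLDER
username tsignal33 privilege 3 password 7 PLACEHOLDER
line con 0
password 7 PLACEHOLDER
line vty 0
privilege level 15
password 7 PLACEHOLDER
login authentication user-list
line vty 1
privilege level 3
password 7 PLACEHOLDER
login authentication user-list
line vty 2 4
password 7 PLACEHOLDER
end
"""

# Michael's fix: no AAA, 'login local' on every vty, no line-level privilege.
FIXED_NO_AAA = """\
username tsignal32 privilege 15 password 7 PLACEHOLDER
username tsignal33 privilege 3 password 7 PLACEHOLDER
line vty 0 4
password 7 PLACEHOLDER
login local
end
"""

# Alternative that keeps AAA (not from the thread): exec authorization
# against the local database makes the username privilege levels apply.
FIXED_WITH_AAA = """\
aaa new-model
aaa authentication login user-list local
aaa authorization exec default local
username tsignal32 privilege 15 password 7 PLACEHOLDER
username tsignal33 privilege 3 password 7 PLACEHOLDER
line vty 0 4
password 7 PLACEHOLDER
login authentication user-list
end
"""


def parse_config(text):
    """Return username privileges, per-line settings and the AAA flags.
    Sub-commands are matched by keyword, so it does not matter whether the
    config keeps IOS's one-space indentation or is flush-left as on the page."""
    cfg = {"usernames": {}, "lines": {}, "aaa_new_model": False,
           "aaa_authz_exec": False}
    current = []  # line keys that the following sub-commands apply to
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s in ("!", "end"):
            current = []
            continue
        m = re.match(r"username (\S+)(?: privilege (\d+))?", s)
        if m:  # a username without 'privilege' defaults to level 1
            cfg["usernames"][m.group(1)] = int(m.group(2) or 1)
            continue
        if s == "aaa new-model":
            cfg["aaa_new_model"] = True
            continue
        if s.startswith("aaa authorization exec"):
            cfg["aaa_authz_exec"] = True
            continue
        m = re.match(r"line (con|aux|vty) (\d+)(?: (\d+))?$", s)
        if m:  # 'line vty 2 4' opens vty 2, 3 and 4 at once
            first = int(m.group(2))
            last = int(m.group(3)) if m.group(3) else first
            current = [f"{m.group(1)} {n}" for n in range(first, last + 1)]
            for key in current:
                cfg["lines"].setdefault(key, {"privilege": None, "login": None})
            continue
        m = re.match(r"privilege level (\d+)$", s)
        for key in current:
            attrs = cfg["lines"][key]
            if m:
                attrs["privilege"] = int(m.group(1))
            elif s == "login local":
                attrs["login"] = "local"
            elif s.startswith("login authentication "):
                attrs["login"] = s.split()[-1]
            elif s == "login":
                attrs["login"] = "line-password"
            # password, exec-timeout and other sub-commands are ignored
    return cfg


def lint(text):
    """Return human-readable findings; an empty list means nothing was found."""
    cfg = parse_config(text)
    findings = []
    lowest = min(cfg["usernames"].values(), default=1)
    for key in sorted(cfg["lines"]):
        if not key.startswith("vty"):
            continue
        attrs = cfg["lines"][key]
        if attrs["privilege"] is not None and attrs["privilege"] > lowest:
            findings.append(f"{key}: 'privilege level {attrs['privilege']}' goes to "
                            f"whoever lands on this line; vty lines are assigned "
                            f"in order, so a level-{lowest} user can get it")
        if not cfg["aaa_new_model"] and attrs["login"] != "local":
            findings.append(f"{key}: login={attrs['login']} does not consult the "
                            f"username table, so per-user privilege cannot apply")
    if cfg["aaa_new_model"] and not cfg["aaa_authz_exec"]:
        findings.append("aaa new-model without 'aaa authorization exec': the exec "
                        "privilege comes from the line, not the username entry")
    return findings


if __name__ == "__main__":
    for name, cfg_text in [("broken", BROKEN_CONFIG), ("fixed, no AAA", FIXED_NO_AAA),
                           ("fixed, with AAA", FIXED_WITH_AAA)]:
        print(f"== {name} ==", *(lint(cfg_text) or ["no findings"]), sep="\n  ")
```

Run against the first post's config the lint reports two findings (the line-level privilege 15 on vty 0 and the missing exec authorization); both corrected configs come back clean. The check keys on the lowest privilege in the username table, so it still fires when more users are added later with a level below the one configured on a line.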


    • #3
      Re: AAA Problem with User-Based Login to Cisco Router

      Michael,

      Thanks for the input. It's working now. You have been very helpful, and patient with resolving my issues.

      I'm looking at standardizing the controlled access to large networks of Cisco Routers and Switches using Access Control Server (ACS) Software such as Cisco's ACS, CiscoSecure ACS or any other ACS software via AAA TACACS+. Do you know of any open source software other than those mentioned?

      I would like to use the reference below to achieve this, but it does not seem detailed enough:

      http://articles.techrepublic.com.com...ag=rbxccnbtr1#

      Any recommendations on this option?

      Thanks
      Tsignal32



      • #4
        Re: AAA Problem with User-Based Login to Cisco Router

        Hi There

        Can I ask if it is working with the "aaa" statements or without?

        If it is with the "aaa" statements, I would be interested to know what you had to do to get it to work.

        Afraid I can't really help with your question regarding open source ACS software. I do not have a lot of Cisco equipment where I work and the only method of access control in place is user access control.


        Best Regards,

        Michael



        • #5
          Re: AAA Problem with User-Based Login to Cisco Router

          Michael,

          It's working without AAA.

          Thanks for your help,
          tsignal32
