Adding users to local DB in a 2950

Network Guy: Any particular reason why it seems like I can only add a local user to a 2950 via the console line and not via vty?
I did aaa new-model and created a list that authenticates against the local switch database. If I add a user via console it works; if I do it via telnet, authentication fails.
Maybe I'm tired.
Reply to Network Guy: Can you put up the full config for review, Network Guy?
Regards
Network Guy: Here ya go...
Current configuration : 3979 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname HOMENET_MAIN
!
aaa new-model
aaa authentication login homenet_admins local
enable secret 5 xxx
!
username ocintron privilege 15 secret 5 xxx
ip subnet-zero
!
ip domain-name homenet.local
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/2
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/3
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/4
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/5
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/6
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/7
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/8
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/9
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/10
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/11
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/12
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/13
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/14
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/15
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/16
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/17
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/18
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/19
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/20
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/21
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/22
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/23
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface FastEthernet0/24
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet0/1
switchport access vlan 50
switchport mode access
shutdown
!
interface GigabitEthernet0/2
switchport access vlan 50
switchport mode access
shutdown
!
interface Vlan1
ip address 10.17.12.14 255.255.255.0
no ip route-cache
!
ip http server
!
line con 0
password 7 xxx
line vty 0 4
password 7 xxx
line vty 5 14
password 7 xxx
line vty 15
password 7 xxx
!
!
end
jh2010 (Brooklyn, NY), reply to Network Guy: What is the error message? Are you in enable mode when you try to add the users?
Network Guy: If I fire up a telnet connection as shown below...
User Access Verification
HOMENET_MAIN>en
Password:
HOMENET_MAIN#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HOMENET_MAIN(config)#username newuserviatelnet priv ?
<0-15> User privilege level
HOMENET_MAIN(config)#username newuserviatelnet priv 7 secret 0 newuserpass
HOMENET_MAIN(config)#exit
HOMENET_MAIN#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
HOMENET_MAIN#quit
Connection to host lost.
And attempt to logon as the newly created user specified in the prompts above, I get this...
User Access Verification
Username: newuserviatelnet
Password:
% Authentication failed.
Username:
If I add a different user via console cable and hyperterminal as shown below...
HOMENET_MAIN>en
Password:
HOMENET_MAIN#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HOMENET_MAIN(config)#username newuserviaconsole priv 7 secret 0 newuserpass
HOMENET_MAIN(config)#exit
HOMENET_MAIN#copy run start
Destination filename [startup-config]?
14:30:49: %SYS-5-CONFIG_I: Configured from console by console
Building configuration...
[OK]
HOMENET_MAIN#
And attempt to logon as the newly created user specified in the prompts above, the logon works as shown below.
User Access Verification
Username: newuserviaconsole
Password:
HOMENET_MAIN>
Same exact syntax; one fails, one succeeds. The only difference between the telnet session and the console session is the user prompt on logon. I use the same enable secret to configure the usernames and passwords I showed above.
Weird, huh?
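A check worth running before changing anything, added here as an example and not taken from the post: confirm which login list each line is actually bound to and what privilege level a session received. In the posted config, homenet_admins is defined but no line carries "login authentication homenet_admins", so every line is using the default list (with aaa new-model and no default list defined, IOS authenticates against the local database). The hostname and list name are the thread's; the commands are standard IOS, and no switch output is reproduced here.

```cisco
! Added example: verification commands for the AAA/line setup in this thread.
! Hostname and list name come from the posted config; nothing here is from the post.

! 1. Every "aaa authentication login <name> ..." list that is defined, and every
!    "login authentication <name>" that binds a list to a line.  A list that is
!    defined but never bound is unused; lines without a binding use "default".
HOMENET_MAIN# show running-config | include aaa|username|login

! 2. Per-line view: confirm the vty lines carry "login authentication homenet_admins".
!    Under aaa new-model this replaces the old "login" / "login local" line commands.
HOMENET_MAIN# show running-config | begin line con 0

! 3. Which line the current session is on (the "*" row) and the username it
!    authenticated as.
HOMENET_MAIN# show users

! 4. Level the current session holds.  With no exec authorization configured this
!    is 1 after login, whatever privilege the username entry carries.
HOMENET_MAIN# show privilege

! 5. Watch the failing login happen.  From a second host retry the telnet login;
!    the debug names the method list the vty line selected and whether the
!    LOCAL method returned PASS or FAIL.  Turn it off when done.
HOMENET_MAIN# terminal monitor
HOMENET_MAIN# debug aaa authentication
HOMENET_MAIN# undebug all
```

Step 5 answers the thread's open question directly: if the vty line picked the default list and LOCAL still reports FAIL for newuserviatelnet, the problem is the stored credential, not the list binding.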
jh2010, reply to Network Guy: You are missing the following
line vty 0 15
 login
Network Guy: Alright... Added the login param to the vty lines. No difference.
I guess I'm having a hard time figuring out how IOS knows to associate newuserviatelnet with the auth list homenet_admins. Or maybe I need to stop thinking like a Windows guy with respect to user accounts and security groups.
line vty 0 4
password 7 xxx
login authentication homenet_admins
line vty 5 14
password 7 xxx
login authentication homenet_admins
line vty 15
password 7 xxx
login authentication homenet_admins
!
!
end
Network Guy, reply to jh2010: Alright, I think I got it.
aaa authentication login method1 local is used simply to log in a user via vty to the switch or router using the local switch/router database. To access privileged commands, you'd still need to use the enable secret or set up aaa authorization.
Right?
Reply to Network Guy: Nobody?
ladino, reply to Network Guy: Yes, that is correct; you will need to specify authorization.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
line vty 0 15
password 7 xxx
privilege level 15
!
Network Guy, reply to ladino: Alright, but how do I associate a user with an authorization list for the pertinent exec permissions?
The only command that I think works for adding users is the one below, but this doesn't tie the user account to an authorization list.
username newuser priv 5 secret 0 newuserpass
So I suppose the way it works is: I would add a user and assign a privilege level. If the privilege level of this created user doesn't match or is lower than what is set on the interface, then the router denies access?
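How the pieces fit, with an added example configuration that is not from the thread: login authentication only decides whether the credentials are valid; it does not compare the user's privilege against anything on the line, so a level-5 user is not refused by a line. The privilege on the username entry takes effect at login only when exec authorization is configured; without it every user lands at level 1 and needs the enable secret. There is no command that ties a username to an authorization list: the list is bound to the line (login authentication / authorization exec), and the local method reads the privilege from the username entry. A blanket "privilege level 15" on the vty line, as in the earlier reply, is exactly what per-user levels are meant to replace, so it is left off here. Names reuse the thread's (HOMENET_MAIN, homenet_admins, ocintron); newuser and the secrets are placeholders.

```cisco
! Added example (not from the thread): 2950 AAA configuration that binds the named
! login list to the lines and lets each username's privilege level take effect.
! Names reuse the thread's; the secrets are placeholders to be replaced.
aaa new-model
!
! Credential check only: who you are, against the local username table.
aaa authentication login homenet_admins local
!
! Exec authorization is what applies "username ... privilege N" to the session.
! Without it every login lands at level 1 and must "enable" to go higher.
aaa authorization exec homenet_admins local
!
! Per-user levels live on the username entries, not on an authorization list.
! Keep "secret" (type 5 hash); "password" under service password-encryption
! is type 7, which is reversible obfuscation, not a hash.
username ocintron privilege 15 secret 0 REPLACE-ME-admin
username newuser  privilege 5  secret 0 REPLACE-ME-user
!
line con 0
 login authentication homenet_admins
!
line vty 0 15
 login authentication homenet_admins
 authorization exec homenet_admins
 ! No "privilege level 15" here: the username entry decides the level.
 exec-timeout 10 0
 ! SSH needs a crypto (k9) image on the 2950; use "transport input telnet"
 ! only if no such image is available.
 transport input ssh
!
! The vty "password 7 ..." lines are not consulted for login once a list is
! bound to the line and can be removed.
```

After applying this, a telnet/SSH login as newuser should drop straight into a level-5 exec ("show privilege" reports 5) without an enable prompt, and ocintron into level 15; if either still lands at level 1, the line is missing the "authorization exec" binding.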