In preparing standards for configs, I almost always prefer explicit commands versus implicit commands. It’s not always easy in IOS, take AAA as a case in point. I want explicit commands under the VTY’s and the Console. However I don’t want the default login to be a valid authentication type. What that means is if someone removes the authentication from the VTY/Console, it will fall back to the default which is to deny any logins. Let’s take a look at the command structure for this.
Switch(config)#aaa authentication login default ? cache Use Cached-group enable Use enable password for authentication. group Use Server-group line Use line password for authentication. local Use local username authentication. local-case Use case-sensitive local username authentication. none NO authentication. passwd-expiry enable the login list to provide password aging support radius Use RADIUS authentication. tacacs+ Use TACACS+ authentication.
There is no Null/Exempt/Block. There is none, but this prevents any authentication, effectively allowing all connections. So what do we do? We assign it a group that has no configuration. Let’s look at the rest of the AA config first.
aaa group server tacacs+ PACKETPROS-TACACS server-private 10.1.0.5 key LeTsG0BrEwErS< server-private 10.1.0.6 key LeTsG0BrEwErS ! aaa authentication login CONSOLE local aaa authentication login PP-AAA group PACKETPROS-TACACS local aaa accounting send stop-record authentication failure aaa accounting exec default start-stop group PACKETPROS-TACACS
We have two groups configured; CONSOLE an PP-AAA. CONSOLE just points to the local username database. PP-AAA points to a TACACS+ group called PACKETPROS-TACACS which has my two ISE servers in it. So now let’s set the default to a empty group.
aaa authentication login default NULL
I use the keyword of NULL, but you can put anything in you like as long as it doesn’t overwrite one of the other configured groups (CONSOLE and PP-AAA in this example). You will get an error in the log/syslog:
%AAAA-4-SERVUNDEF: The server-group "NULL" is not defined. Please define it.
If you don’t define it, it will fail authentication every single time since there are no authentication mechanisms configured. When trying to login you will receive the following on the console-
%AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle* % Authentication failed
On VTY’s you will just see % Authentication failed.
Final Configuration
aaa group server tacacs+ PACKETPROS-TACACS server-private 10.1.0.5 key LeTsG0BrEwErS server-private 10.1.0.6 key LeTsG0BrEwErS ! aaa authentication login default NULL aaa authentication login CONSOLE local aaa authentication login PP-AAA group PACKETPROS-TACACS local aaa accounting send stop-record authentication failure aaa accounting exec default start-stop group PACKETPROS-TACACS line con 0 login authentication CONSOLE line vty 0 15 login authentication PP-AAA
If there is no login authentication command under the VTY or Console, you will not be able to login via that method so be careful!