What does aaa new-model do to your Cisco logins?
It has been a long time since I have thought about aaa new-model as a Cisco configuration, mainly because it is not in the CCNA Routing and Switching official curriculum. However, once you attain your certification and become gainfully employed as a network admin, you will likely be exposed to enterprise networks which employ this method of controlling remote access to the Cisco gear. In this blog I will provide an introductory look at how this command impacts login activities on a couple of Cisco routers.
I labbed it up in GNS3, and here is a view of my topology:
Figure 1
As you can see, I am fond of annotating my topologies, both to follow proper documentation procedures, and also to remind myself what I was doing the next time I launch this topology! I have the Windows 7 box running in Oracle Virtual Box (check out my GNS3 VirtualBox video blog on how to do this if you wish, as the process is similar for Windows 7) just to be able to initiate remote connections to my two routers, so let’s log in to R2. I have a username/password configured and I have issued the command login local on my vty lines. Let’s see what credentials I must supply to gain access:
Figure 2
As is typical, there is no output to the console when typing the password; nevertheless, I must have typed it correctly to gain access. Once again, this is with a username/password and login local configured. On R3, all I have on my vty lines is a password and the login command. Let’s see the difference in the login procedure:
Figure 3
As you can see, I was only required to provide a password – there was no request for a valid user name. The password that I typed was the word ‘login’. Now I will access R3 and from global configuration mode I will issue the command aaa new-model. Then I will examine the config on my vty lines:
Figure 4
Note that the configuration on my vty lines only mentions the password, which I stated previously was the word ‘login.’
Let’s log in again and see what ONLY THAT CHANGE does to the login process:
Figure 5
Now I am once again required to provide both a user name and a password to gain access. Incidentally, the password of “login” no longer works. I must use the password (secret) associated with the user name netadmin in order to pass authentication.
There is much, much more that can be done once you have enabled aaa new-model, but as I said, I just wanted to scratch the surface and show that just typing the command with no additional configuration will have an impact on the device. That being said, don’t forget to create the username/password combination so that once you have issued the command, you are still able to remotely access the device.
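To make the order of operations concrete, here is an added IOS configuration example (not the author’s lab config from the figures) showing R3’s vty lines before the change and the safe sequence for enabling aaa new-model. The username netadmin comes from the post; the secret is a placeholder you must replace, and the explicit method list is my addition rather than something the figures show.

```cisco
! --- Before: R3 as described in the post (password-only vty login) ---
line vty 0 4
 password login
 login
!
! --- After: enable AAA without locking yourself out ---
! Step 1: create the local account FIRST. Once aaa new-model is on, the
! vty "password"/"login" pair is ignored and the default login method
! list is consulted, which falls back to the local user database.
username netadmin secret REPLACE_WITH_STRONG_SECRET
!
! Step 2: enable AAA. From here on every vty login prompts for a
! username and password, exactly as the post observes.
aaa new-model
!
! Step 3 (added, not shown in the post): state the default method list
! explicitly so the behaviour does not depend on the implicit default.
! "local" means the username/secret database created in step 1.
aaa authentication login default local
!
! Verify: the old "password login" line may still appear under the vty
! lines, but it is no longer what authenticates you.
end
show running-config | section line vty
show running-config | include aaa
```

Keep your current session open while you open a second connection to test the new login; if the second session fails, you can still fix the configuration from the first one.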
If you have questions or comments, please feel free to post them!
Until next time…
Mark Jacob
Cisco and CompTIA Network + Instructor – Interface Technical Training
Phoenix, AZ