1 1

Added by Mark Jacob October 21, 2015

It has been a long time since I have thought about aaa new-model as a Cisco configuration, mainly because it is not in the CCNA Routing and Switching official curriculum. However, once you attain your certification and become gainfully employed as a network admin, you will likely be exposed to enterprise networks which employ this method of controlling remote access to the Cisco gear. In this blog I will provide an introductory to look at how this command impacts login activities on a couple of Cisco routers.

I labbed it up in GNS3, and here is a view of my topology:

Figure 1

As you can see, I am fond of annotating my topologies, both to follow proper documentation procedures, and also to remind myself what I was doing the next time I launch this topology! I have the Windows 7 box running in Oracle Virtual Box (check out my GNS3 VirtualBox video blog on how to do this if you wish, as the process is similar for Windows 7) just to be able to initiate remote connections to my two routers, so let’s log in to R2. I have a username/password configured and I have issued the command login local on my vty lines. Let’s see what credentials I must supply to gain access:

Figure 2

As is typical, there is no output to the console when typing the password, nevertheless, I must have typed it correctly to gain access. Once again, this is with a username/password and login local configured. On R3, all I have on my vty lines is a password and the login command. Let’s see the difference in the login procedure:

Figure 3

As you can see, I was only required to provide a password – there was no request for a valid user name. The password that I typed was the word ‘login’. Now I will access R3 and from global configuration mode I will issue the command aaa new-model. Then I will examine the config on my vty lines:

Figure 4

Note that the configuration on my vty lines only mentions the password, which I stated previously was the word ‘login.’

Let’s log in again and see what ONLY THAT CHANGE does to the login process:

Figure 5

Now I am once again required to provide both a user name and a password to gain access. Incidentally, the password of “login” no longer works. I must use the password (secret) associated with the user name netadmin in order to pass authentication.

There is much much more that can be done once you have enabled aaa new-model, but as I said, I just wanted to scratch the surface and show that just typing the command with no additional configuration will have an impact on the device. That being said, don’t forget to create the username/password combination so that once you have issued the command, you are still able to remotely access the device.

If you have questions or comments, please feel free to post them!

Until next time…

Mark Jacob
Cisco and CompTIA Network + Instructor – Interface Technical Training
Phoenix, AZ