Configure AAA authentication for Cisco devices!

Source: Internet
Author: User

Lab devices:
One Cisco 3640 router, one PC, one console cable, and one crossover cable
Tutorial topology:

Experiment process:
Step 1: Log on to the router through the console cable and use HyperTerminal or SecureCRT to complete the basic configuration. At the same time, connect the crossover cable to the router's interface E1/0 and configure the PC's interface with IP address 192.168.10.1, mask 255.255.255.0.
Router> enable
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# no ip domain-lookup
Router(config)# line console 0
Router(config-line)# no exec-t
Router(config-line)# logg syn
Router(config)# host R3640
R3640(config)# int e1/0
R3640(config-if)# ip add 192.168.10.3 255.255.255.0
R3640(config-if)# no sh
R3640(config-if)# end
*Mar  1 00:02:02.499: %SYS-5-CONFIG_I: Configured from console by console
R3640# ping 192.168
*Mar  1 00:02:03.659: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up
*Mar  1 00:02:04.659: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to up
R3640# ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/32/44 ms
Step 2: Enable AAA and configure login authentication to use the local user database
R3640# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3640(config)# aaa ?
  new-model  Enable NEW access control commands and functions. (Disables OLD commands.)
R3640(config)# aaa new-model    (enables AAA globally)
R3640(config)# aaa authentication login ?    (enables AAA authentication for user logins; the list name used during authentication is either the built-in "default" or a name you define)
  WORD     Named authentication list.
  default  The default authentication list.
R3640(config)# aaa authentication login default ?    (specify the authentication method)
  enable       Use enable password for authentication.    (the privileged-mode password)
  group        Use Server-group    (a RADIUS or TACACS+ server group)
  krb5         Use Kerberos 5 authentication.    (Kerberos)
  krb5-telnet  Allow logins only if already authenticated via Kerberos V Telnet.
  line         Use line password for authentication.    (the line password)
  local        Use local username authentication.    (requires a locally configured username and password)
  local-case   Use case-sensitive local username authentication.
  none         NO authentication.    (no authentication is performed)
Configure local AAA authentication for users logging on to the device: the authentication list is named default and the method is local.
R3640(config)# aaa authentication login default local
Next, the username and password used for local login. The password configured here uses the secret keyword, which stores an MD5 hash of the password rather than the password itself, so show running-config displays only ciphertext. Configuring a plaintext username and password is not recommended, for example R3640(config)# username admin password admin.
Use a complex password: mixed upper and lower case, special characters and digits, longer than 8 characters, for example P@ssw0rd.
R3640(config)# username nousername secret nopassword
Step 3: Enable authentication debugging and observe the debug output
R3640# debug aaa authentication
AAA Authentication debugging is on
R3640#
Step 4 (figure 1): From the PC, use telnet to log on to the router remotely.

Step 5 (figure 2): Enter the login username nousername and the password nopassword. The password is not echoed as you type it. After the login succeeds, the router's user EXEC prompt is displayed. This shows that AAA authentication is working: no VTY password was configured, and AAA performed the authentication instead.

Step 6 (figure 3): Enter enable and try to reach privileged mode. The router reports the following authentication error. Why?

Step 7: Check the debug output on the router produced when you enter enable and try to log on.
R3640#
*Mar  1 00:38:49.347: AAA: parse name=tty130 idb type=-1 tty=-1
*Mar  1 00:38:49.347: AAA: name=tty130 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=130 channel=0
*Mar  1 00:38:49.347: AAA/MEMORY: create_user (0x6000010bc) user='nousername' (the login username) ruser='NULL' ds0=0 port='tty130' rem_addr='192.168.10.1' (the PC's IP address) authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar  1 00:38:49.351: AAA/AUTHEN/START (509980843): port='tty130' list='' action=LOGIN service=ENABLE    (enable was entered; no enable password is set)
*Mar  1 00:38:49.351: AAA/AUTHEN/START (509980843): non-console enable - default to enable password
*Mar  1 00:38:49.351: AAA/AUTHEN/START (509980843): Method=ENABLE
R3640#
*Mar  1 00:38:49.351: AAA/AUTHEN (509980843): can't find any passwords    (no enable password found)
*Mar  1 00:38:49.351: AAA/AUTHEN (509980843): Status=ERROR    (authentication status ERROR)
*Mar  1 00:38:49.351: AAA/AUTHEN/START (509980843): no methods left to try
*Mar  1 00:38:49.351: AAA/AUTHEN (509980843): Status=ERROR
*Mar  1 00:38:49.351: AAA/AUTHEN/START (509980843): failed to authenticate    (authentication failed because no enable password is configured)
*Mar  1 00:38:49.355: AAA/MEMORY: free_user (0x6000010bc) user='nousername' ruser='NULL' port='tty130' rem_addr='192.168.10.1' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
R3640#
Step 7 (figure 4): Configure the enable password on the router if you want to reach privileged mode over a remote login. If you only want to work in user mode for now, it is not needed yet, but leaving the router without an enable password is not sensible: you cannot guarantee that you will never need to debug the router remotely, and when you do, you will need the enable password to get in, as shown in figure 4.

Step 8 (figure 5): Enter the configured enable secret password to reach privileged mode.

Why are the following error messages displayed?
R3640> enable
Password:
% Access denied
R3640> enable
Password:
% Password: timeout expired!
% Error in authentication.
Enter the enable password. When privileged mode is reached, the authentication debug output is displayed:
*Mar  1 00:51:26.719: AAA/MEMORY: free_user (0x63D5B984) user='NULL' ruser='NULL' port='tty130' rem_addr='192.168.10.1' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
R3640#
*Mar  1 00:51:30.667: AAA: parse name=tty130 idb type=-1 tty=-1
*Mar  1 00:51:30.667: AAA: name=tty130 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=130 channel=0
*Mar  1 00:51:30.667: AAA/MEMORY: create_user (0x63D5B984) user='nousername' ruser='NULL' ds0=0 port='tty130' rem_addr='192.168.10.1' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar  1 00:51:30.667: AAA/AUTHEN/START (2028066283): port='tty130' list='' action=LOGIN service=ENABLE
*Mar  1 00:51:30.671: AAA/AUTHEN/START (2028066283): non-console enable - default to enable password
*Mar  1 00:51:30.671: AAA/AUTHEN/START (2028066283): Method=ENABLE
R3640#
*Mar  1 00:51:30.671: AAA/AUTHEN (2028066283): Status=GETPASS    (prompting for the password)
R3640#
*Mar  1 00:51:37.599: AAA/AUTHEN/CONT (2028066283): continue_login (user='(undef)')
*Mar  1 00:51:37.599: AAA/AUTHEN (2028066283): Status=GETPASS
*Mar  1 00:51:37.599: AAA/AUTHEN/CONT (2028066283): Method=ENABLE
*Mar  1 00:51:37.623: AAA/AUTHEN (2028066283): Status=PASS
*Mar  1 00:51:37.623: AAA/MEMORY: free_user (0x63D5B984) user='NULL' ruser='NULL' port='tty130' rem_addr='192.168.10.1' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
R3640#
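The two debug captures above (the failed enable attempt in step 7 and the successful one in step 8) are easier to triage in bulk if they are turned into per-session records. The following Python script is an added example and is not part of the original tutorial: it groups `debug aaa authentication` lines by the session id in parentheses, attaches the username and remote address from the preceding create_user line, and names the failure the tutorial diagnoses (Status=ERROR together with "can't find any passwords" on Method=ENABLE means no enable password is configured). The sample lines are constructed from the tutorial's own output with the extraction spacing normalized; the function names parse_aaa_debug and failure_reason are this example's, not an IOS or library API.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: one ENABLE attempt that fails because no enable password is
# set, followed by one that succeeds, modelled on the tutorial's debug output.
SAMPLE_DEBUG = """\
*Mar  1 00:38:49.347: AAA/MEMORY: create_user (0x6000010bc) user='nousername' ruser='NULL' ds0=0 port='tty130' rem_addr='192.168.10.1' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar  1 00:38:49.351: AAA/AUTHEN/START (509980843): port='tty130' list='' action=LOGIN service=ENABLE
*Mar  1 00:38:49.351: AAA/AUTHEN/START (509980843): non-console enable - default to enable password
*Mar  1 00:38:49.351: AAA/AUTHEN/START (509980843): Method=ENABLE
*Mar  1 00:38:49.351: AAA/AUTHEN (509980843): can't find any passwords
*Mar  1 00:38:49.351: AAA/AUTHEN (509980843): Status=ERROR
*Mar  1 00:38:49.351: AAA/AUTHEN/START (509980843): no methods left to try
*Mar  1 00:38:49.351: AAA/AUTHEN (509980843): Status=ERROR
*Mar  1 00:38:49.351: AAA/AUTHEN/START (509980843): failed to authenticate
*Mar  1 00:38:49.355: AAA/MEMORY: free_user (0x6000010bc) user='nousername' ruser='NULL' port='tty130' rem_addr='192.168.10.1' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
*Mar  1 00:51:30.667: AAA/MEMORY: create_user (0x63D5B984) user='nousername' ruser='NULL' ds0=0 port='tty130' rem_addr='192.168.10.1' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
*Mar  1 00:51:30.667: AAA/AUTHEN/START (2028066283): port='tty130' list='' action=LOGIN service=ENABLE
*Mar  1 00:51:30.671: AAA/AUTHEN/START (2028066283): Method=ENABLE
*Mar  1 00:51:30.671: AAA/AUTHEN (2028066283): Status=GETPASS
*Mar  1 00:51:37.599: AAA/AUTHEN/CONT (2028066283): continue_login (user='(undef)')
*Mar  1 00:51:37.599: AAA/AUTHEN (2028066283): Status=GETPASS
*Mar  1 00:51:37.599: AAA/AUTHEN/CONT (2028066283): Method=ENABLE
*Mar  1 00:51:37.623: AAA/AUTHEN (2028066283): Status=PASS
*Mar  1 00:51:37.623: AAA/MEMORY: free_user (0x63D5B984) user='NULL' ruser='NULL' port='tty130' rem_addr='192.168.10.1' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
"""

# create_user carries the username, remote address and service but no session id;
# the AAA/AUTHEN lines that follow carry the session id in parentheses.
CREATE_RE = re.compile(
    r"AAA/MEMORY: create_user \((0x[0-9a-fA-F]+)\) user='([^']*)'.*?rem_addr='([^']*)'.*?service=(\w+)")
SESSION_RE = re.compile(r"AAA/AUTHEN(?:/START|/CONT)? \((\d+)\): (.*)$")


@dataclass
class AuthSession:
    session_id: str
    user: str = "?"
    rem_addr: str = "?"
    service: str = "?"
    method: str = "?"
    status: str = "UNKNOWN"      # last Status= value seen (ERROR, FAIL, PASS, GETPASS ...)
    notes: list = field(default_factory=list)   # free-text messages such as "can't find any passwords"


def parse_aaa_debug(text: str) -> list:
    """Group debug lines into AuthSession records, in order of first appearance."""
    sessions, order = {}, []
    pending = None   # (user, rem_addr, service) from the most recent create_user line
    for line in text.splitlines():
        m = CREATE_RE.search(line)
        if m:
            pending = (m.group(2), m.group(3), m.group(4))
            continue
        m = SESSION_RE.search(line)
        if not m:
            continue
        sid, msg = m.groups()
        sess = sessions.get(sid)
        if sess is None:
            sess = AuthSession(sid)
            if pending:
                sess.user, sess.rem_addr, sess.service = pending
                pending = None
            sessions[sid] = sess
            order.append(sid)
        if msg.startswith("Method="):
            sess.method = msg.split("=", 1)[1]
        elif msg.startswith("Status="):
            sess.status = msg.split("=", 1)[1]
        elif not msg.startswith(("port=", "continue_login")):
            sess.notes.append(msg)
    return [sessions[sid] for sid in order]


def failure_reason(sess: AuthSession):
    """Explain a failed session in the terms the tutorial uses; None if it passed."""
    if sess.status == "PASS":
        return None
    if sess.status == "ERROR" and sess.method == "ENABLE" and "can't find any passwords" in sess.notes:
        return "no enable password configured on the router"
    if sess.status == "FAIL":
        return "credentials rejected"
    return f"ended with status {sess.status}"


def summarize(text: str) -> list:
    """One human-readable line per session."""
    out = []
    for s in parse_aaa_debug(text):
        reason = failure_reason(s)
        verdict = "OK" if reason is None else f"FAILED: {reason}"
        out.append(f"session {s.session_id} user={s.user} from={s.rem_addr} "
                   f"service={s.service} method={s.method} -> {verdict}")
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_DEBUG):
        print(line)
```

Feeding a real capture in requires only that the lines keep IOS's native spacing (no spaces inserted around `=` or inside the quotes); the two regexes above are written for that native form.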
Step 9 (figure 6): Having verified remote login, we now verify that the local login authentication method also applies when logging on from the console interface. As shown in figure 6, a prompt asks for a username and password.


Step 10: Enter the correct username and password.
After entering privileged mode, the user's privilege level is 15. What is the privilege level, and which command shows the level you are currently at?
Summary:
There are two ways to configure local login authentication:
Method 1 (figure 7):

Method 2 (figure 8):

In the second method the authentication list has a custom name, so it has to be applied explicitly under the console and VTY lines. The first method needs fewer commands: when the login authentication list is named "default", it does not have to be applied on the VTY and console lines, because the list named default is consulted automatically when authentication is performed. If a custom list name such as "hackerjx" is configured instead, you must apply that list on the VTY and console lines for the authentication to take effect; otherwise no security authentication is performed when you log on from the console.
There is no need to configure both local authentication methods on one device; configure whichever one you need.
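The pitfalls this tutorial walks through are all visible in a running-config: a named list that is defined but not applied on every line, no enable secret (so remote enable ends in Status=ERROR), and a username stored with a plaintext password instead of secret. The script below is an added example, not part of the original tutorial, that audits a saved running-config for those conditions. Both configs are constructed for this example, modelled on Method 2 (a named list "hackerjx"); the function names parse_config and audit_aaa are this example's own.

```python
import re

# Constructed "before" config: the named list is applied on the VTY lines but
# not on the console, no enable secret is set, and a user has a plaintext password.
WEAK_CONFIG = """\
hostname R3640
aaa new-model
aaa authentication login hackerjx local
username admin password admin
line con 0
 logging synchronous
line vty 0 4
 login authentication hackerjx
"""

# Constructed "after" config with the three problems corrected.
FIXED_CONFIG = """\
hostname R3640
aaa new-model
aaa authentication login hackerjx local
enable secret P@ssw0rd
username nousername secret nopassword
line con 0
 logging synchronous
 login authentication hackerjx
line vty 0 4
 login authentication hackerjx
"""


def parse_config(text: str):
    """Split a running-config into global commands and per-'line' block commands.

    IOS indents the commands that belong to a 'line con 0' / 'line vty 0 4'
    block by one space; the block ends at the next unindented command.
    """
    global_cmds = []
    line_blocks = {}          # e.g. "con 0" -> ["logging synchronous", ...]
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            line_blocks[current].append(raw.strip())
            continue
        current = None
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd[len("line "):]
            line_blocks.setdefault(current, [])
        else:
            global_cmds.append(cmd)
    return global_cmds, line_blocks


def audit_aaa(text: str) -> list:
    """Return a list of findings; an empty list means none of the audited pitfalls is present."""
    global_cmds, line_blocks = parse_config(text)
    findings = []

    if "aaa new-model" not in global_cmds:
        findings.append("aaa new-model is not enabled; AAA login authentication is not in effect")
        return findings

    lists = []
    for cmd in global_cmds:
        m = re.match(r"aaa authentication login (\S+) ", cmd)
        if m:
            lists.append(m.group(1))
    if not lists:
        findings.append("no 'aaa authentication login' list is defined")

    # A list named "default" is used automatically; any other name protects
    # only the lines on which 'login authentication <name>' is applied.
    if lists and "default" not in lists:
        for line_name, cmds in line_blocks.items():
            applied = [c.split()[-1] for c in cmds if c.startswith("login authentication ")]
            if not any(name in lists for name in applied):
                findings.append(f"line {line_name}: no defined login authentication list is applied")

    if not any(cmd.startswith("enable secret") for cmd in global_cmds):
        findings.append("no enable secret: a remote 'enable' fails with Status=ERROR (no enable password)")

    for cmd in global_cmds:
        m = re.match(r"username (\S+) password ", cmd)
        if m:
            findings.append(f"username {m.group(1)} uses a plaintext password; use 'secret' instead")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}] {audit_aaa(cfg) or ['no findings']}")
```

The check treats `login authentication default` as redundant but harmless, and deliberately stops after the aaa new-model finding, since none of the other AAA checks apply until AAA is turned on.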
