Cisco AAA is a very important security tool to restrict access to your network equipments to only those who are Network administrators. It is an important topic for CCIE Lab and in real life as well. The problem with Network Security is that sometimes due to human error, the network gets so secured that even the Network Administrator does not get access to the equipments. To make such a mistake is very easy because not many people know what exactly goes on after enabling AAA. In this blog, we will look into ways of enabling AAA and possible ways to get out of lock out if there was a proper exit strategy.
Enabling AAA and getting locked out
Enabling AAA is pretty straightforward. Just go to config mode and type aaa new-model. With this command AAA is enabled and you are secured. So you log out of your telnet session and when you try to access it once again, it asks you for username and password. But you have not enabled anything in AAA and have not set username and password, so why is it asking for the login credentials. The reason it is asking is because the moment you enter aaa new-model, it enables local authentication by default bypassing the line vty password. So how do we enter a username and password, when there is none in the router? This is the first way we locked ourself out. When the router is asking for username and password, somehow you will have to enter username and password into the router.
If you have console access, go to config mode and enter username and password. If you are away from your equipment, the only other option you have is to enter it through snmp (you have to be very lucky if you have set a read write snmp community on your remote router). There is a tool called Cisco snmp tool and it is a freeware. Set the ip address of the router and the snmp read write string and you can upload the username and the password to the router. You just have to write “username cisco password cisco” on the config window and click on configuration>configuration>upload>running config. This will set a username and password of cisco on the router using which you can login to the device.
Getting locked out again
So instead of logging out after the command aaa new-model, you type aaa authentication login default local and logout. Now you are in an even bigger problem because now the local authentication is defaulted to both vty and console terminals. If you access your console, you will be asked for username and password which obviously is not there. The only way out of this is if you are lucky, through the previously mentioned snmp recovery or through cisco password recovery which will require you to take console access and reboot the router.
Tips for CCIE Lab
The repercussion of a wrongly configured AAA is even severe in CCIE Lab. What may seem like a harmless configuration can lock you out of the router or even worse, will lock the proctor out of the router and hence stop him from assessing you. Generally one form of AAA comes in the lab. It could be configuring AAA for ppp authentication, for http authentication or for login authentication. The guidelines of the Lab tell us that no passwords can be changed. This means that if your password for telnet and console is cisco, then it has to be so at the end of the lab. If there are no passwords on vty and console, then there must be no password at the end of the lab. When configuring AAA, by default, these would get changed. If the task for ppp authentication is a named list then the console password remains the same i.e. enable if enable password is set or blank if it not set. If the AAA named list of ppp authentication or any other authentication is “default”, then this changes the console and vty password to local. This is in violation of the guidelines. The way we can retain the line passwords is by using named list for AAA and applying it to line console or line vty. If there was no authentication on the console, then use “aaa authentication login CON none” and apply it to the line console 0 with the command “login authentication CON”. If there was an authentication on the console, then use “aaa authentication login CON line” and apply it to the line console 0 with the command “login authentication CON”. If you are asked for vty password to remain unchanged, use the same command as for console on the vty line.
I hope my post has been helpful in your life but the only guide which can help you in the hereafter is the Qur’an. You can download the English translation of the Qur’an here.