Disable AAA-based Authentication for Console; Disable TACACS+ Authentication at the Context Level; Limit local-user Login on Console/vty Lines - Cisco ASR 5500 System Administration Manual

System Settings

Disable AAA-based Authentication for Console

A noconsole keyword for the Global Configuration mode local-user allow-aaa-authentication command
disables AAA-based authentication on the Console line.
configure
local-user allow-aaa-authentication noconsole
exit
Since local-user authentication is always performed before AAA-based authentication and local-user
allow-aaa-authentication noconsole is enabled, the behavior is the same as if no local-user
allow-aaa-authentication is configured. There is no impact on vty lines.
Important: This command does not apply for a Trusted build because the local-user database is unavailable.

Disable TACACS+ Authentication at the Context Level

When you enable aaa tacacs+ in the Global Configuration mode, TACACS+ authentication is automatically
applied to all contexts (local and non-local). In some network deployments you may wish to disable TACACS+
services for specific contexts.
You can use the no aaa tacacs+ Context Configuration command to disable TACACS+ services within a
context.
configure
context ctx_name
no aaa tacacs+
Use the aaa tacacs+ Context Configuration command to enable TACACS+ services within a context where
it has been previously disabled.
Important: AAA TACACS+ services must be enabled in the Global Configuration mode (all contexts) before you
can selectively disable the services at the context level. You cannot selectively enable TACACS+ services
at the context level when they have not been enabled globally.

Limit local-user Login on Console/vty Lines

As a security administrator, when you create a StarOS user you can specify whether that user can log in through
the Console or vty line. The [ noconsole | novty ] keywords for the Global Configuration mode local-user
username command support these options.
configure
local-user username <username> [ noconsole | novty ]
exit
The noconsole keyword prevents the user from logging into the Console port. The novty keyword prevents
the user from logging in via an SSH or telnet session. If neither keyword is specified, access to both Console
and vty lines is allowed.
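The three settings above can be reviewed offline against a saved configuration listing. The Python sketch below is an added example, not part of the Cisco guide: it assumes one command per line in the forms shown on this page, context blocks closed by exit, and constructed user and context names. It also flags a combination that follows from the text: with AAA disabled on the Console and every local user marked noconsole, nobody can log in on the Console line.

```python
# Added example: audits a StarOS-style config listing for the settings on this
# page. The listing layout (one command per line, context closed by "exit") and
# every name in SAMPLE are constructed assumptions, not Cisco output.
SAMPLE = """\
configure
aaa tacacs+
local-user allow-aaa-authentication noconsole
local-user username opsadmin novty
local-user username breakglass noconsole
context mgmt
no aaa tacacs+
exit
exit
"""

def audit(config_text):
    ctx = None                      # None = Global Configuration mode
    r = {"tacacs_global": False, "aaa_on_console": True,
         "tacacs_disabled_ctx": set(), "users": {}, "findings": []}
    for raw in config_text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "context" and len(tok) > 1:
            ctx = tok[1]
        elif tok == ["exit"]:
            ctx = None              # leaves the context (or configure itself)
        elif tok[:2] == ["aaa", "tacacs+"]:
            if ctx is None:
                r["tacacs_global"] = True
            else:
                r["tacacs_disabled_ctx"].discard(ctx)   # re-enabled in context
        elif tok[:3] == ["no", "aaa", "tacacs+"] and ctx is not None:
            r["tacacs_disabled_ctx"].add(ctx)
        elif tok[:2] == ["local-user", "allow-aaa-authentication"]:
            r["aaa_on_console"] = "noconsole" not in tok[2:]
        elif tok[:2] == ["local-user", "username"] and len(tok) > 2:
            r["users"][tok[2]] = {"console": "noconsole" not in tok[3:],
                                  "vty": "novty" not in tok[3:]}
    if r["tacacs_disabled_ctx"] and not r["tacacs_global"]:
        r["findings"].append("'no aaa tacacs+' in a context without global 'aaa tacacs+'")
    if not r["aaa_on_console"] and not any(u["console"] for u in r["users"].values()):
        r["findings"].append("console: AAA disabled and no local user may log in there")
    return r
```

Calling audit(SAMPLE) returns the per-user Console/vty access map, the set of contexts with TACACS+ disabled, and an empty findings list for this constructed listing.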
ASR 5500 System Administration Guide, StarOS Release 21.5