Cisco IOS – How to View Default Authentication Method for Different Lines

Tags: aaa, authentication, cisco, cisco-ios, Security

For example, if I enable AAA (aaa new-model) in an IOS router with the default configuration and try to log in over the console line (cty), then there is no authentication. However, if I try to log in over telnet (vty), then I'm authenticated against the local user database. Now if I specify a TACACS+ server with tacacs-server host 10.10.10.3 key passwd and enable TACACS+ authentication with aaa authentication login default group tacacs+, then both cty and vty start using TACACS+ authentication. Now if I disable AAA (no aaa new-model), then vty expects me to have at least a line password while cty has no authentication by default. As if this isn't already confusing enough, enable mode over the console line requires no authentication by default while in the case of telnet it does. This all makes me wonder if there is a show command which displays the authentication method for different lines. For example, in case AAA is enabled but no TACACS+ authentication is configured, sh line vty 0 auth would show that vty lines expect local user database authentication while at the same time sh line console 0 auth would show that no authentication is required. However, I'm afraid that such a show command does not exist and one has to check the configuration and know the defaults by heart.

Best Answer

I can sympathize; IOS authentication mechanisms are not simple to understand.

The closest command that does what you want is show aaa method-lists authentication. However, this command is not really bullet-proof for the purposes of auditing system login authentication methods.


Example usage:

For example, let's suppose we have a switch with the following configuration:

username cisco password cisco
aaa new-model
aaa authentication login default local
aaa authorization exec default local if-authenticated
!
line con 0
 exec-timeout 15 0
!
line vty 0 4
 exec-timeout 15 0

When I run show aaa method-lists authentication, I see that the default method is the only one used, but it doesn't enumerate console, aux, or line vty...

rt#sh aaa method-lists authentication
authen queue=AAA_ML_AUTHEN_LOGIN
  name=default valid=TRUE id=0 :state=ALIVE : LOCAL
  ^^^^^^^^^^^^       ^^^^                     ^^^^^
authen queue=AAA_ML_AUTHEN_ENABLE
authen queue=AAA_ML_AUTHEN_PPP
authen queue=AAA_ML_AUTHEN_SGBP
authen queue=AAA_ML_AUTHEN_ARAP
authen queue=AAA_ML_AUTHEN_DOT1X
authen queue=AAA_ML_AUTHEN_8021X
authen queue=AAA_ML_AUTHEN_EAPOUDP
permanent lists
  name= Permanent Enable None valid=TRUE id=0 :state=ALIVE : ENABLE  NONE 
  name= Permanent Enable valid=TRUE id=0 :state=ALIVE : ENABLE 
  name= Permanent None valid=TRUE id=0 :state=ALIVE : NONE 
  name= Permanent Local valid=TRUE id=0 :state=ALIVE : LOCAL 
  name= Permanent rcmd valid=TRUE id=0 :state=ALIVE : RCMD 

rt#

Now we can go in and configure a bogus login method on line con 0...

rt1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
rt1(config)#line con 0
rt1(config-line)#login authentication FOOBAR
AAA: Warning authentication list "FOOBAR" is not defined for LOGIN.

rt1(config-line)#do show aaa method-lists authentication | i FOOBAR
rt1(config-line)#  ! <-------------  *Nothing here*

However, if I now configure that auth list, it shows up...

rt1(config)#aaa authentication login FOOBAR local
rt1(config)#do show aaa method-lists authentication | i FOOBAR
  name=FOOBAR valid=TRUE id=6F000002 :state=ALIVE : LOCAL 
rt1(config)#

All that to say, you're mostly out of luck for a one-command does-it-all solution. The best thing you could do is write an audit script; ciscoconfparse can assist with these kinds of tasks (full disclosure, I wrote that library for exactly this kind of problem).
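As an added illustration of the audit-script idea (not part of the answer above and not using ciscoconfparse), the following plain-Python script walks a saved IOS configuration, resolves which login authentication list or legacy line setting applies to each con/aux/vty block, and flags a line that references an AAA list that is never defined, which is the FOOBAR situation shown above. The sample configuration is constructed from the answer's example; the method descriptions are assumptions about IOS behaviour as described on this page, not a substitute for checking the device.

```python
import re

# Constructed sample: the answer's switch config plus a console line that
# points at an AAA list which is not defined (the FOOBAR case above).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
!
line con 0
 login authentication FOOBAR
!
line vty 0 4
 exec-timeout 15 0
"""
LIST_RE = re.compile(r"aaa authentication login (\S+) (.+)")

def parse_login_auth(config):
    # Return {line_name: description of its login authentication method}.
    lines = config.splitlines()
    aaa = any(l.strip() == "aaa new-model" for l in lines)
    lists = dict(m.groups() for m in map(LIST_RE.match, lines) if m)  # name -> methods
    sections, current = {}, None
    for l in lines:
        if l.startswith("line "):
            current = l[5:].strip()
            sections[current] = {"list": None, "login": None, "password": False}
        elif current and l.startswith(" "):  # command inside the line block
            s = l.strip()
            if s.startswith("login authentication "):
                sections[current]["list"] = s.split()[2]
            elif s in ("login", "login local"):
                sections[current]["login"] = s
            elif s.startswith("password "):
                sections[current]["password"] = True
        else:
            current = None  # '!' or a global command ends the line block
    return {name: _describe(sec, aaa, lists) for name, sec in sections.items()}

def _describe(sec, aaa, lists):
    if aaa:  # with aaa new-model only method lists decide; line login/password are ignored
        name = sec["list"] or "default"
        if name in lists:
            return f"aaa list {name}: {lists[name]}"
        if name == "default":
            return "aaa default list not configured: IOS built-in default applies"
        return f"aaa list {name}: UNDEFINED (IOS warns when applied)"
    if sec["login"] == "login local":  # without AAA the per-line commands decide
        return "no aaa: local username database"
    if sec["login"] == "login":
        return "no aaa: line password" + ("" if sec["password"] else " (none set)")
    return "no aaa: no login authentication on this line"
```

Running parse_login_auth(SAMPLE_CONFIG) reports the vty lines as using the default list (local) and the console as pointing at the undefined list FOOBAR; appending an aaa authentication login FOOBAR line to the config makes the console entry resolve.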