Hi there, I have a question with regards to using aaa new-model and local user authentication with an access-class. Specifically: does the access-class get ignored when using aaa new-model with local authentication?
I have it somewhat ingrained to use "aaa new-model" all the time, and now I'm thinking I should probably modify this behaviour, but I would appreciate some advice.

Within the first step of Task 17.4 there is a directive to create the username 'local' with the password of 'ipexpert', and outbound telnet sessions should not be allowed. I know that this configuration works:

    no aaa new-model
    username local access-class 99 password ipexpert
    access-list 99 deny any
    line vty 0 4
     login local

What I don't understand is why this doesn't appear to work when aaa new-model is operating - it appears to simply authenticate the user but not associate the access-class with them, so they can happily telnet out:

    aaa new-model
    aaa authentication login default local
    aaa authentication enable default enable
    username local access-class 99 password ipexpert
    access-list 99 deny any
    line vty 0 4
     login authentication default

One alternative I did try that partially works is to look at setting command privileges:

    aaa new-model
    aaa authentication login default local
    aaa authentication enable default enable
    no ip domain-lookup
    privilege exec level 2 telnet
    username local privilege 1 password ipexpert
    line vty 0 4
     login authentication default

This removes the telnet command from the local user since their priv is too low; however, they can just type an IP address in the command line and still make a telnet connection.

The simple answer seems to be "don't use aaa new-model in these situations". I would just like to know if what I am seeing is expected behaviour, or perhaps I am missing a line of config to get similar behaviour with "aaa new-model".

Cheers,
Adam
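As an added config-audit example (not part of the post above), the script below scans an IOS-style configuration for the two patterns the post describes as not restricting outbound telnet: a per-user access-class combined with aaa new-model, and a privilege level on the telnet keyword, which a bare hostname or IP at the prompt bypasses. The sample configs are constructed from the snippets in the post; the finding names are assumptions of this example.

```python
import re

# Constructed sample configs, taken from the snippets quoted in the post.
WORKING = """\
no aaa new-model
username local access-class 99 password ipexpert
access-list 99 deny any
line vty 0 4
 login local
"""

AAA_ACL = """\
aaa new-model
aaa authentication login default local
username local access-class 99 password ipexpert
access-list 99 deny any
line vty 0 4
 login authentication default
"""

AAA_PRIV = """\
aaa new-model
aaa authentication login default local
privilege exec level 2 telnet
username local privilege 1 password ipexpert
line vty 0 4
 login authentication default
"""

# 'username <name> ... access-class <acl>' and 'privilege exec level <n> telnet'
USER_ACL = re.compile(r"^username\s+(\S+)\s.*?\baccess-class\s+(\S+)", re.M)
PRIV_TELNET = re.compile(r"^privilege\s+exec\s+level\s+(\d+)\s+telnet\b", re.M)

def aaa_new_model(cfg):
    """True when a bare 'aaa new-model' line is present ('no aaa new-model' does not match)."""
    return re.search(r"^aaa new-model\s*$", cfg, re.M) is not None

def audit(cfg):
    """Return (kind, detail) findings for the patterns described in the post."""
    findings = []
    if aaa_new_model(cfg):
        # Per-user access-class is not applied when AAA handles the login.
        for user, acl in USER_ACL.findall(cfg):
            findings.append(("user-acl-ignored", f"{user}:{acl}"))
    # Restricting the 'telnet' keyword does not stop a bare host/IP at the prompt.
    for level in PRIV_TELNET.findall(cfg):
        findings.append(("priv-telnet-bypassable", level))
    return findings
```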
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
