Hey guys - I figured I'd share a few stumbling points I ran into yesterday during my AAA lab practice. Never a dull moment!

andrew

#1 - Adding a "verb" command followed by an "adjective" always seems to auto-fill the parent command with just the "verb". I couldn't find anything on it, except by reading between the lines in the lab's solution guide. And THEN I came across this little gem inside the IOS Securing User Services guide:

    privilege exec level 7 configure terminal
    !
    ! the privilege exec level 7 configure command below is entered automatically
    ! when you enter the privilege exec level 7 configure terminal command above, do
    ! not enter it again
    !
    privilege exec level 7 configure

So it would seem that. I think the ipexpert instructors' mantra of "test your solutions thoroughly" really pays off in situations like this. For instance, the first go round, I had gotten the "show" commands right, but the "configure" ones I added in with different privilege levels (gave "configure" level 10 and "configure terminal" level 5).

#2 - Is it required to do all those complicated steps to get the Cisco Trust Agent to load and run properly? I tried to follow along with the VOD on that task since I have zero experience with CTA, but I was having lots of problems getting the program to even open properly :/

1. Disable the wired auto-config service in Services - would we need to play with services in the lab?
2. Import the ACS cert via CLI - can't we just use IE to install the cert into the root store? Does the client require a server certificate to launch?
3. Connect to the client via VNC - I'm pretty sure I understand why we need this - but I can't remember if there is VNC in the lab or not?

#3 - After configuring AAA local command authorization, I was unable to authorize use of enable mode for a RADIUS-authed user. I don't know if this was a bug or an order-of-operations issue, but of course after a reload everything worked as expected with no config changes at all... Let me know if I missed anything the first time!?! Specifically this was lab task 5.4, I believe.
R8(config)#do sh run | s user|aaa|vty
aaa new-model
aaa authentication login default none
aaa authentication login VTY_ACCESS group radius local
aaa authorization exec default none
aaa authorization exec VTY_ACCESS local
aaa accounting exec VTY_ACCESS action-type start-stop group radius
aaa session-id common
username raduser1 privilege 15 password 0 !pexpert123
username raduser2 privilege 5 password 0 !pexpert123
line vty 0 4
 authorization exec VTY_ACCESS
 accounting exec VTY_ACCESS
 login authentication VTY_ACCESS
line vty 5 15
 authorization exec VTY_ACCESS
 accounting exec VTY_ACCESS
 login authentication VTY_ACCESS

!!! failed authorization attempt to use "enable" command after successful remote RADIUS authentication !!!

Feb 25 23:50:00.299: AAA/AUTHOR: auth_need : user= 'raduser1' ruser= 'R8'rem_addr= '10.2.2.5' priv= 0 list= '' AUTHOR-TYPE= 'command'
Feb 25 23:50:00.299: AAA: parse name=tty515 idb type=-1 tty=-1
Feb 25 23:50:00.299: AAA: name=tty515 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=515 channel=0
Feb 25 23:50:00.299: AAA/MEMORY: create_user (0x496634A4) user='raduser1' ruser='NULL' ds0=0 port='tty515' rem_addr='10.2.2.5' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Feb 25 23:50:00.299: AAA/AUTHEN/START (2869037845): port='tty515' list='VTY_ACCESS' action=LOGIN service=ENABLE
R8(config)#
Feb 25 23:50:00.299: AAA/AUTHEN/START (2869037845): non-console enable - default to enable password
Feb 25 23:50:00.299: AAA/AUTHEN/START (2869037845): Method=ENABLE
Feb 25 23:50:00.299: AAA/AUTHEN(2869037845): can't find any passwords
Feb 25 23:50:00.299: AAA/AUTHEN(2869037845): Status=ERROR
Feb 25 23:50:00.299: AAA/AUTHEN/START (2869037845): no methods left to try
Feb 25 23:50:00.299: AAA/AUTHEN(2869037845): Status=ERROR
Feb 25 23:50:00.299: AAA/AUTHEN/START (2869037845): failed to authenticate
Feb 25 23:50:00.299: AAA/MEMORY: free_user (0x496634A4) user='raduser1' ruser='NULL' port='tty515' rem_addr='10.2.2.5' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
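Added example (editor's note, not part of the post above and not ipexpert or Cisco code): a small Python audit of the two gotchas in points #1 and #3. The debug lines in #3 read "non-console enable - default to enable password", "Method=ENABLE" and "can't find any passwords": with aaa new-model and no "aaa authentication enable" method list, IOS authenticates a vty user's "enable" against the local enable password, and the last line is what it prints when no enable secret or password exists. The script flags that path in a running-config, checks that every vty login list is actually defined, and computes the privilege level IOS ends up enforcing for "configure" after the level-10/level-5 mix-up in #1. The config is a constructed sample modelled on the one in the post (passwords replaced with a placeholder); the prefix rule for commands longer than two words is my extension of the two-word case quoted from the Cisco guide.

```python
"""Audit two AAA gotchas in an IOS running-config: the enable-authentication
fallback for non-console sessions and privilege-level parent auto-fill."""
import re

# Constructed sample, modelled on the config in the post; user passwords are a
# placeholder and the privilege lines reproduce the level-10/level-5 mistake.
SAMPLE_CONFIG = """
aaa new-model
aaa authentication login default none
aaa authentication login VTY_ACCESS group radius local
aaa authorization exec default none
aaa authorization exec VTY_ACCESS local
aaa accounting exec VTY_ACCESS action-type start-stop group radius
username raduser1 privilege 15 password 0 PLACEHOLDER
username raduser2 privilege 5 password 0 PLACEHOLDER
privilege exec level 10 configure
privilege exec level 5 configure terminal
line vty 0 4
 authorization exec VTY_ACCESS
 login authentication VTY_ACCESS
line vty 5 15
 authorization exec VTY_ACCESS
 login authentication VTY_ACCESS
"""


def config_lines(text):
    """Strip indentation, blank lines and '!' comment lines from a running-config."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            out.append(line)
    return out


def audit_enable_path(text):
    """Return findings about what happens when a vty user types 'enable'."""
    lines = config_lines(text)
    findings = []
    if "aaa new-model" not in lines:
        return ["aaa new-model absent: AAA method lists are not in effect"]
    # No 'aaa authentication enable' list: IOS falls back to the enable password
    # for non-console sessions ('non-console enable - default to enable password',
    # then 'Method=ENABLE' in the debug output).
    if not any(ln.startswith("aaa authentication enable ") for ln in lines):
        findings.append("no 'aaa authentication enable' list: non-console enable "
                        "falls back to the enable password")
        # ...and with no enable secret/password at all, that method has nothing
        # to check against ('can't find any passwords').
        if not any(re.match(r"enable (secret|password)\b", ln) for ln in lines):
            findings.append("no enable secret/password: enable from a vty fails "
                            "with 'can't find any passwords'")
    # A vty pointing at a login list that was never defined is a silent lockout.
    defined = {ln.split()[3] for ln in lines
               if ln.startswith("aaa authentication login ")}
    for ln in lines:
        if ln.startswith("login authentication "):
            name = ln.split()[2]
            if name not in defined:
                findings.append(f"vty references undefined login list {name}")
    return findings


def effective_privilege_levels(text):
    """Map each command prefix to the privilege level IOS will actually enforce.

    Entering 'privilege exec level N verb adjective' also sets 'verb' to level N
    (the two-word case quoted from the Cisco guide); this applies the same rule
    to every prefix of a longer command, with the most recent entry winning.
    """
    effective = {}
    for ln in config_lines(text):
        m = re.match(r"privilege exec level (\d+) (.+)", ln)
        if not m:
            continue
        level, words = int(m.group(1)), m.group(2).split()
        for i in range(1, len(words) + 1):
            effective[" ".join(words[:i])] = level
    return effective


if __name__ == "__main__":
    for finding in audit_enable_path(SAMPLE_CONFIG):
        print("finding:", finding)
    for cmd, lvl in sorted(effective_privilege_levels(SAMPLE_CONFIG).items()):
        print(f"privilege exec level {lvl} {cmd}")
```

On the sample it reports the enable fallback and the missing enable secret, and shows "configure" ending up at level 5 rather than 10 because the "configure terminal" entry was typed last. Adding "aaa authentication enable default group radius enable" plus an enable secret clears both enable findings; when RADIUS is used for enable authentication, IOS sends the username $enab15$ to the server, so the ACS side needs that account as well.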
