topic Unexpected AAA Behavior in Lab Setup in Network Access Control https://community.cisco.com/t5/network-access-control/unexpected-aaa-behavior-in-lab-setup/m-p/1382571#M323050 <P>I have attatched the config for my lab router in its entirety.&nbsp; The lab is air-gapped so I'm not scrubbing anything from its config.&nbsp; I configured some example server groups, and the servers are dummy servers to force a failed connection so that my understanding of the processing of an aaa authentication list is validated.&nbsp; My final login option is local, and I have a user with privilege level 15 specified.&nbsp; However, when I configured the telnet lines to use my list configured as 'RADIUS', I got an error stating that the list didn't exist.&nbsp; But when you look at the config, it is there on the vty lines.&nbsp; Also, when I login via telnet, I am not in privileged mode and I have to enter it manually.&nbsp; Below is the output on the router as I configured my aaa new-model:</P><P></P><P>3825_Lab(config)#aaa group server radius RADIUS_PRIMARY<BR />3825_Lab(config-sg-radius)#server 192.168.200.2<BR />3825_Lab(config-sg-radius)#exit<BR />3825_Lab(config)#aaa group server radius RADIUS_BACKUP<BR />3825_Lab(config-sg-radius)#server 192.168.200.3<BR />3825_Lab(config-sg-radius)#exit<BR />3825_Lab(config)#aaa group server tacacs+ TACACS_PRIMARY<BR />3825_Lab(config-sg-tacacs+)#server 192.168.200.4<BR />3825_Lab(config-sg-tacacs+)#exit<BR />3825_Lab(config)#aaa group server tacacs+ TACACS_BACKUP<BR />3825_Lab(config-sg-tacacs+)#server 192.168.200.5<BR />3825_Lab(config-sg-tacacs+)#exit<BR />3825_Lab(config)#aaa authentication login RADIUS group RADIUS_PRIMARY group RADIUS_BACKUP local<BR />3825_Lab(config)#aaa authentication login TACACS group TACACS_PRIMARY group TACACS_BACKUP local<BR />3825_Lab(config)#lin vty 0 4<BR />3825_Lab(config-line)#login authentication RADIUS<BR />AAA: Warning authentication list "RADIUS" is not defined for LOGIN.&nbsp; &lt;-----------------&nbsp; Huh?&nbsp; Didn't I just create that list 4 lines previous?</P><P></P><P>From the 'show run' it is applied to the interface:</P><P><BR />line vty 0 4<BR /> logging synchronous<BR /> login authentication RADIUS</P><P></P><P>Since my server groups are dummy groups, it should fail the radius lookup due to no server response and fall back to 'local' authentication.&nbsp; So why when I telnet in do I get dropped into 'user exec' mode rather than 'privileged exec' mode?&nbsp; My username statement is:</P><P></P><P>username admin privilege 15 password 0 admin</P><P></P><P>Any suggestions?</P><P></P><P>Regards,<BR />Scott</P> Sun, 10 Mar 2019 23:50:42 GMT Scott Pickles 2019-03-10T23:50:42Z Unexpected AAA Behavior in Lab Setup https://community.cisco.com/t5/network-access-control/unexpected-aaa-behavior-in-lab-setup/m-p/1382571#M323050 <P>I have attatched the config for my lab router in its entirety.&nbsp; The lab is air-gapped so I'm not scrubbing anything from its config.&nbsp; I configured some example server groups, and the servers are dummy servers to force a failed connection so that my understanding of the processing of an aaa authentication list is validated.&nbsp; My final login option is local, and I have a user with privilege level 15 specified.&nbsp; However, when I configured the telnet lines to use my list configured as 'RADIUS', I got an error stating that the list didn't exist.&nbsp; But when you look at the config, it is there on the vty lines.&nbsp; Also, when I login via telnet, I am not in privileged mode and I have to enter it manually.&nbsp; Below is the output on the router as I configured my aaa new-model:</P><P></P><P>3825_Lab(config)#aaa group server radius RADIUS_PRIMARY<BR />3825_Lab(config-sg-radius)#server 192.168.200.2<BR />3825_Lab(config-sg-radius)#exit<BR />3825_Lab(config)#aaa group server radius RADIUS_BACKUP<BR />3825_Lab(config-sg-radius)#server 192.168.200.3<BR />3825_Lab(config-sg-radius)#exit<BR />3825_Lab(config)#aaa group server tacacs+ TACACS_PRIMARY<BR />3825_Lab(config-sg-tacacs+)#server 192.168.200.4<BR />3825_Lab(config-sg-tacacs+)#exit<BR />3825_Lab(config)#aaa group server tacacs+ TACACS_BACKUP<BR />3825_Lab(config-sg-tacacs+)#server 192.168.200.5<BR />3825_Lab(config-sg-tacacs+)#exit<BR />3825_Lab(config)#aaa authentication login RADIUS group RADIUS_PRIMARY group RADIUS_BACKUP local<BR />3825_Lab(config)#aaa authentication login TACACS group TACACS_PRIMARY group TACACS_BACKUP local<BR />3825_Lab(config)#lin vty 0 4<BR />3825_Lab(config-line)#login authentication RADIUS<BR />AAA: Warning authentication list "RADIUS" is not defined for LOGIN.&nbsp; &lt;-----------------&nbsp; Huh?&nbsp; Didn't I just create that list 4 lines previous?</P><P></P><P>From the 'show run' it is applied to the interface:</P><P><BR />line vty 0 4<BR /> logging synchronous<BR /> login authentication RADIUS</P><P></P><P>Since my server groups are dummy groups, it should fail the radius lookup due to no server response and fall back to 'local' authentication.&nbsp; So why when I telnet in do I get dropped into 'user exec' mode rather than 'privileged exec' mode?&nbsp; My username statement is:</P><P></P><P>username admin privilege 15 password 0 admin</P><P></P><P>Any suggestions?</P><P></P><P>Regards,<BR />Scott</P> Sun, 10 Mar 2019 23:50:42 GMT https://community.cisco.com/t5/network-access-control/unexpected-aaa-behavior-in-lab-setup/m-p/1382571#M323050 Scott Pickles 2019-03-10T23:50:42Z Re: Unexpected AAA Behavior in Lab Setup https://community.cisco.com/t5/network-access-control/unexpected-aaa-behavior-in-lab-setup/m-p/1382572#M323062 <HTML><HEAD></HEAD><BODY><P>You may need to adjust somthing with the authorization settings. aaa authorization exec RADIUS group RADIUS_PRIMARY group RADIUS_BACKUP local maybe?</P></BODY></HTML> Mon, 14 Dec 2009 16:40:41 GMT https://community.cisco.com/t5/network-access-control/unexpected-aaa-behavior-in-lab-setup/m-p/1382572#M323062 rtjensen4 2009-12-14T16:40:41Z