<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: AAA login problems using ssh in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/aaa-login-problems-using-ssh/m-p/941834#M419567</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Keith&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The additional information is quite helpful. In particular your explanation of the error is different here. In the original post you indicated that it was an authentication error. But in this post you indicate that it is an authorization error - which is quite different.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;One additional question will really help us get to an understanding of this issue. When you are successful in logging in on the console (and when you attempt to SSH to the VTY) are you really authenticating with the Radius server or are you doing local authentication? (assuming that you may have set up the same user ID as a local name as what is configured in Radius I would suggest giving the local name a different password than the Radius password. This way it will be clear what is doing the authenticating).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have seen the same error with a configuration that was very similar when the server was not authenticating. It would do local authentication and then would fail on the authorization. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Note that in this situation the console will succeed and the vty will fail because by default Cisco does not do authorization on the console and does do authorization on the vty.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In my case I fixed the issue by changing the authorization slightly. I would suggest that instead of this:&lt;/P&gt;&lt;P&gt;aaa authorization exec default group radius group tssi-infb.tssiapps.sed none &lt;/P&gt;&lt;P&gt;that you configure this:&lt;/P&gt;&lt;P&gt;aaa authorization exec default group radius group tssi-infb.tssiapps.sed if-authenticated &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Rick&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 16 May 2008 18:58:40 GMT</pubDate>
    <dc:creator>Richard Burts</dc:creator>
    <dc:date>2008-05-16T18:58:40Z</dc:date>
    <item>
      <title>AAA login problems using ssh</title>
      <link>https://community.cisco.com/t5/network-access-control/aaa-login-problems-using-ssh/m-p/941830#M419563</link>
      <description>&lt;P&gt;I'm having difficulty logging in to a Catalyst4948 Switch via putty with RADIUS authentication.  The VTY and console lines are set for transport in ssh.  I can log in via the console port and authenticate with the RADIUS server.  I get an authentication failed when using putty through the VTY ports.&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 22:48:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/aaa-login-problems-using-ssh/m-p/941830#M419563</guid>
      <dc:creator>Sw33tpea1</dc:creator>
      <dc:date>2019-03-10T22:48:44Z</dc:date>
    </item>
    <item>
      <title>Re: AAA login problems using ssh</title>
      <link>https://community.cisco.com/t5/network-access-control/aaa-login-problems-using-ssh/m-p/941831#M419564</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Check for any VTY passwords set in the switch. As you get an authentication failed message, the issue might be with the keys used for authentication. If the keys mismatch then authentication fails. Also check for VTY line setup with SSH.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 05 May 2008 12:55:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/aaa-login-problems-using-ssh/m-p/941831#M419564</guid>
      <dc:creator>smahbub</dc:creator>
      <dc:date>2008-05-05T12:55:07Z</dc:date>
    </item>
    <item>
      <title>Re: AAA login problems using ssh</title>
      <link>https://community.cisco.com/t5/network-access-control/aaa-login-problems-using-ssh/m-p/941832#M419565</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Keith&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The console port is for hardwired connections and as far as I know does not support SSH connection. At least on the switches I checked you can specify an output transport protocol but not an inbound transport (I do not have a 4948 to test on however). So I am not sure the fact that the console authenticates really tells us that SSH is ok.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is it possible that the switch is configured for SSHv1 and that your putty is configured for SSHv2? There were quite a few versions of IOS that supported SSHv1 but not SSHv2.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It would help if you would post the configuration (at least the authentication parts, the SSH config, and the console and vty config).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It might help us figure out what the problem is if you would run debug ip ssh, make an effort to connect to the vty, and post the debug output.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Shumon &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If it were a key mismatch how would the console be authenticating?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Rick&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 05 May 2008 15:54:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/aaa-login-problems-using-ssh/m-p/941832#M419565</guid>
      <dc:creator>Richard Burts</dc:creator>
      <dc:date>2008-05-05T15:54:52Z</dc:date>
    </item>
    <item>
      <title>Re: AAA login problems using ssh</title>
      <link>https://community.cisco.com/t5/network-access-control/aaa-login-problems-using-ssh/m-p/941833#M419566</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Here's my configuration.  When I go through the console port I authenticate to the RADIUS server.  However, when I try using SSH through the VTY ports I get an authorization failed message.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;aaa new-model&lt;/P&gt;&lt;P&gt;aaa group server radius tssi-infb.tssiapps.sed&lt;/P&gt;&lt;P&gt; server 10.100.10.45 auth-port 1645 acct-port 1646&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;aaa authentication login default group radius group tssi-infb.tssiapps.sed local enable&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;aaa authentication login aaa-fallback group radius group  radius group tssi-infb.tssiapps.sed local&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;aaa authorization exec default group radius group tssi-infb.tssiapps.sed none&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;ip ssh version 2&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;radius-server host 10.100.10.45 auth-port 1645 acct-port 1646&lt;/P&gt;&lt;P&gt;radius-server key XXXXXX&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;line con 0 &lt;/P&gt;&lt;P&gt;password xxxxxx&lt;/P&gt;&lt;P&gt;login authentication aaa-fallback&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;line vty 0 4&lt;/P&gt;&lt;P&gt;login authentication aaa-fallback&lt;/P&gt;&lt;P&gt;transport input ssh&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 16 May 2008 14:11:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/aaa-login-problems-using-ssh/m-p/941833#M419566</guid>
      <dc:creator>Sw33tpea1</dc:creator>
      <dc:date>2008-05-16T14:11:45Z</dc:date>
    </item>
    <item>
      <title>Re: AAA login problems using ssh</title>
      <link>https://community.cisco.com/t5/network-access-control/aaa-login-problems-using-ssh/m-p/941834#M419567</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Keith&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The additional information is quite helpful. In particular your explanation of the error is different here. In the original post you indicated that it was an authentication error. But in this post you indicate that it is an authorization error - which is quite different.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;One additional question will really help us get to an understanding of this issue. When you are successful in logging in on the console (and when you attempt to SSH to the VTY) are you really authenticating with the Radius server or are you doing local authentication? (assuming that you may have set up the same user ID as a local name as what is configured in Radius I would suggest giving the local name a different password than the Radius password. This way it will be clear what is doing the authenticating).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have seen the same error with a configuration that was very similar when the server was not authenticating. It would do local authentication and then would fail on the authorization. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Note that in this situation the console will succeed and the vty will fail because by default Cisco does not do authorization on the console and does do authorization on the vty.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In my case I fixed the issue by changing the authorization slightly. I would suggest that instead of this:&lt;/P&gt;&lt;P&gt;aaa authorization exec default group radius group tssi-infb.tssiapps.sed none &lt;/P&gt;&lt;P&gt;that you configure this:&lt;/P&gt;&lt;P&gt;aaa authorization exec default group radius group tssi-infb.tssiapps.sed if-authenticated &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Rick&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 16 May 2008 18:58:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/aaa-login-problems-using-ssh/m-p/941834#M419567</guid>
      <dc:creator>Richard Burts</dc:creator>
      <dc:date>2008-05-16T18:58:40Z</dc:date>
    </item>
    <item>
      <title>Re: AAA login problems using ssh</title>
      <link>https://community.cisco.com/t5/network-access-control/aaa-login-problems-using-ssh/m-p/941835#M419568</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Rick,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks again for the response.  To answer your question, I do have a different username and password set up for the local than what is on the Radius.  When looking at the Radius log it shows where the authorization is granted.  I ran debug as well and can see the authorization messages for the console and see the fail messages for the vty.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I will try the command you suggested and see if that fixes the problem.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Keith&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 19 May 2008 11:16:28 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/aaa-login-problems-using-ssh/m-p/941835#M419568</guid>
      <dc:creator>Sw33tpea1</dc:creator>
      <dc:date>2008-05-19T11:16:28Z</dc:date>
    </item>
  </channel>
</rss>

