
aaa authentication console problem

a.srivastav
Level 1

Hi,

I have configured AAA on Cisco switches and routers, and the AAA server is open-source FreeRADIUS. When I try to SSH to the switch, I am able to log in to the device using RADIUS authentication. It's working fine, but when I try to access the switch using the console, it asks for the username and password and I am able to log in to user mode. After that it asks for the enable password, but I am not able to log in using the local password or the RADIUS password.

Below is the configuration of the switch for AAA authentication:

username cisco secret 5 $1$tiM.$fk18bg8A/hfumyfe6j9lS2

aaa new-model

aaa group server radius radiuss

server x.x.x.x auth-port 1812 acct-port 1813

aaa authentication login default group radiuss local

aaa authentication login CONSOLE local

aaa authentication enable default group radius

aaa authorization exec default group radius if-authenticated

aaa session-id common

radius-server host x.x.x.x auth-port 1812 acct-port 1813 key 7 01030F145726575B701A1758

line con 0

exec-timeout 5 0

password 7 0822455D0A16

login authentication CONSOLE

8 Replies

cadet alain
VIP Alumni

Hi,

Take a look here:

Did you do what is explained for enable password on radius server:

http://wiki.freeradius.org/Cisco#Enable_Mode

Regards.

Alain.

Don't forget to rate helpful posts.

thanx

andamani
Cisco Employee

Hi,

Please remove the following command:

aaa authentication login default group radiuss local

The above command will ensure that authentication happens on all three lines: console, aux and vty.

Hope this helps,

Regards

Anisha

P.S.: Please mark this post as answered if you feel your query is answered. Do rate helpful posts.

Thanx

a.srivastav
Level 1

Hi all,

My problem is that from Telnet I can access the switch via RADIUS authentication, but from the console, after user mode (>), I am not able to enter privileged mode (#). It asks again for a password, and it is not accepting either the enable or the enable secret one which I had given.

On the previous blog, there was the command for AAA new model... any guess... I read what you all gave...

Hi Anshuman,

That is happening because of the following command which is configured:

aaa authentication enable default group radius

You need to enter the enable password configured for the user which is used for logging in. This will be defined on the radius server.

Hope this helps.

Regards,

Anisha

P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.

Anshuman,

If you have not configured any enable password per user on the radius server then please remove the following commands and try login again.

aaa authentication enable default group radius

aaa authorization exec default group radius if-authenticated

Hope this helps.

Regards,

Anisha

P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.
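
An added example, not part of the original thread and not Cisco or FreeRADIUS code: a small Python check that resolves which login and enable method lists apply to each line in the posted configuration, and flags an enable list that depends on RADIUS alone. The `line vty 0 4` entry and the function names are assumptions made for the illustration.

```python
import re

# Constructed sample: the AAA lines posted in the question. "line vty 0 4" is an
# assumption added here to show a line that falls back to the default login list.
CONFIG = """\
aaa new-model
aaa authentication login default group radiuss local
aaa authentication login CONSOLE local
aaa authentication enable default group radius
line con 0
 login authentication CONSOLE
line vty 0 4
"""

def parse_methods(tokens):
    """Fold 'group NAME' pairs into single entries, e.g. ['group radiuss', 'local']."""
    out, i = [], 0
    while i < len(tokens):
        step = 2 if tokens[i] == "group" and i + 1 < len(tokens) else 1
        out.append(" ".join(tokens[i:i + step]))
        i += step
    return out

def audit(config):
    """Return ({line: {'login': [...], 'enable': [...]}}, enable_is_remote_only)."""
    lists, lines, current = {"login": {}, "enable": {}}, {}, None
    for raw in config.splitlines():
        text, nested = raw.strip(), raw.startswith(" ")
        m = re.match(r"aaa authentication (login|enable) (\S+) (.+)", text)
        if m:
            lists[m.group(1)][m.group(2)] = parse_methods(m.group(3).split())
        elif text.startswith("line ") and not nested:
            current = text
            lines[current] = "default"      # no 'login authentication' => default list
        elif nested and current and text.startswith("login authentication "):
            lines[current] = text.split()[2]
        elif text and not nested:
            current = None                  # left line-configuration mode
    # Enable has only a default list and it applies on every line, console included.
    # Without one, IOS checks the local enable password.
    enable = lists["enable"].get("default", ["enable"])
    report = {ln: {"login": lists["login"].get(name, []), "enable": enable}
              for ln, name in lines.items()}
    # Later methods run only if an earlier one errors (server unreachable), not on reject,
    # so a list made only of server groups never consults a local enable secret.
    return report, all(m.startswith("group ") for m in enable)

if __name__ == "__main__":
    report, remote_only = audit(CONFIG)
    for ln, methods in report.items():
        print(ln, methods)
    print("enable relies on RADIUS only:", remote_only)
```

On the posted configuration the console resolves to local login but RADIUS-only enable, which matches the symptom described; appending the `enable` method to the enable list clears the flag.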

hello

Just a thought, but shouldn't your local username:

username cisco secret 5 $1$tiM.$fk18bg8A/hfumyfe6j9lS2

be given level 15 privileges:

username cisco privilege 15 secret 5 $1$tiM.$fk18bg8A/hfumyfe6j9lS2

hth

andy