AAA Config and console login

Roger Base
Level 1

I just implemented some AAA config in the switch configuration so all my telnet users are validated by ISE. But now it looks like the config also affected the console login, which was not intended. How should I implement this without affecting the console login?


SW1#show run   
Building configuration...

Current configuration : 4221 bytes
!
version 12.2
no service pad
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
logging buffered informational
logging monitor informational
!
!
!
aaa new-model
!
!
aaa group server radius ISE
 server-private X.X.X.X auth-port 1645 acct-port 1646 key cisco
 ip radius source-interface Loopback0
!
aaa authentication login default group ISE local
aaa authorization exec default group ISE local 
aaa authorization network default group ISE local 

!
interface Loopback0
 ip address X.X.X.X 255.255.255.255
!
line con 0
 exec-timeout 0 0
 logging synchronous level 0 limit 20
line vty 0 4
 logging synchronous
line vty 5 15
!
end


4 Replies

You can configure an extra authentication and authorization-rule for the console.

For authentication it could look like the following:

aaa authentication login LOCAL-ENA enable
line con 0
  login authentication LOCAL-ENA


Hi Karsten, 

I actually just solved it by making my own rules instead of using the default values.

Before:

aaa authentication login default group ISE local
aaa authorization exec default group ISE local 
aaa authorization network default group ISE local  

After:

aaa authentication login MYLOGIN group ISE local
aaa authorization exec MYEXEC group ISE local 
aaa authorization network MYNETWORK group ISE local  


I am trying to figure out how to get rid of these two default commands now... Maybe you know the answer...

aaa authentication dot1x default group ISE
aaa authorization network default group ISE 

My dot1x stops working if I make my own dot1x lists, like aaa authentication dot1x MYDOTX group ISE and aaa authorization network MYNETWORK group ISE. So I am trying to figure this out...


The commands 

aaa authentication dot1x default group ISE
aaa authorization network default group ISE 

are part of a .1x implementation and should stay in your config if you still want to use .1x. But for other functions like login you can use named authentication and authorization lists if you need to. In your first post you say you want to authenticate telnet users by ISE, but not the console users. For that you can keep the general login configured with the default command and just use a named authentication list for your console, as shown above.

Or what exactly do you want to achieve?


I added this command

aaa authorization console


I have not had any issues with logging in since.
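As an added example (not from anyone in this thread), a small Python checker that resolves which AAA method lists actually apply to each line of an IOS running-config, using the two rules the replies above rely on: a line with no named list falls back to the default list, and exec authorization is not applied to the console unless aaa authorization console is configured. The sample config is constructed from the one in the question with Karsten's named list applied; no real addresses or keys are included.

```python
import re

# Constructed sample modelled on the running-config in the question, with Karsten's
# named list applied to the console (no real addresses or keys are included).
SAMPLE_CONFIG = """\
aaa authentication login default group ISE local
aaa authentication login LOCAL-ENA enable
aaa authorization exec default group ISE local
aaa authentication dot1x default group ISE
line con 0
 login authentication LOCAL-ENA
line vty 0 4
line vty 5 15
"""

AAA_LIST = re.compile(r"aaa (authentication login|authorization exec) (\S+) (.+)")
LINE_SUB = re.compile(r"\s+(login authentication|authorization exec) (\S+)")
KIND = {"authentication login": "login", "login authentication": "login",
        "authorization exec": "exec"}

def effective_aaa(config):
    """Map each 'line' block to the login/exec method lists that actually apply.
    IOS rules applied: a line with no named list falls back to 'default', and
    exec authorization skips the console unless 'aaa authorization console' is set."""
    lists, lines, current, console_authz = {}, {}, None, False
    for raw in config.splitlines():
        if m := AAA_LIST.match(raw):                    # global method-list definition
            lists[(KIND[m[1]], m[2])] = m[3].split()
        elif raw.strip() == "aaa authorization console":
            console_authz = True
        elif raw.startswith("line "):                   # start of a 'line ...' block
            current = raw[5:].strip()
            lines[current] = {}
        elif current and (m := LINE_SUB.match(raw)):    # per-line named-list override
            lines[current][KIND[m[1]]] = m[2]
        elif not raw.startswith(" "):                   # any other top-level command
            current = None
    result = {}
    for name, overrides in lines.items():
        login = lists.get(("login", overrides.get("login", "default")), ["<no list configured>"])
        if name.startswith("con") and not console_authz:
            exec_ = ["<console exempt: 'aaa authorization console' not set>"]
        else:
            exec_ = lists.get(("exec", overrides.get("exec", "default")), ["<no list configured>"])
        result[name] = {"login": login, "exec": exec_}
    return result

def console_uses_remote_aaa(config):
    """True when console login would be sent to a RADIUS/TACACS+ server group."""
    return "group" in effective_aaa(config)["con 0"]["login"]
```

Running it against the original poster's config (without the login authentication LOCAL-ENA line) reports the console login going to group ISE, which is the behaviour the thread set out to avoid.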