Can't Console to device after configuration AAA

Jason Regan
Level 1

I've been implementing ISE into my environment and since configuring my devices to authenticate against the server I have not been able to connect to the devices using the Console connection.

Below is a snippet of the config for the device.

username local-admin privilege 15 password 7 06205F334868591A1004
aaa new-model
!
!
aaa group server radius ISE_Servers
 server 10.200.1.19 auth-port 1645 acct-port 1646
 server 10.200.2.19 auth-port 1645 acct-port 1646
!
aaa authentication login default group ISE_Servers local
aaa authentication enable default group ISE_Servers enable
aaa authorization exec default group ISE_Servers local if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group ISE_Servers
aaa accounting connection default start-stop group ISE_Servers
radius-server host 10.200.1.19 auth-port 1645 acct-port 1646 key 7 0231504919570126581E0754241411585951
radius-server host 10.200.2.19 auth-port 1645 acct-port 1646 key 7 097B1A1B0B5419151F5C0A670A272B606077
!
line con 0
 exec-timeout 0 0
 password 7 1068590B013142081917
line vty 0 4
 password 7 096A1E1B1D2347111E1F
 length 0
line vty 5 15
 password 7 096A1E1B1D2347111E1F
!

Any assistance and/or advice would be greatly appreciated.

Thanks

1 Accepted Solution

ISE_Servers is a name of radius-server group. He actually applied a default method-list.

aaa authentication login default group ISE_Servers local

Jatin Katyal
- Do rate helpful posts -

~Jatin

8 Replies 8

Jatin Katyal
Cisco Employee

What error message are you getting on ISE live authentication section?

aaa authentication login default group ISE_Servers local

The above command applies AAA on all the lines including console.

Would you like to exempt console from authentication? Do you have access to the device through telnet/ssh in case we need to make some changes or run the debugs?

Jatin Katyal
- Do rate helpful posts -

~Jatin

nspasov
Cisco Employee

I think the problem is that you have created AAA authentication methods but you are not referencing/calling them in your console and vty sessions.

Try adding this and let me know what happens:

line con 0
 login authentication ISE_Servers

Thank you for rating!

ISE_Servers is a name of radius-server group. He actually applied a default method-list.

aaa authentication login default group ISE_Servers local

Jatin Katyal
- Do rate helpful posts -

~Jatin

Ahh, you are absolutely correct! I misread the statement. So yes, the default group is being used. Please ignore my previous comment.

Thanks Jatin,

That is what the problem was along with not applying to the VTY lines which left the Authentication as a global setting rather than per line.

Thanks again for your help

Jason

So have you now applied the method list on console line and exempted it from the AAA authentication?

Is that working now? All set?

Jatin Katyal
- Do rate helpful posts -

~Jatin

I've applied the Authentication to the VTY and just local login for the Console

All working now, many thanks

Glad. Good day ahead!

Jatin Katyal
- Do rate helpful posts -

~Jatin
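
As an added example (not code from any participant in this thread): a small Python check that resolves which login method list each line of an IOS configuration ends up using, run over a constructed reduction of the original configuration and a fixed variant matching the resolution described above. The list names CONSOLE and VTY_ISE are hypothetical, and the parser assumes the indentation that show running-config produces.

```python
import re

# Constructed samples in "show running-config" indentation; passwords omitted.
ORIGINAL = """\
aaa new-model
aaa authentication login default group ISE_Servers local
line con 0
 exec-timeout 0 0
line vty 0 4
 length 0
"""
# List names CONSOLE and VTY_ISE are hypothetical; the thread does not name them.
FIXED = """\
aaa new-model
aaa authentication login default group ISE_Servers local
aaa authentication login CONSOLE local
aaa authentication login VTY_ISE group ISE_Servers local
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication VTY_ISE
"""

def effective_login_methods(config):
    """Return {line block: (method-list name, methods or None if undefined)}."""
    lists, applied, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if raw[:1].isspace() and current:          # sub-command of a line block
            m = re.fullmatch(r"login authentication (\S+)", text)
            if m:
                applied[current] = m.group(1)
            continue
        current = None
        m = re.fullmatch(r"aaa authentication login (\S+) (.+)", text)
        if m:
            lists[m.group(1)] = m.group(2).split()
        elif re.match(r"line (con|vty|aux) ", text):
            current = text
            applied[current] = "default"           # no per-line list: default applies
    return {ln: (name, lists.get(name)) for ln, name in applied.items()}

def consoles_needing_radius(config):
    """Console lines whose first login method is a server group."""
    # IOS moves to the next method only when the servers do not answer,
    # not when they reject the login, so 'local' here is not a safety net.
    return [ln for ln, (_, methods) in effective_login_methods(config).items()
            if ln.startswith("line con") and methods and methods[0] == "group"]

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, effective_login_methods(cfg), consoles_needing_radius(cfg))
```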