06-24-2013 04:13 AM - edited 03-10-2019 08:34 PM
Hi,
I have configured RADIUS authentication for VTY access to a Catalyst 2960S running 15.0(2)SE2.
The RADIUS server is a Microsoft server running the Network Policy and Access Service role (Microsoft's own RADIUS server).
Everything is ok apart from the login prompts. I want to customise these with a banner, username prompt and password prompt. I have added the lines below to my config:
aaa authentication banner ^Chello^C
aaa authentication password-prompt "Enter your password:"
aaa authentication username-prompt "Enter your username:"
However when I ssh to the switch I just see the output below:
login as: james.hawkins
Using keyboard-interactive authentication.
Password:
ASWTRE-BF01#
My config is shown below:
!
aaa authentication banner ^Chello^C
aaa authentication password-prompt "Enter your password:"
aaa authentication username-prompt "Enter your username:"
aaa authentication login default local-case
aaa authentication login SSH group radius local-case
aaa authentication enable default enable
aaa authorization exec default local
aaa authorization exec SSH group radius local
!
radius server TREREC-01
 address ipv4 10.3.32.51 auth-port 1812 acct-port 1813
 key 7 08171E61K281D08461C
!
!
!
line con 0
 logging synchronous
line vty 0 4
 exec-timeout 360 0
 authorization exec SSH
 logging synchronous
 login authentication SSH
 transport input ssh
line vty 5 15
 exec-timeout 360 0
 authorization exec SSH
 logging synchronous
 login authentication SSH
 transport input ssh
!
Is there anything that I am missing?
07-08-2013 06:34 AM
James,
I tried doing the same at my end.
I was able to see the banners with the above configuration. Can you please check if you have the enable secret defined?
And try to do telnet/ssh from some router/switch connected to the same device.
Keyboard authentication prompt is a client setting.
Best Regards,
Tushar Gaba.
07-11-2013 01:12 AM
James:
You use the line:
aaa authentication login SSH group radius local-case
Are you sure that the RADIUS is reachable? If the RADIUS is not reachable it will check the local DB for the username. I am not quite sure if local DB auth displays the banner.
Rating useful replies is more useful than saying "Thank you"
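An added example, not part of any reply in this thread: a small Python audit that resolves which login method list each line uses and in what order the methods are tried, which makes the RADIUS-then-local fallback raised above visible per line. The sample is constructed from the configuration posted in the question; the function names are hypothetical, and it assumes a line with no `login authentication` command uses the `default` list.

```python
import re

# Constructed sample: AAA and line sections of the configuration posted above.
CONFIG = """\
aaa authentication login default local-case
aaa authentication login SSH group radius local-case
!
line con 0
 logging synchronous
line vty 0 4
 login authentication SSH
 transport input ssh
line vty 5 15
 login authentication SSH
 transport input ssh
!
"""

def login_method_lists(config):
    """Map each 'aaa authentication login' list name to its ordered methods."""
    lists = {}
    for m in re.finditer(r"^\s*aaa authentication login (\S+) (.+)$", config, re.M):
        # "group radius" is a single method, so keep the two words together
        lists[m.group(1)] = re.findall(r"group \S+|\S+", m.group(2).strip())
    return lists

def line_login_methods(config):
    """Return {line name: (list name, ordered methods)} for every line block."""
    lists = login_method_lists(config)
    applied, current = {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if text.startswith("line "):
            current = text[len("line "):]
            applied[current] = "default"  # assumption: no named list means 'default'
        elif text == "!":
            current = None                # '!' closes the current line block
        elif current and text.startswith("login authentication "):
            applied[current] = text.split()[2]
    return {name: (lst, lists.get(lst, [])) for name, lst in applied.items()}

def fallback_report(config):
    """One summary string per line: first method and what it falls back to."""
    report = []
    for name, (lst, methods) in line_login_methods(config).items():
        first, rest = (methods[0], methods[1:]) if methods else ("none", [])
        note = f"falls back to {', '.join(rest)} if {first} does not respond" if rest else "no fallback"
        report.append(f"line {name}: list {lst}: {first} ({note})")
    return report

if __name__ == "__main__":
    print("\n".join(fallback_report(CONFIG)))
```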