03-03-2009 05:35 AM - edited 03-10-2019 04:22 PM
Or remove them. Good morning. My goal is to have one or two internal logins on each Cisco device and then allow RADIUS authentication for telnet or SSH.
Is there a simple way to do this on a Cisco Device?
Thanks
Dwane
03-03-2009 07:44 AM
Hi Dwane, what you mean is that you want the first 2 connections via telnet or SSH to be authenticated via the LOCAL database and the subsequent connections to be authenticated via a RADIUS server? I think this can be done only on devices that use the line vty connections.
Since the line VTY numbers go from 0 to 15, you can configure each line separately using, for example, something like this:
aaa authentication login LINE1_2 local
aaa authentication login LINE3_16 group radius
line vty 0
login authentication LINE1_2
line vty 1
login authentication LINE1_2
line vty 2 15
login authentication LINE3_16
The way this works is that when you initially telnet/SSH to your router, you will be connected to line vty 0 using LOCAL authentication; the same applies to line 1. Once you have used both line 0 and line 1 and you try to connect again, you will be placed on line vty 2, which is authenticating via RADIUS.
Note that RADIUS authentication will only apply, or kick in, if the previous lines are in use.
HTH
Ivan
03-03-2009 08:34 AM
No, what I would like to do is only be able to authenticate via RADIUS authentication, and if RADIUS authentication fails, I would like to be able to use a local username.
I see what you are saying, but I think what I need to do is create
aaa authentication login LINE1 radius local
line vty 0
login authentication LINE1
line vty 1
login authentication LINE1
line vty 2 15
login authentication LINE1
This will work, right?
03-03-2009 08:38 AM
Oh, I see what you mean: use local authentication when RADIUS fails! You almost got it right.
aaa authentication login LINE1 group radius local
line vty 0 4 "or"
line vty 0 15
login authentication LINE1
03-03-2009 08:40 AM
Ivan,
Thank you. Now one last quick question, when I create a username and give them a privilege of 15, that should give them enable-mode capabilities, correct?
Dwane
03-03-2009 08:47 AM
You need to configure authorization as well to make this happen:
aaa authorization exec LINE1 group radius local
line vty 0 15
authorization exec LINE1
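Putting the accepted answer and the authorization follow-up together, here is a complete IOS configuration as an added example; it is not from the original thread or from any of the posters. The RADIUS server address, shared secret, and account names are placeholders chosen for illustration, and the comments spell out the behaviour of the method list that the thread leaves implicit.

```cisco
! Added example (not from the original thread). Placeholders: the RADIUS
! server 10.0.0.10, the shared secret, the username and the passwords.
aaa new-model
!
! Local fallback account. Use 'secret' (hashed), not 'password' (reversible).
username admin-local privilege 15 secret <strong-password>
enable secret <strong-enable-password>
!
! 2009-era syntax; on IOS 15.2+ the equivalent is a 'radius server <name>'
! block with 'address ipv4 10.0.0.10 auth-port 1812 acct-port 1813' and 'key'.
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key <shared-secret>
!
! Try RADIUS first and fall back to the local database only when the radius
! group returns an ERROR (no server reachable). A REJECT from RADIUS ends the
! list, so a wrong password does not fall through to the local account.
aaa authentication login LINE1 group radius local
!
! Without exec authorization a RADIUS-authenticated user lands at privilege 1,
! whatever 'privilege 15' says on the local username. For RADIUS users the
! server must return Cisco-AVPair "shell:priv-lvl=15" (or Service-Type
! Administrative); when this list falls back to 'local', the privilege on
! the local username applies.
aaa authorization exec LINE1 group radius local
!
line vty 0 15
 login authentication LINE1
 authorization exec LINE1
 transport input ssh
```

Two practical notes. The console is not subject to `aaa authorization exec` lists unless `aaa authorization console` is also configured, so keep a console session open while changing these lists; a mistake on the vty lines then cannot lock you out completely. Before relying on the fallback, confirm the RADIUS path with `test aaa group radius <user> <password> new-code` and then watch `debug aaa authentication` while logging in with the RADIUS server unreachable, to see the list move from `radius` to `local`.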