06-10-2013 01:44 AM - edited 03-10-2019 08:31 PM
I'm running various Cisco devices with IOS 15.x
I've configured AAA and Radius:
aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting system default start-stop group radius
radius server foo
 address ipv4 192.168.1.1 auth-port 1812 acct-port 1813
 key 7 ..
When everything is running fine, I can log in either via SSH or via the local console and use my radius authentication.
But when there is a problem (e.g. router not connected to network) I'm unable to log in to the console. In fact, I'm unable to even get a login prompt! All I get is:
User Access Verification
% Authentication failed
% Authentication failed
% Authentication failed
Which is scrolled off the screen.
I do have a local user configured:
username myadmin privilege 15 secret 5 ...
If the Radius server is offline (but the box is on the network) I can SSH in with the backup username/password. But if the box is not connected to the network at all, I can't get it at all! I end up having to reboot and bypass the local config :-(
What do I need to change to get a console login prompt when the network is down?
Thanks,
GTG
06-10-2013 06:46 AM
Could you please attach the complete running-config?
Jatin Katyal
- Do rate helpful posts -
06-10-2013 07:08 AM
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cnh-vgway-2
!
boot-start-marker
boot-end-marker
!
!
card type e1 0 0
card type e1 0 1
logging buffered 51200 warnings
!
aaa new-model
!
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
no ipv6 cef
ip source-route
ip cef
!
ip domain name acme.com
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2066324434
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2066324434
 revocation-check none
 rsakeypair TP-self-signed-2066324434
!
crypto pki certificate chain TP-self-signed-2066324434
 certificate self-signed 01
  [snip]
  quit
voice-card 0
!
username XXXX privilege 15 [snip]
!
redundancy
!
ip ssh version 2
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address dhcp
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 10 permit ...
!
radius server Radius-Server
 address ipv4 192.168.1.1 auth-port 1812 acct-port 1813
 key 7 XXXXX
!
control-plane
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 10 in
 privilege level 15
 transport input ssh
line vty 5 15
 access-class 10 in
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
end
I've removed the dull list of all the WAN interfaces.
GTG