
Local console & RADIUS failure

Gordon Ross
Level 9

I'm running various Cisco devices with IOS 15.x

I've configured AAA and Radius:

aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting system default start-stop group radius
radius server foo
 address ipv4 192.168.1.1 auth-port 1812 acct-port 1813
 key 7 ..

When everything is running fine, I can login either via SSH or via the local console and use my radius authentication.

But when there is a problem (e.g. router not connected to network) I'm unable to login to the console. In fact, I'm unable to even get a login prompt! All I get is:

User Access Verification

% Authentication failed

% Authentication failed

% Authentication failed

Which is scrolled off the screen.

I do have a local user configured:

username myadmin privilege 15 secret 5 ...

If the Radius server is offline (but the box is on the network) I can SSH in with the backup username/password. But if the box is not connected to the network at all, I can't get it at all! I end up having to reboot and bypass the local config :-(

What do I need to change, to get a console login prompt when the network is down?

Thanks,

GTG

Please rate all helpful posts.
2 Replies

Jatin Katyal
Cisco Employee

Could you please attach the complete running-config?

Jatin Katyal
- Do rate helpful posts -

~Jatin

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cnh-vgway-2
!
boot-start-marker
boot-end-marker
!
!
card type e1 0 0
card type e1 0 1
logging buffered 51200 warnings
!
aaa new-model
!
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
no ipv6 cef
ip source-route
ip cef
!
ip domain name acme.com
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2066324434
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2066324434
 revocation-check none
 rsakeypair TP-self-signed-2066324434
!
crypto pki certificate chain TP-self-signed-2066324434
 certificate self-signed 01
[snip]
      quit
voice-card 0
!
username XXXX privilege 15 [snip]
!
redundancy
!
ip ssh version 2
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address dhcp
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 10 permit ...
!
radius server Radius-Server
 address ipv4 192.168.1.1 auth-port 1812 acct-port 1813
 key 7 XXXXX
!
control-plane
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 10 in
 privilege level 15
 transport input ssh
line vty 5 15
 access-class 10 in
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
end

I've removed the dull list of all the WAN interfaces.

GTG

Please rate all helpful posts.
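
An added example, not part of the thread or anyone's reply in it: a small Python audit that reads an IOS running-config like the one posted above and reports, for each `line` section, which AAA login method list applies and the order in which its methods are tried. The function names and the embedded sample are constructed for illustration; the script assumes the IOS rule that a line with no `login authentication <list>` command uses the `default` list, and it does not diagnose why the console prompt fails.

```python
import re

# Constructed sample: the AAA, username and line sections of a config like the one posted.
SAMPLE = """\
aaa new-model
aaa authentication login default group radius local
username XXXX privilege 15 secret 5 PLACEHOLDER
line con 0
line aux 0
line vty 0 4
 transport input ssh
"""

def parse_login_lists(config):
    """Map each 'aaa authentication login <name> ...' list to its ordered methods
    ('group radius' or 'group <server-group>' is treated as a single method)."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        words, methods = m.group(2).split(), []
        while words:
            w = words.pop(0)
            methods.append(f"group {words.pop(0)}" if w == "group" and words else w)
        lists[m.group(1)] = methods
    return lists

def parse_lines(config):
    """Map each 'line ...' header to the login list applied ('default' if none is set)."""
    applied, current = {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if text.startswith("line "):
            current = text
            applied[current] = "default"
        elif text in ("!", "end"):
            current = None  # section delimiters close the current line block
        elif current and (m := re.match(r"login authentication (\S+)$", text)):
            applied[current] = m.group(1)
    return applied

def audit(config):
    """Per line: list name, method order, and whether a usable local method is in the chain."""
    lists = parse_login_lists(config)
    has_user = bool(re.search(r"^username \S+ ", config, re.M))
    return {line: {"list": name, "methods": lists.get(name, []),
                   "local_fallback": "local" in lists.get(name, []) and has_user}
            for line, name in parse_lines(config).items()}

if __name__ == "__main__":
    for line, info in audit(SAMPLE).items():
        print(f"{line:13} list={info['list']} order={' -> '.join(info['methods'])}")
```

On the sample, every line, including `line con 0`, resolves to the `default` list, so the console tries `group radius` before `local`.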