setup different authentication order for different methods

berkleyapac (Level 1)

Hi Guys,

First of all, apologies for the confusing title.

I have a very peculiar request about setting up a different authentication order on different lines.

For example, if you are trying to log on to the device via telnet/ssh (vty) then it should look at RADIUS first and then local, and if you are trying to log on to the device via the console then it should first look at the local database and then go to RADIUS.

 

At the moment I cannot issue the command

line con 0 
login local

Below is the router info FYI

Router # show version
Cisco IOS XE Software, Version 03.16.02.S - Extended Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Thu 11-Feb-16 08:58 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2016 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON

AUNRE01-RWPDC01 uptime is 2 years, 25 weeks, 2 days, 23 hours, 9 minutes
Uptime for this control processor is 2 years, 25 weeks, 2 days, 23 hours, 10 minutes
System returned to ROM by reload at 09:41:05 EAST Sat Sep 17 2016
System restarted at 09:43:29 EAST Sat Sep 17 2016
System image file is "bootflash:isr4400-universalk9.03.16.02.S.155-3.S2-ext.SPA.bin"
Last reload reason: Reload Command



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.



Suite License Information for Module:'esg'

--------------------------------------------------------------------------------
Suite                 Suite Current         Type           Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9     None                  None           None
securityk9
appxk9

AdvUCSuiteK9          None                  None           None
uck9
cme-srst
cube


Technology Package License Information:

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
appxk9           None             None             None
uck9             uck9             Permanent        uck9
securityk9       None             None             None
ipbase           ipbasek9         Permanent        ipbasek9

cisco ISR4451-X/K9 (2RU) processor with 1655569K/6147K bytes of memory.
Processor board ID FGL1944123V
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7341807K bytes of flash memory at bootflash:.

Configuration register is 0x2102

Router# show ver | b line con 0
line con 0
session-timeout 20
exec-timeout 30 0
timeout login response 300
privilege level 15
logging synchronous
stopbits 1
line aux 0
session-timeout 20
exec-timeout 30 0
timeout login response 300
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
session-timeout 20
exec-timeout 20 0
timeout login response 300
transport preferred none
transport input ssh
line vty 5 15
session-timeout 20
exec-timeout 20 0
timeout login response 300
transport preferred none
transport input ssh
!

Can you please shed some light on this one?

Thanks

Accepted Solution

You can configure more than one aaa authentication method list and then reference each one separately. For example, configure one for just local and another for RADIUS & then fallback to local. Then on the console call the just-local method & on your vty lines call the RADIUS/local method.
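A complete IOS configuration implementing this answer with the asker's requested order (console: local then RADIUS; vty: RADIUS then local), added here as an example rather than taken from the thread. The list names CONSOLE_AUTH and VTY_AUTH and the local username are assumptions; the server group NPS is the one in the asker's running config.

```cisco
! Added example, not the thread's own config. Method-list names
! CONSOLE_AUTH / VTY_AUTH and the username are assumed; the server
! group NPS is the one from the asker's running config.
aaa new-model
!
! Local fallback account (placeholder credentials). Without a local
! user, the "local" / "local-case" method can never succeed.
username admin privilege 15 secret <LOCAL_PASSWORD>
!
aaa group server radius NPS
 server name NPS1
 server name NPS2
!
! Console: local database first; RADIUS is consulted only if the
! username is not found locally (a wrong local password is a reject
! and ends the attempt, it does not fall through to RADIUS).
aaa authentication login CONSOLE_AUTH local-case group NPS
!
! SSH/telnet: RADIUS first; local database is used only when no
! RADIUS server in the group answers, not when RADIUS rejects the user.
aaa authentication login VTY_AUTH group NPS local-case
!
! Keep a default list so any line without an explicit list is covered.
aaa authentication login default group NPS local-case
!
! With aaa new-model the line command is "login authentication <list>";
! the pre-AAA "login local" form is no longer available on the lines.
line con 0
 login authentication CONSOLE_AUTH
line vty 0 15
 login authentication VTY_AUTH
```

Method fallback only happens when a method returns an error (server unreachable, username absent from the local database); an explicit reject ends the attempt, which is worth confirming with `debug aaa authentication` from a second session before relying on the console order.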


3 Replies

Mike.Cifelli (VIP Alumni)
Under your AAA config deploy another authentication string that you will then call on your line con 0 config. It should look something like this:

aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE

HTH!

Hello Mike

Thanks for your response, it did work but then it wouldn't fail over to RADIUS.

Here is the current config for reference

 

aaa group server radius NPS
server name NPS1
server name NPS2
!
aaa authentication login default group NPS local-case
!
radius server NPS1
address ipv4 172.226.2.1 auth-port 1645 acct-port 1646
key 7 06112E
!
radius server NPS2
address ipv4 172.225.2.1 auth-port 1645 acct-port 1646
key 7 06112E
!
line con 0
session-timeout 20
exec-timeout 3 0
timeout login response 300
privilege level 15
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
session-timeout 3
exec-timeout 3 0
timeout login response 300
transport preferred none
transport input ssh
line vty 5 15
session-timeout 3
exec-timeout 3 0
timeout login response 300
transport preferred none
transport input ssh
!
