Unable to authenticate in Console, but can via SSH

JXGulotta
Level 1

Having issues setting up an AAA configuration. Currently, we have a RADIUS server group that is set to be the default; however, when I try to log in to a switch via console cable, it is unable to authenticate to the RADIUS server and it is unable to use the local account. I'm having the same issue across 3560, 3750, 3650, and 9300 Catalyst switches in our environment. Ideally, the end state would be to allow console connections to authenticate to the RADIUS server. Configs to follow:
aaa new-model
!
!
aaa group server radius [server group name]
 server name [server1]
 server name [server2]
!
aaa authentication login default group [server group name] local
aaa authentication enable default group [server group name] enable
aaa authorization config-commands
aaa authorization exec default group [server group name] local
aaa authorization configuration default group [server group name]
aaa accounting exec default start-stop group [server group name]
!
aaa session-id common
!
radius server [server1]
 address ipv4 [IP Address] auth-port [port] acct-port [port]
 timeout 3
 key [key]
!
!
radius server [server2]
 address ipv4 [IP Address] auth-port [port] acct-port [port]
 timeout 3
 key [key]
!
!
line con 0
 stopbits 1
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
It was my understanding that "aaa authentication login default group [server group name] local" would make the server group the default authentication path for all 3 connection types (CON, AUX, and VTY).
Any help would be greatly appreciated.

Accepted Solution

Arne Bier
VIP

I don't tend to rely on the default method list. Instead, I create CON_AUTHN, CON_AUTHZ, VTY_AUTHN and VTY_AUTHZ method lists, and then apply them to the con and vty lines respectively.

e.g.

aaa authentication login CON_AUTHN group TAC_ISE local
aaa authentication login VTY_AUTHN group TAC_ISE local
aaa authorization console
aaa authorization exec CON_AUTHZ group TAC_ISE local if-authenticated
aaa authorization exec VTY_AUTHZ group TAC_ISE local if-authenticated
!
line con 0
 authorization exec CON_AUTHZ
 login authentication CON_AUTHN
!
line vty 0 4
 authorization exec VTY_AUTHZ
 login authentication VTY_AUTHN

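An added config audit (example code, not part of this thread and not a Cisco tool) that parses a running-config in the form shown above and reports every line block whose login path has no method list applied or no local fallback after the RADIUS group, and a console block that sets exec authorization without "aaa authorization console". The sample config is constructed from the list names used above; the script checks the configuration text only and cannot tell whether the RADIUS servers are actually reachable from the switch.

```python
import re
# Constructed sample (not copied from the thread): the accepted answer's per-line
# lists, plus a "line vty 5 15" block with no login list applied.
SAMPLE_CONFIG = """\
aaa authentication login CON_AUTHN group TAC_ISE local
aaa authentication login VTY_AUTHN group TAC_ISE local
aaa authorization console
aaa authorization exec CON_AUTHZ group TAC_ISE local if-authenticated
line con 0
 authorization exec CON_AUTHZ
 login authentication CON_AUTHN
line vty 0 4
 login authentication VTY_AUTHN
line vty 5 15
 transport input ssh
"""

AUTHN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
LINE_RE = re.compile(r"^line ((?:con|aux|vty)(?: \d+)+)$")
SUB_RE = re.compile(r"^ +(login authentication|authorization exec) (\S+)$")

def parse_config(text):
    # Returns: login method lists by name, global flags, and per-line AAA commands.
    authn, flags, lines, current = {}, set(), {}, None
    for raw in text.splitlines():
        if m := AUTHN_RE.match(raw):
            authn[m.group(1)] = m.group(2).split()
        elif raw == "aaa authorization console":
            flags.add("authz_console")
        elif m := LINE_RE.match(raw):
            current = m.group(1)            # e.g. "con 0", "vty 0 4"
            lines[current] = {}
        elif current is not None and (m := SUB_RE.match(raw)):
            lines[current][m.group(1)] = m.group(2)
    return authn, flags, lines

def audit(text):
    # One finding per line block whose login path has no local fallback.
    authn, flags, lines = parse_config(text)
    findings = []
    for name, cfg in lines.items():
        list_name = cfg.get("login authentication", "default")
        methods = authn.get(list_name)
        if methods is None:
            findings.append(f"{name}: no login authentication method list applies (named or default)")
        elif not any(m.startswith("local") for m in methods):
            findings.append(f"{name}: list {list_name} has no local fallback after the RADIUS group")
        if name.startswith("con") and "authorization exec" in cfg and "authz_console" not in flags:
            findings.append(f"{name}: authorization exec set without 'aaa authorization console'")
    return findings
```

Run audit() over the output of "show running-config | section aaa|line" to get the same findings for a real device.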