Showing results for 
Search instead for 
Did you mean: 

Unable to login on console after RADIUS configuration on switch.

Martin Ostberg

I'm having some problems logging on to a switch via console after applying RADIUS-config.

When using telnet I can log on.


But when trying to log on via console I'm getting:


User Access Verification

Username: xxx
Password: xxx

% Authentication failed


What I want to acheive here is to use radius for telnet & ssh, and the local user account for console.


What am I missing here?

Here's my aaa config.


aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization exec default group radius local 





5 Replies 5




What config did you apply on your 'line con 0'?


Kind regards

line con 0
 logging synchronous
 stopbits 1





Don't lock yourself out from the router but try this:


user <user> password <password>
aaa authentication login default group radius enable
aaa authentication login no_radius enable
line con 0
password <password>
login authentication no_radius


Kind regards

 What exactly am I achieving with this?

I want to have fallback on local username password, not enable pw


Could you explain a bit more as to what this config does?




Sorry, I was too fast. Cut and paste error from my notes. Anyway, the basics are when you want to enable AAA on IOS, but for console access you want to use the local database then you need to do following steps:

1. Define local usernames: username xxx password yyy

2. Configure aaa new-model

3. Configure a named AAA authentication list: aaa authentication login LIST local

4. Attach the named AAA authentication list to the console line: login authentication LIST


If you want to use the local database only as fallback in case the aaa servers are not responding you use: aaa authentication login LIST group radius local 


In above example no_radius is your LIST name. So, if you remove the password from the line con 0, and change aaa authentication login no_radius enable to aaa authentication login no_radius local, and attach this one to your line con 0, you will be using the local database for line con 0. The default list is still used on tty, vty and aux.


If you use aaa authentication login no_radius group radius local instead of aaa authentication login no_radius local you are using the local database as a fallback.


Kind regards

(Sorry, not able to test this at this time so this is purely theory from my notes)


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers