Unable to login on console after RADIUS configuration on switch.

Martin Ostberg
Level 1

I'm having some problems logging on to a switch via console after applying RADIUS-config.

When using telnet I can log on.

 

But when trying to log on via console I'm getting:

 

User Access Verification

Username: xxx
Password: xxx

% Authentication failed

 

What I want to achieve here is to use RADIUS for telnet & ssh, and the local user account for console.

 

What am I missing here?

Here's my aaa config.

 

aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization exec default group radius local 

 

 

 

Thanks!

Accepted Solution

poongarg
Cisco Employee

Hello Martin,

The default authentication and authorization lists apply to all lines, irrespective of console or VTY. To use the local account for the console, you need to create a separate method list (instead of using the default authC and authZ) and apply it to the console line.

Also, since you have enabled console authorization (which is disabled by default), you need to create a method list for console authorization as well, or remove the command "aaa authorization console".

Here is the process to create the method list:

First option:

aaa authentication login <method list name> local

no aaa authorization console

Line console 0

login authentication <method list name>

 

Second option:

aaa authentication login <method list name> local

aaa authorization exec <method list name> local

line console 0

login authentication <method list name>

authorization exec <method list name>

HTH

 


8 Replies

Robenneke
Level 1

Hi,

 

What config did you apply on your 'line con 0'?

 

Kind regards

line con 0
 logging synchronous
 stopbits 1

 

 

Hi,

 

Don't lock yourself out from the router but try this:

 

user <user> password <password>
!
aaa authentication login default group radius enable
aaa authentication login no_radius enable
!
line con 0
password <password>
login authentication no_radius

 

Kind regards

 What exactly am I achieving with this?

I want to have fallback on local username password, not enable pw

 

Could you explain a bit more as to what this config does?

 

/Regards

 

Sorry, I was too fast. Cut and paste error from my notes. Anyway, the basics are when you want to enable AAA on IOS, but for console access you want to use the local database then you need to do following steps:

1. Define local usernames: username xxx password yyy

2. Configure aaa new-model

3. Configure a named AAA authentication list: aaa authentication login LIST local

4. Attach the named AAA authentication list to the console line: login authentication LIST

 

If you want to use the local database only as fallback in case the aaa servers are not responding you use: aaa authentication login LIST group radius local 

 

In the above example, no_radius is your LIST name. So, if you remove the password from the line con 0, change aaa authentication login no_radius enable to aaa authentication login no_radius local, and attach this one to your line con 0, you will be using the local database for line con 0. The default list is still used on tty, vty and aux.

 

If you use aaa authentication login no_radius group radius local instead of aaa authentication login no_radius local you are using the local database as a fallback.

 

Kind regards

(Sorry, not able to test this at this time so this is purely theory from my notes)
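As an added worked example (not from any of the posts above), here is Martin's original aaa config with the accepted answer's named console lists and Robenneke's local-fallback variant applied; the server name, address, user name and secrets are placeholders:

```cisco
! Added example, not from the thread. RADIUS for telnet/ssh, local
! database for the console. Server, address, user and secrets are
! placeholders.
aaa new-model
username admin privilege 15 secret <LOCAL-SECRET>
!
radius server NPS1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET>
!
! Default lists: RADIUS first, local only when no server answers.
! They apply to every line (vty, aux, tty) with no named list attached.
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
!
! Named lists for the console. CONSOLE_LOCAL consults only the local
! database. CONSOLE_FALLBACK tries RADIUS first and falls back to local
! when the servers do not respond (a RADIUS reject is still a reject).
aaa authentication login CONSOLE_LOCAL local
aaa authorization exec CONSOLE_LOCAL local
aaa authentication login CONSOLE_FALLBACK group radius local
aaa authorization exec CONSOLE_FALLBACK group radius local
!
! Second option of the accepted answer: keep console authorization
! but give the console its own exec list. For the first option,
! replace the next line with "no aaa authorization console" and drop
! "authorization exec" under line con 0.
aaa authorization console
!
line con 0
 login authentication CONSOLE_LOCAL
 authorization exec CONSOLE_LOCAL
!
line vty 0 15
 login authentication default
 authorization exec default
 transport input ssh telnet
```

Keep an existing console or vty session open while applying this and verify the console login from a second session before closing it, so a typo in the list name cannot lock you out.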

 

Just throwing this out there. I put the same programming into my old 2012 NPS server this morning and it works fine. The problem server is a Windows Server 2022. 

Sorry, wrong group.

