Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
920
Views
0
Helpful
1
Replies

Unexpected AAA Behavior in Lab Setup

Scott Pickles
Level 4
Level 4

‎12-13-2009 03:20 PM - edited ‎03-10-2019 04:50 PM

I have attatched the config for my lab router in its entirety.  The lab is air-gapped so I'm not scrubbing anything from its config.  I configured some example server groups, and the servers are dummy servers to force a failed connection so that my understanding of the processing of an aaa authentication list is validated.  My final login option is local, and I have a user with privilege level 15 specified.  However, when I configured the telnet lines to use my list configured as 'RADIUS', I got an error stating that the list didn't exist.  But when you look at the config, it is there on the vty lines.  Also, when I login via telnet, I am not in privileged mode and I have to enter it manually.  Below is the output on the router as I configured my aaa new-model:

3825_Lab(config)#aaa group server radius RADIUS_PRIMARY
3825_Lab(config-sg-radius)#server 192.168.200.2
3825_Lab(config-sg-radius)#exit
3825_Lab(config)#aaa group server radius RADIUS_BACKUP
3825_Lab(config-sg-radius)#server 192.168.200.3
3825_Lab(config-sg-radius)#exit
3825_Lab(config)#aaa group server tacacs+ TACACS_PRIMARY
3825_Lab(config-sg-tacacs+)#server 192.168.200.4
3825_Lab(config-sg-tacacs+)#exit
3825_Lab(config)#aaa group server tacacs+ TACACS_BACKUP
3825_Lab(config-sg-tacacs+)#server 192.168.200.5
3825_Lab(config-sg-tacacs+)#exit
3825_Lab(config)#aaa authentication login RADIUS group RADIUS_PRIMARY group RADIUS_BACKUP local
3825_Lab(config)#aaa authentication login TACACS group TACACS_PRIMARY group TACACS_BACKUP local
3825_Lab(config)#lin vty 0 4
3825_Lab(config-line)#login authentication RADIUS
AAA: Warning authentication list "RADIUS" is not defined for LOGIN.  <-----------------  Huh?  Didn't I just create that list 4 lines previous?

From the 'show run' it is applied to the interface:


line vty 0 4
logging synchronous
login authentication RADIUS

Since my server groups are dummy groups, it should fail the radius lookup due to no server response and fall back to 'local' authentication.  So why when I telnet in do I get dropped into 'user exec' mode rather than 'privileged exec' mode?  My username statement is:

username admin privilege 15 password 0 admin

Any suggestions?

Regards,
Scott

Labels:
36767-Router aaa new-model config.txt.zip
0 Helpful
1 Reply 1

rtjensen4
Level 4
Level 4

‎12-14-2009 08:40 AM

You may need to adjust somthing with the authorization settings. aaa authorization exec RADIUS group RADIUS_PRIMARY group RADIUS_BACKUP local maybe?

0 Helpful
Customers Also Viewed These Support Documents