07-03-2002 05:58 AM - edited 02-21-2020 10:01 AM
I have a 3640 used for RAS. The remote users need a post dial terminal window for a form of token Authentication. This is specified with the LOGIN command. When I try and telnet in I am prompted for username/password which passes but the telnet fails. The RADIUS server being used does not specify a telnet parameter, so tries to use PPP for telnet. If I remove Login RADIUS then the remote users get no output from their post dial window. Can I specify that telnet is only locally authenticated, and therefore not affect any remote users needing to use login?
Any help would be greatly appreciated.
I have attached current config.
service password-encryption
service udp-small-servers
service tcp-small-servers
!
!
aaa new-model
aaa authentication login default group radius
aaa authentication ppp default if-needed group radius
aaa authorization exec default group radius
aaa authorization network default group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
enable secret 5 $1$CMCO$IMo3eQ0NJO/l/yNfwdfOT0
!
ip subnet-zero
!
!
!
interface Ethernet0/1
 ip address
 no ip proxy-arp
 full-duplex
!
interface Ethernet0/2
 ip address
 no ip proxy-arp
 full-duplex
!
interface Ethernet0/3
 ip address
 ip address
 ip helper-address
 load-interval 30
 full-duplex
!
interface Serial1/0
 description 'Link to Warricker Centre'
 ip address
 priority-group 1
 serial restart-delay 0
!
interface Serial1/1
 description Link to Basement Upney Lane
 ip address
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Group-Async1
 ip unnumbered Ethernet0/3
 encapsulation ppp
 no ip mroute-cache
 dialer in-band
 dialer idle-timeout 600
 dialer-group 1
 async mode interactive
 peer default ip address dhcp
 no fair-queue
 ppp authentication chap
 group-range 65 72
!
ip classless
ip http server
ip pim bidir-enable
!
priority-list 1 protocol ip high tcp telnet
dialer-list 1 protocol ip permit
!
radius-server host 15.10.30.4 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key 7 0807697C3B38373E
!
line con 0
line 65 72
 exec-timeout 0 0
 modem InOut
 transport preferred none
 transport input all
 transport output none
 autoselect during-login
 autoselect ppp
line aux 0
line vty 0 4
 password 7 09435C081702124359
!
end
07-03-2002 08:32 PM
Hi :)
You'll need to create a different method list for AAA that you can apply to your vty line. The term local means using a username/password that resides on your router. However, looking at your configuration, you have no username/passwords configured so I assume that you want to simply get a password prompt when you telnet to the router. If I have understood you correctly then configure the following. As you haven't provided a show version I'm assuming that you're running the latest code:
aaa authentication login vtylines line none
aaa authorization exec vtylines none
line vty 0 4
 login authentication vtylines
 authorization exec vtylines
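To check which login method list each line ends up with after a change like the one in the reply above, the following Python script (an added example, not part of either post and not a Cisco tool) resolves the list per line and marks any list whose last method is `none`. The sample config is constructed from the thread's AAA and line sections with the vty password replaced by a placeholder, and the function names are hypothetical.

```python
import re

# Constructed sample: the thread's AAA and line sections with the reply's
# "vtylines" list applied; the vty password is replaced by a placeholder.
SAMPLE = """\
aaa new-model
aaa authentication login default group radius
aaa authentication login vtylines line none
aaa authorization exec default group radius
aaa authorization exec vtylines none
line con 0
line 65 72
 autoselect during-login
 autoselect ppp
line aux 0
line vty 0 4
 password 7 <placeholder>
 login authentication vtylines
 authorization exec vtylines
"""

def parse_methods(tokens):
    """Turn ['group', 'radius', 'line'] into ['group radius', 'line']."""
    out, it = [], iter(tokens)
    for tok in it:
        out.append(f"group {next(it, '')}".strip() if tok == "group" else tok)
    return out

def login_methods_per_line(config):
    """Map each 'line ...' block to its login method list and methods."""
    lists, applied, current = {}, {}, None
    for text in map(str.strip, config.splitlines()):
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            lists[m.group(1)] = parse_methods(m.group(2).split())
        elif text.startswith("line "):
            current = text
            applied[current] = "default"   # used unless the line overrides it
        elif text in ("!", "end"):
            current = None                 # end of the line section
        elif current and text.startswith("login authentication "):
            applied[current] = text.split()[2]
    return {line: {"list": name, "methods": lists.get(name, []),
                   "none_fallback": lists.get(name, [])[-1:] == ["none"]}
            for line, name in applied.items()}

if __name__ == "__main__":
    for line, info in login_methods_per_line(SAMPLE).items():
        print(line, info["list"], info["methods"], info["none_fallback"])
```

A list that ends in `none` lets the login through without authentication when every earlier method returns an error, for example when `line` is listed but no password is set on that line.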