Re: AAA Radius server authentication not working correctly

studmuffin · ‎08-27-2020

I am trying to get a router to login to radius and i can get it to authenticate successuly but i cant login via ssh

StudmuffinVoiceRouter#$me StudmuffinDC ThePlague Gi604132323 legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.

StudmuffinVoiceRouter#show run
Building configuration...

aaa new-model
!
!
aaa group server radius StudsServers
server name StudmuffinDC
!
aaa authentication login default local group StudsServers
aaa authorization console
aaa authorization exec default local group StudsServers
aaa authorization network default local group StudsServers

no ip domain lookup
ip domain name Studmuffin.com

username Studmuffin privilege 15 password 0 ******

interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.2 255.255.255.0
!
interface GigabitEthernet0/0.100
encapsulation dot1Q 100
ip address 192.168.100.3 255.255.255.0
!

ip default-gateway 192.168.100.1
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.100.1

radius server StudmuffinDC
address ipv4 192.168.40.50 auth-port 1812 acct-port 1813
key *******
!
!
!
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
logging synchronous
transport input ssh
line vty 5 15
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
ntp server 34.208.249.133
!
!
pnp profile pnp_cco_profile
transport https ipv4 18.205.167.7 port 443
end

here is my current running config and a video is supplied with what is currently happening

(view in My Videos)

Seb Rupik · ‎08-28-2020

Hi there,

You need to re-sequence your AAA statements to consult the radius group before local:

!
aaa authentication login default group StudsServers local
aaa authorization exec default group StudsServers local
aaa authorization network default group StudsServers local
!

cheers,

Seb.

balaji.bandi · ‎08-28-2020

Your order is Local and Radius, Try using Local username it should work.

if that is working move order radisu and then if fails local ( make sure you test before you write) - if not you going to lock yourself.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

studmuffin · ‎08-28-2020

This is the error after i do those error corrections

studmuffin · ‎08-29-2020

Sadly It still does not work

Richard Burts · ‎08-30-2020

I am interested in the screen shot that shows the attempt to login, has a user name, prompts for a password, and then has a message saying that this line may not run ppp. Can you tell us more about this environment? How did you initiate this connection (if an emulator, which one? if a browser, which one?) and to what address (or interface) did you attempt to connect? Also can you verify that the user name you were attempting to use is configured on this device as a local user with a valid password?

Perhaps it might be helpful if you would post a fresh copy of the configuration.

HTH

Rick

studmuffin · ‎08-30-2020

So the Setup is a 2901 Router ( the Device I am Trying to login to) a VMware ESXI Virtual Machine Running windows server 2019 with NPS for radius. and how I am trying to login is by using putty to ssh in to the router and when i login to the router with the radius login i get that error I am a student and I dont know to much about nps and Radius so i am kind of stumped

Richard Burts · ‎08-30-2020

Thanks for the additional information. So you are on an ESXI machine using putty to access the 2901. Can you confirm that there is IP connectivity between the ESXI machine and the 2901 (from a command prompt on ESXI can you successfully ping the 2901?)

Also if there have been config changes on the 2901 can you provide a fresh copy to the config?

HTH

Rick

studmuffin · ‎08-30-2020

Everything can ping trust me it is not a connection issue

studmuffin · ‎08-30-2020

The Last provided config is the latest config