cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

1758
Views
0
Helpful
0
Replies
Highlighted
Beginner

Separate login authentication for telnet and SSH

Hello all,

I am implementing and ACS solution for authentication and authorization of my Cisco devices. So far everything Switch-ACS is working. I also want users to have to authenticate themselves with AD when they connect over SSH. That is currently working. As a failsafe incase the ACS fails, I would like users to be able to use local credentials via TELNET. This I cannot get working.

I configured VTY ports 0-4 for SSH only and attached the group for TACACS.

I configured VTY ports 5-15 for TELNET only and attached the group for LOCAL authentication.

When I connect using SSH, all is well. When I try using TELNET it does not allow me to log in (its trying to authenticate with AD).

Here is the config I have:

aaa authentication login CONSOLE local

aaa authentication login SSH group tacacs+

aaa authentication dot1x default group radius

aaa authorization exec default group tacacs+

aaa authorization network default group radius

aaa accounting system default start-stop group tacacs+

line con 0

exec-timeout 15 0

password 7 xxxxxxxx

login authentication CONSOLE

line vty 0 4

exec-timeout 15 0

password 7 xxxxxxxx

login authentication SSH

transport input telnet ssh

line vty 5 15

exec-timeout 15 0

password 7 xxxxxxx

login authentication CONSOLE

transport input ssh

Any help is appreciated.

Trent

Everyone's tags (6)
CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards