Showing results for 
Search instead for 
Did you mean: 

Separate login authentication for telnet and SSH

Trent Hewitt

Hello all,

I am implementing and ACS solution for authentication and authorization of my Cisco devices. So far everything Switch-ACS is working. I also want users to have to authenticate themselves with AD when they connect over SSH. That is currently working. As a failsafe incase the ACS fails, I would like users to be able to use local credentials via TELNET. This I cannot get working.

I configured VTY ports 0-4 for SSH only and attached the group for TACACS.

I configured VTY ports 5-15 for TELNET only and attached the group for LOCAL authentication.

When I connect using SSH, all is well. When I try using TELNET it does not allow me to log in (its trying to authenticate with AD).

Here is the config I have:

aaa authentication login CONSOLE local

aaa authentication login SSH group tacacs+

aaa authentication dot1x default group radius

aaa authorization exec default group tacacs+

aaa authorization network default group radius

aaa accounting system default start-stop group tacacs+

line con 0

exec-timeout 15 0

password 7 xxxxxxxx

login authentication CONSOLE

line vty 0 4

exec-timeout 15 0

password 7 xxxxxxxx

login authentication SSH

transport input telnet ssh

line vty 5 15

exec-timeout 15 0

password 7 xxxxxxx

login authentication CONSOLE

transport input ssh

Any help is appreciated.


0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: