
Unable to login on console after RADIUS configuration on switch.

I'm having some problems logging on to a switch via console after applying RADIUS-config.

When using telnet I can log on.

 

But when trying to log on via console I'm getting:

 

User Access Verification

Username: xxx
Password: xxx

% Authentication failed

 

What I want to achieve here is to use RADIUS for telnet & ssh, and the local user account for console.

 

What am I missing here?

Here's my aaa config.

 

aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization exec default group radius local 

 

 

 

Thanks!

5 REPLIES 5
Beginner


Hi,

 

What config did you apply on your 'line con 0'?

 

Kind regards

Beginner


line con 0
 logging synchronous
 stopbits 1

 

 

Beginner


Hi,

 

Don't lock yourself out from the router but try this:

 

user <user> password <password>
!
aaa authentication login default group radius enable
aaa authentication login no_radius enable
!
line con 0
password <password>
login authentication no_radius

 

Kind regards

Beginner


 What exactly am I achieving with this?

I want to have fallback on local username password, not enable pw

 

Could you explain a bit more as to what this config does?

 

/Regards

 

Beginner

Sorry, I was too fast. Cut and paste error from my notes. Anyway, the basics are: when you want to enable AAA on IOS, but for console access you want to use the local database, then you need to do the following steps:

1. Define local usernames: username xxx password yyy

2. Configure aaa new-model

3. Configure a named AAA authentication list: aaa authentication login LIST local

4. Attach the named AAA authentication list to the console line: login authentication LIST

 

If you want to use the local database only as a fallback in case the AAA servers are not responding, you use: aaa authentication login LIST group radius local

 

In the above example, no_radius is your LIST name. So, if you remove the password from the line con 0, and change aaa authentication login no_radius enable to aaa authentication login no_radius local, and attach this one to your line con 0, you will be using the local database for line con 0. The default list is still used on tty, vty and aux.

 

If you use aaa authentication login no_radius group radius local instead of aaa authentication login no_radius local, you are using the local database as a fallback.

 

Kind regards

(Sorry, not able to test this at this time so this is purely theory from my notes)
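
The named-list behaviour described in the last reply can be checked offline against a saved config before it is applied. The script below is an added example, not part of the thread: the two sample configs are constructed from the commands quoted above, the function names are hypothetical, and it assumes commands are written in full (no IOS abbreviations).

```python
import re

# Constructed configs modelled on the thread: console on the default list,
# then console attached to the named list no_radius.
BEFORE = """\
username xxx password yyy
aaa new-model
aaa authentication login default group radius local
line con 0
 logging synchronous
 stopbits 1
line vty 0 4
"""
AFTER = """\
username xxx password yyy
aaa new-model
aaa authentication login default group radius local
aaa authentication login no_radius local
line con 0
 logging synchronous
 login authentication no_radius
line vty 0 4
"""

def parse_methods(tokens):
    """Join 'group <name>' pairs so each entry is one method, in order."""
    it = iter(tokens)
    return [f"group {next(it, '')}" if t == "group" else t for t in it]

def login_methods(config):
    """Return {line: (list name, ordered methods)} for each 'line ...' block."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)", raw)
        if m:
            lists[m.group(1)] = parse_methods(m.group(2).split())
        if raw.startswith("line "):
            current = raw.strip()
            lines[current] = "default"  # no explicit list: default applies
        elif raw.startswith(" ") and current:
            m = re.match(r"\s+login authentication (\S+)", raw)
            if m:
                lines[current] = m.group(1)
        else:
            current = None
    return {ln: (name, lists.get(name, [])) for ln, name in lines.items()}

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for ln, (name, methods) in login_methods(cfg).items():
            print(f"{label}: {ln} -> list {name}: {' then '.join(methods)}")
```

Run against the "before" config it shows the console resolving to the default list (RADIUS first); against the "after" config the console resolves to no_radius (local only) while the vty lines stay on the default list.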