I'm having some problems logging on to a switch via console after applying RADIUS-config.
When using telnet I can log on.
But when trying to log on via console I'm getting:
User Access Verification
Username: xxx
Password: xxx
% Authentication failed
What I want to achieve here is to use radius for telnet & ssh, and the local user account for console.
What am I missing here?
Here's my aaa config.
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization console
aaa authorization exec default group radius local
Don't lock yourself out from the router but try this:
user <user> password <password>
aaa authentication login default group radius enable
aaa authentication login no_radius enable
line con 0
login authentication no_radius
What exactly am I achieving with this?
I want to have fallback on local username password, not enable pw
Could you explain a bit more as to what this config does?
Sorry, I was too fast. Cut and paste error from my notes. Anyway, the basics are: when you want to enable AAA on IOS, but for console access you want to use the local database, then you need to do the following steps:
1. Define local usernames: username xxx password yyy
2. Configure aaa new-model
3. Configure a named AAA authentication list: aaa authentication login LIST local
4. Attach the named AAA authentication list to the console line: login authentication LIST
If you want to use the local database only as fallback in case the aaa servers are not responding you use: aaa authentication login LIST group radius local
In the above example no_radius is your LIST name. So, if you remove the password from the line con 0, and change aaa authentication login no_radius enable to aaa authentication login no_radius local, and attach this one to your line con 0, you will be using the local database for line con 0. The default list is still used on tty, vty and aux.
If you use aaa authentication login no_radius group radius local instead of aaa authentication login no_radius local you are using the local database as a fallback.
(Sorry, not able to test this at this time so this is purely theory from my notes)
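Added example, not part of the thread and not Cisco code: a small Python model of how a login method list is evaluated, showing why the console login in the question is rejected and why attaching the named list no_radius to line con 0 fixes it. It assumes the RADIUS server is reachable and does not know the local account; the user names and passwords are constructed sample data.

```python
# Added model of IOS login method-list evaluation (illustrative, not Cisco code).
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method accepted the credentials
    FAIL = "fail"    # method answered and rejected them: evaluation stops
    ERROR = "error"  # method gave no answer (server not responding): try the next one

# Constructed sample data: one local account and one RADIUS account.
LOCAL_USERS = {"localadmin": "console-pw"}
RADIUS_USERS = {"alice": "radius-pw"}

def radius(user, pw, reachable):
    if not reachable:
        return Result.ERROR
    return Result.PASS if RADIUS_USERS.get(user) == pw else Result.FAIL

def local(user, pw, reachable):
    return Result.PASS if LOCAL_USERS.get(user) == pw else Result.FAIL

METHODS = {"group radius": radius, "local": local}

def login(config, line, user, pw, radius_reachable=True):
    """Return True if `user` may log in on `line` under `config`."""
    # A line without "login authentication <name>" uses the list named "default".
    list_name = config["lines"].get(line, "default")
    for method in config["lists"][list_name]:
        result = METHODS[method](user, pw, radius_reachable)
        if result is not Result.ERROR:
            return result is Result.PASS   # PASS or FAIL is final
    return False  # every method in the list errored out

# Configuration from the question: the console falls under the default list.
ORIGINAL = {"lists": {"default": ["group radius", "local"]}, "lines": {}}

# Configuration from the answer: named list no_radius attached to line con 0.
FIXED = {
    "lists": {"default": ["group radius", "local"], "no_radius": ["local"]},
    "lines": {"con 0": "no_radius"},
}

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        ok = login(cfg, "con 0", "localadmin", "console-pw")
        print(f"{name}: local user on console -> {'accepted' if ok else 'rejected'}")
```

With the default list, the local method is only reached when RADIUS does not respond, so a reachable server that rejects the local account ends the login attempt.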