07-11-2024 01:51 AM - edited 07-11-2024 01:53 AM
Hi, in my configuration there are several users and a RADIUS server; I log in to everything with SSH.
Now I need to create a user that can only connect via the console port.
As soon as I create a user with the command
username cisco privilege 15 password 0 cisco
I can log in to it via SSH. My vty looks like this:
line vty 0 4
 session-timeout 60
 transport input ssh
How do I block SSH for user cisco?
07-11-2024 02:21 AM
What does your AAA config look like?
You can specify login for the console and the VTYs separately, like so:
! Default login for everything but the console; excludes local user accounts
aaa authentication login default group radius
! Login for the console specifically; only allows local user accounts
aaa authentication login CONSOLE local
07-11-2024 02:42 AM
aaa authentication login default local group radius
aaa authentication login xxxx local
aaa authentication login cisco local
aaa authorization exec default local group radius
aaa authorization network default local group radius
aaa accounting exec default start-stop group radius
aaa accounting system default start-stop group radius
07-11-2024 03:21 AM - edited 07-11-2024 03:22 AM
Your current setting for "default" authentication is to authenticate against local users first and fall back to RADIUS if local auth fails.
Here are a couple of suggestions for the AAA config for default authentication (any authentication that is not otherwise specified):
! Authenticate with RADIUS first, fall back to local user authentication in case RADIUS is unavailable.
aaa authentication login default group radius local
! Allow _only_ RADIUS auth.
aaa authentication login default group radius
Here are a couple of suggestions for the AAA config for console access:
! Allow fallback local user authentication for SSH in case RADIUS is unavailable.
aaa authentication login console group radius local
! Allow _only_ local auth for console access
aaa authentication login console local
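As an added example (not configuration posted by anyone in this thread), here is how the two named lists from the answer above are actually bound to the lines; the list names CONSOLE and VTY are assumed, and `aaa new-model` must already be enabled for named lists to exist:

```cisco
! Added example: separate login lists for the console and the VTYs.
! CONSOLE and VTY are assumed list names; choose your own.
aaa new-model
!
! VTY (SSH) logins: RADIUS first, local accounts only if RADIUS is unreachable
aaa authentication login VTY group radius local
!
! Console logins: local accounts only
aaa authentication login CONSOLE local
!
! Bind the CONSOLE list to the console port
line con 0
 login authentication CONSOLE
!
! Bind the VTY list to the SSH lines (keeps the poster's existing vty settings)
line vty 0 4
 session-timeout 60
 transport input ssh
 login authentication VTY
!
! Check which list each line uses before you write the config:
! show running-config | section line
```

Caveat worth knowing before applying this: a named list only decides which method (RADIUS or the local database) a given line consults. The `local` method accepts any account in the local database, so on any line that can fall back to `local`, every local user, cisco included, can still log in. Keeping a local account off SSH therefore means that the VTY list must not reach the local database (RADIUS only, as the answer's second variant shows), with the consequence that users who need SSH access must exist on the RADIUS server. Test access on both the console and an SSH session before saving.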
07-11-2024 04:48 AM
But at this moment user xxxx also does not have SSH access. Is it possible for the xxxx user to have access via SSH and the cisco user to only have access via the console port?
07-11-2024 05:22 AM
You can use
line console 0
 login
 password xxxx
Note: this way the device asks for a password only, not for both username and password.
Note: add an enable password to the device.
Note: make very sure you can access the device via vty and console before WR.
MHM
07-11-2024 06:19 AM - edited 07-11-2024 06:44 AM
If I have it this way:
aaa authentication login default local group radius
and I add this:
line console 0
 login cisco
 password xxxx
then I can access users xxxx and cisco via SSH,
and when I have this:
aaa authentication login default group radius
I can't access users xxxx and cisco via SSH. And I would like to get to user xxxx via SSH, but not cisco.
I started to wonder if what I want to do is possible; my device is a Cisco C921-4P.